2026 Threat Outlook: What 2025 Taught us about Ransomware, Attacks & Data breaches

During the last year, cybersecurity threats continued evolving in both sophistication and impact, from critical zero-day exploits to supply-chain compromises and novel ransomware techniques. Throughout 2025, Cohesity REDLab published multiple advisories & newsletters sharing insights from hands-on research into real threats,  including stealer malware, advanced ransomware families, supply-chain attacks, living-off-the-land (LOTL) extortion and bring your own vulnerable drivers (BYOVD) attacks. The advisories provide deep kill-chain technical context and are invaluable for defenders. The newsletters provide context on how Cohesity products can help against real world malware.

This article looks at some of the top malware and cybersecurity incidents from last year and what we can learn from them, the upcoming trends, impact on data protection/recovery and how we can prepare for 2026.

Top 12 Malware & Cybersecurity Incidents of 2025

Below are the most impactful, widely reported, and technically significant incidents of the year blending public breach events with REDLab-aligned threat observations.

1. React2Shell Exploits & Widespread Post-Exploit Malware (CVE-2025-55182)

Overview:
React2Shell, a critical unauthenticated remote code execution flaw in React Server Components (RSC), was publicly disclosed in December 2025 and rapidly weaponized. Exploitation allowed attackers to run arbitrary commands on internet-facing servers ,spawning a range of payloads including cryptominers, Linux backdoors, and RAT frameworks such as Sliver.

Takeaway:

• Fully unauthenticated, critical RCE
• Active exploitation within 24 hours of disclosure.
• Used in broad scanning and automated compromise campaigns.

REDLab updated its threat libraries to detect these exploits and post-exploit malware, enabling rapid threat hunts backups.

2. Qilin LOTL Double Extortion Campaign

Overview:
A sophisticated data extortion tactic where actors combine credential theft and ransomware encryption with data exfiltration and public shaming. REDLab observed patterns of LOTL behavior where attackers move laterally, harvest credentials, and trigger encryption & exfiltration for maximum leverage.

Takeaway:
Double extortion remains a dominant threat - combining traditional ransomware with exposure of sensitive stolen data.

3. Shai-Hulud Supply Chain Compromise (npm Ecosystem)

Overview:
A software supply chain compromise where malicious packages were published to the npm registry. These packages delivered stealthy loaders and RATs, illustrating how open-source ecosystems are used for wide-scale malware distribution.

REDLab insight: This advisory highlights the importance of supply-chain threat awareness - not just server vulnerabilities.

4. CL0P Exploitation of Oracle E-Business Suite

Part of a larger pattern of CL0P/LEMURLOOT exploit activity against enterprise applications. These attacks combine web shells, credential harvesting, and data theft. REDLab’s tracking of similar techniques helped improve heuristic detection.

5. Medusa Malware Active Exploitation (CVE-2025-10035)

The ‘Medusa’ exploit chain triggered widespread concern as actors weaponized actively exploited CVEs to distribute payloads, disrupt services, and establish persistence, showcasing how quickly vulnerabilities can cascade from disclosure to active breach.

6. SharePoint → Ransomware: ToolShell & AK47C2

A hybrid attack combining SharePoint abuse, tooling frameworks (ToolShell), and the AK47C2 command-and-control, leading to lateral movement and ransomware deployment in compromised environments ,the sort of layered progression REDLab simulates and studies.

7. Agent Tesla Returns: Old RAT, New Tricks

Agent Tesla, a long-operating remote access Trojan, resurfaced with new evasion techniques, proving that legacy malware families remain dangerous when updated. REDLab tracked its operational signatures and behavior.

8. BRICKSTORM Backdoor

An actively distributed backdoor family noted for stealthy persistence, lateral movement, and strategic use in follow-on ransomware and data exfiltration efforts. REDLab documentation analyzed its execution pattern and persistence mechanisms.

9. Akira Ransomware’s BYOVD Technique

Akira ransomware, already notorious before 2025, expanded its toolbox with “Bring Your Own Vulnerable Driver” (BYOVD) approaches. Attackers used legitimate but vulnerable signed drivers to bypass endpoint defenses and deploy ransomware. REDLab’s advisory stresses monitoring firewall appliance compromise vectors and file-hash scans to detect dormant malware.

10. Tracing Lumma Stealer Through the Kill Chain

Lumma Stealer, a credential and data stealer, remains a prominent threat. REDLab’s kill-chain analysis highlighted its modular deployment, persistence, and how it exfiltrates session tokens and credentials, often paving the way for larger breaches.

11. Infostealer & Credential Harvester Resurgence

Beyond Lumma, multiple stealer families renewed activity in 2025, infecting endpoints and exfiltrating corporate credentials ,often preceding ransomware or supply-chain abuse.

12. Legacy Ransomware Adaptations & Variants

Families such as Lynx and Prince ,studied earlier by REDLab ,continued to operate with refined evasion, process termination, share discovery, and destructive cleanup routines.

Upcoming trends

1. The cybersecurity events of 2025 clearly demonstrated that attackers are prioritizing speed, stealth, and leverage over brute-force disruption. Zero-day vulnerabilities such as React2Shell were weaponized within hours, leaving organizations with minimal reaction time. This shift highlights the importance of resilience over pure prevention, as even well-defended environments can be compromised.
2. Another defining takeaway was the dominance of multi-stage attack chains. Initial access was frequently achieved through credential theft, supply-chain compromise, or exploitation of trusted services. These footholds were then used to move laterally, exfiltrate sensitive data, and only later deploy ransomware or destructive payloads. The resulting damage extended beyond downtime to include regulatory exposure, reputational harm, and long-term business risk.
3. Living-off-the-land techniques became the norm rather than the exception. By abusing legitimate administrative tools, attackers reduced their malware footprint and evaded traditional signature-based detection. This reinforced the need for behavioral analytics and anomaly detection across both production and backup environments.
4. Finally, 2025 underscored that legacy malware families remain dangerous. Rather than disappearing, older threats such as Agent Tesla and established ransomware groups evolved their tactics, proving that defenders must account for both new and well-known adversaries simultaneously.

Impact on Data Protection and Recovery

Data protection systems were increasingly targeted because they represent the last line of defense against ransomware and destructive attacks. Adversaries intentionally sought to disable, encrypt, or silently corrupt backups before triggering high-impact events, recognizing that recovery capability determines whether extortion succeeds.

A particularly concerning trend was the rise of silent data corruption. Instead of overt encryption, attackers altered databases, configuration files, and backup metadata in subtle ways designed to evade immediate detection. Without integrity verification and anomaly detection, such corruption may only surface during recovery - when time is most critical.

These developments elevated the importance of immutable backups, air-gapped architectures, and continuous scanning for malware within stored data. Backup systems must now function as active security platforms capable of identifying threat indicators, validating data integrity, and supporting forensic investigations.

Equally important is clean recovery. Restoring infected or compromised data can reintroduce malware into production, negating the value of backups. Scanning and validating data before restoration became a best practice reinforced throughout 2025’s major incidents.

How to Prepare for Data Security in 2026

Preparation for 2026 requires a shift from reactive recovery to proactive cyber resilience. Cohesity customers should ensure that anomaly detection and malware scanning capabilities are fully enabled and regularly tuned to reflect emerging threat behavior identified by REDLab research. Organizations should operationalize clean recovery by routinely testing restoration workflows that include malware scanning, integrity checks, and controlled reintroduction of data into production environments.

These exercises reduce recovery time and prevent reinfection during real incidents.

Leveraging REDLab advisories is another critical step. These advisories provide early insight into active campaigns, exploitation techniques, and malware behaviors observed in the wild. Integrating these insights into security operations and threat-hunting workflows strengthens overall detection and response.

Finally, customers should align incident response planning with data protection strategies. Clear roles, escalation paths, and decision criteria ensure that backup and recovery teams can act decisively under pressure. By combining robust technology with practiced processes, organizations can enter 2026 prepared for both known and emerging threats.

Conclusion

The lessons of 2025 reinforce a critical truth: cyber resilience is foundational to modern business operations. Attackers will continue to innovate, but organizations that invest in resilient data protection, proactive threat research, and clean recovery capabilities can withstand disruption and recover with confidence.

Happy New Year and we wish you a secure, resilient, and successful 2026.