
Arctic Wolf’s 2026 Threat Report reveals a continued rise in data‑theft‑driven extortion, sustained pressure from ransomware groups, and a significant increase in attacks that leverage remote access tools rather than technical exploits.
In 2025, ransomware, business email compromise (BEC), and data incidents once again dominated Arctic Wolf’s caseload, accounting for 92% of all incident response engagements. While ransomware remained the most common category, data‑only extortion incidents surged 11 times year-over-year.
“We continue to see that early detection completely changes the outcome of an attack,” says Kerri Shafer‑Page, VP, incident response at Arctic Wolf. “When defenders identify malicious activity before an adversary can detonate ransomware or escalate privileges, the difference in cost, downtime, and business disruption is dramatic. Preparedness allows us to be decisive.”
Key takeaways:
· 65% of non‑BEC intrusions stemmed from abuse of remote access technologies like RDP, VPN, and RMM tools, a dramatic rise that underscores attackers’ preference for low‑friction entry points.
· Ransomware, business email compromise (BEC), and data incidents made up 92% of Arctic Wolf IR cases, with data incidents jumping from 2% to 22% as attackers increasingly focused on data theft and extortion.
· Pre‑ransomware activity accounted for 5% of cases, showing that earlier detection and faster response frequently stopped attacks before encryption.
· In 77% of ransomware cases, organizations did not pay. When they did, professional negotiation reduced demands by an average of 67%. In addition, 65% of non‑BEC intrusions stemmed from abuse of RDP, VPN, and RMM tools, up from two years ago, as attackers favored easy remote access over exploits.
· Phishing drove 85% of BEC incidents, rising significantly as AI made fraudulent messages more convincing and scalable.
· All top‑exploited CVEs were from 2024 or earlier, emphasizing the importance of patching and credential rotation after vulnerability exposure.
“Attackers continue to rely on operational efficiency - logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities,” says Ismael Valenzuela, VP, labs, threat research and intelligence, Arctic Wolf. “Organizations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year.”




















