TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Coveware

Targeted social engineering is en vogue as ransom payment sizes increase

Bill Siegel · 2025-07-23

ATT&CK techniques detected

21 predictions
T1490 Inhibit System Recovery
96%
“methods for operational disruption, especially within backup infrastructure. threat actors are increasingly targeting backups as part of their playbook, knowing that undermining recovery amplifies extortion pressure. even in environments with immutable storage, actors are moving …”
T1486 Data Encrypted for Impact
96%
“yet believe these metrics to be an inception of a trend. overall, the percentage of organizations that opted to pay a ransom regardless of impact remained relatively low at 26%. we are encouraged that the overall rate of payment has not shown regression over the prior quarters. …”
T1486 Data Encrypted for Impact
94%
“shift: threat actors are optimizing for pressure, not disruption, and the data itself is often the most valuable hostage. lateral movement [ta0008] lateral movement, observed in 60% of cases, remains a tactical staple despite a slight drop from q1. it continues to underpin mo…”
T1566.004 Spearphishing Voice
93%
“in the picture since 2022. aside from scattered spider, they are the only other e-crime group that has been exclusively reliant on social engineering for initial access during their tenure. however, their techniques are distinctly unique. unlike scattered spider who impersonate…”
T1486 Data Encrypted for Impact
89%
“% new in top variants market share of the ransomware attacks akira remained the top ransomware-as-a-service brand in q2 2025 with qilin jumping one spot to second place. lone wolf attacks remain highly prevalent though, and we note that most of these attacks are not lone in…”
T1486 Data Encrypted for Impact
81%
“offering defenders a chance to catch the threat early. organizations that monitor for anomalous enumeration or employ deception technologies, such as decoy credentials, honeyfiles, or fake infrastructure, can turn this phase into an early warning system, transforming reconnaissan…”
T1486 Data Encrypted for Impact
72%
“weeks or months apart), but the framework is still markedly distinct from scattered spider in that they do not establish widespread or long-term persistence and their impact does not disrupt company operations. many victim companies don’t even know a security incident has ta…”
T1486 Data Encrypted for Impact
70%
“##lin’s growing market share, we assess these impacts will continue and potentially worsen. in contrast, industries like real estate and utilities see minimal impact (0.9%), possibly due to lower digital exposure or stronger defenses. the data suggests that attackers priori…”
T1588.006 Vulnerabilities
70%
“-based intrusions dominate, with groups like akira regularly exploiting exposed vpns and remote services using stolen or weak credentials, often sourced from infostealers or successful phishing campaigns. social engineering also continues to mature, with actors leveraging truste…”
T1486 Data Encrypted for Impact
65%
“the large enterprise market will rapidly escalate as groups shift their attack approaches away from convenient / bulk-purchased attack vectors and invest more resources in compromising fewer high profile entities. further fueling this shift towards more targeted victimology is …”
T1486 Data Encrypted for Impact
62%
“##d it teams. even well-managed environments remain exposed through third-party systems or vendor-managed appliances that quietly fall behind. lastly, insider and third-party access risks, though a smaller slice of overall initial access, showed an uptick in q2, particula…”
T1608.006 SEO Poisoning
61%
“-based intrusions dominate, with groups like akira regularly exploiting exposed vpns and remote services using stolen or weak credentials, often sourced from infostealers or successful phishing campaigns. social engineering also continues to mature, with actors leveraging truste…”
T1657 Financial Theft
59%
“targeted social engineering is en vogue as ransom payment sizes increase table of contents ransomware groups payment rates types of ransomware attack vectors ttps victimology “don’t say the “s…” word. but which adjective starting with the letter s are we talking about? three spec…”
T1588.001 Malware
41%
“% new in top variants market share of the ransomware attacks akira remained the top ransomware-as-a-service brand in q2 2025 with qilin jumping one spot to second place. lone wolf attacks remain highly prevalent though, and we note that most of these attacks are not lone in…”
T1684.001 Impersonation
40%
“in the picture since 2022. aside from scattered spider, they are the only other e-crime group that has been exclusively reliant on social engineering for initial access during their tenure. however, their techniques are distinctly unique. unlike scattered spider who impersonate…”
T1566 Phishing
35%
“-based intrusions dominate, with groups like akira regularly exploiting exposed vpns and remote services using stolen or weak credentials, often sourced from infostealers or successful phishing campaigns. social engineering also continues to mature, with actors leveraging truste…”
T1204 User Execution
34%
“-based intrusions dominate, with groups like akira regularly exploiting exposed vpns and remote services using stolen or weak credentials, often sourced from infostealers or successful phishing campaigns. social engineering also continues to mature, with actors leveraging truste…”
T1018 Remote System Discovery
34%
“objectives quickly and quietly. their success, however, is often less a reflection of novel tradecraft and more an indictment of security controls that have decayed over time. without regular maintenance and tuning, endpoint defenses lose their edge. outdated detection rules, mis…”
T1598.004 Spearphishing Voice
32%
“in the picture since 2022. aside from scattered spider, they are the only other e-crime group that has been exclusively reliant on social engineering for initial access during their tenure. however, their techniques are distinctly unique. unlike scattered spider who impersonate…”
T1566.004 Spearphishing Voice
32%
“are focused on impersonating real employees and convincing helpdesk technicians to provision them with new credentials to the employees accounts (in some cases, provisioning their own devices with corporate vpn, mfa, etc.), which are then used to pivot access to the corporate e…”
T1657 Financial Theft
32%
“##d it teams. even well-managed environments remain exposed through third-party systems or vendor-managed appliances that quietly fall behind. lastly, insider and third-party access risks, though a smaller slice of overall initial access, showed an uptick in q2, particula…”

Summary

Several ransomware groups used highly targeted social engineering tactics to create a major impact across several industry sectors in Q2 2025.