Arctic Wolf's 2026 Threat Report highlights notable trends in the cybersecurity landscape. Data-theft-driven extortion and the increasing use of remote access tools emerged as key focus areas, reflecting evolving patterns in cyber threats.
In 2025, Arctic Wolf responded to numerous ransomware, business email compromise (BEC), and data-related incidents, which together accounted for 92% of all incident response cases. While ransomware remained the most common threat, data-only extortion incidents rose elevenfold, indicating a shift in tactics among cyber actors.
The report also found that 65% of non-BEC breaches involved the exploitation of remote access technologies, such as RDP, VPN, and RMM tools, demonstrating a preference among attackers for lower-friction entry points over complex technical exploits.
Key findings include:
- Ransomware, BEC, and data incidents: These represented the majority of cases, with data-focused threats increasing from 2% to 22%.
- Pre-ransomware activity: Accounted for 5% of cases, showing the value of early detection.
- Ransom demands: Professional negotiations reduced demands by an average of 67%, with most organisations choosing not to pay.
- Phishing: Responsible for 85% of BEC incidents, with AI making scams more convincing.
- Exploited CVEs: All top-exploited vulnerabilities were from 2024 or earlier, highlighting the importance of patch management.
Ismael Valenzuela, Vice President of Threat Research & Intelligence at Arctic Wolf, notes that attackers increasingly focus on efficiency, prioritising stealth and subtle methods rather than high-complexity exploits.
Kerri Shafer-Page, Vice President of Incident Response, adds that early detection significantly affects outcomes, with timely identification helping organisations prevent more serious consequences.
These findings emphasise the importance of strong security measures, including visibility, identity protection, and controlled remote access, to mitigate emerging threats.
