The New Ransomware Reality: Identity, SaaS, and Trust Exploitation
Published June 9, 2026
Ransomware remains one of the most disruptive threats facing organizations today, but the way these attacks unfold has fundamentally changed.
For years, ransomware was largely viewed as a malware problem. Attackers exploited vulnerabilities, deployed malicious payloads, encrypted systems, and demanded payment. While those tactics still exist, ransomware operations now increasingly rely on something far simpler and far more effective: legitimate access.
Attackers are no longer just breaking into environments. Increasingly, they are logging in.
Research conducted by Ontinue’s Advanced Threat Operations (ATO) team throughout H2 2025 identified a significant shift toward identity compromise, SaaS trust exploitation, and Access-as-a-Service models that are reshaping how ransomware operators gain entry, move laterally, and scale attacks across organizations and supply chains.
The findings reinforce the broader reality emerging across the threat landscape that ransomware resilience is no longer just a malware problem. It has become an identity, SaaS, and trust problem.
What Ontinue Observed in H2 2025
Analysis conducted by Ontinue’s ATO team, informed by frontline investigations, telemetry from the Ontinue ION SecOps platform, and broader ransomware intelligence sources, revealed several consistent trends throughout 2025:
- More than 7,000 ransomware attacks publicly reported globally
- Approximately $820 million in tracked ransomware payments
- Increasing use of compromised identities, OAuth abuse, and SaaS trust exploitation
- Double, triple, and quadruple extortion tactics becoming standard
- Continued dominance from ransomware groups including Qilin, Akira, and CL0P
At the same time, Ontinue observed attackers increasingly leveraging valid credentials, session tokens, cloud identities, and third-party relationships to quietly move through trusted environments without relying solely on traditional exploit-driven attacks.
Ransomware Has Shifted From Exploitation to Access
One of the clearest shifts observed throughout 2025 was the growing role of identity-driven intrusion models.
Rather than spending time breaking through hardened environments, ransomware operators increasingly purchase or harvest valid access through:
- Infostealer infections
- Stolen credentials
- Session hijacking
- Cloud identity compromise
- Third-party access pathways
- Access-as-a-Service marketplaces
This dramatically changes how ransomware attacks unfold.
When attackers authenticate using legitimate credentials, the activity often appears entirely normal. Traditional malware detection may never trigger, cloud access blends into expected behavior, and lateral movement becomes both faster and quieter. At the same time, SaaS environments and trusted integrations become significantly harder for security teams to monitor effectively, especially when attackers are operating through legitimate authentication flows and valid access.
The rise of infostealers and underground access marketplaces has made valid access scalable, affordable, and increasingly difficult to detect.
In many cases, ransomware operators no longer need sophisticated intrusion capabilities themselves. They can simply buy access into already-compromised environments.
SaaS and Trusted Relationships Are Expanding the Blast Radius
Enterprise environments are deeply interconnected and often rely heavily on:
- SaaS applications
- Cloud platforms
- APIs
- Third-party vendors
- Managed service providers
- Automation workflows
- Federated identity systems
Attackers increasingly exploit these trusted relationships to expand the scale and downstream impact of ransomware attacks. Ontinue investigations throughout H2 2025 identified growing abuse of cloud identities, OAuth tokens, and third-party integrations to move laterally across interconnected environments.
This helps explain why ransomware incidents increasingly extend beyond a single organization and disrupt broader operational ecosystems.
One of the clearest examples was the 2025 ransomware attack affecting Jaguar Land Rover. Production shutdowns disrupted manufacturing operations and threatened dependent suppliers across the broader supply chain, ultimately contributing to a reported $2 billion government-backed support package designed to stabilize affected operations.
Similarly, ransomware-related disruptions impacting aviation and transportation providers demonstrated how attacks on interconnected digital services can quickly cascade across multiple industries and countries.
The implications are significant.
Ransomware is no longer simply an IT disruption problem. It has become a business continuity, operational resilience, and ecosystem trust problem.
The Extortion Model Has Evolved
Ontinue’s research also identified continued evolution in ransomware extortion tactics throughout 2025.
Encryption alone is no longer enough to pressure organizations into paying. Ransomware operations increasingly combine:
- Data theft
- Public leak threats
- DDoS extortion
- Regulatory pressure
- Direct intimidation of employees or customers
These multi-layered extortion campaigns significantly increase both operational and reputational pressure during incidents.
Even organizations capable of restoring encrypted systems from backups may still face a variety of negative business outcomes, including:
- Exposure of sensitive customer data
- Regulatory scrutiny
- Supply chain disruption
- Long-term reputational damage
- Operational outages across interconnected environments
Ransomware operators increasingly understand that the most effective leverage is not necessarily technical disruption.
It is business disruption.
The Ransomware Ecosystem Is Fragmenting, Not Disappearing
Despite major law enforcement actions and periodic disruption of ransomware groups, Ontinue’s research indicates the broader ecosystem remains highly active and increasingly decentralized.
Analysis of publicly reported ransomware activity throughout 2025 showed:
- More than 8,800 publicly claimed breaches
- 129 active ransomware groups observed
- Qilin, Akira, and CL0P accounting for a significant portion of tracked activity
Rather than disappearing, ransomware operations increasingly resemble fragmented criminal business networks involving:
- Access brokers
- Affiliate operators
- Infrastructure providers
- Credential theft groups
- Extortion specialists
This fragmentation creates resilience within the ecosystem itself. Even when individual groups are disrupted, operators frequently reorganize under new partnerships, infrastructure, or branding while continuing the same underlying activity.
Most Targeted Industries in 2025
Ontinue’s analysis of publicly reported ransomware activity showed attacks distributed broadly across industries, reinforcing that no sector can assume lower risk exposure.
The most targeted sectors in 2025 included:

Manufacturing remained especially impacted, highlighting the growing intersection between ransomware, operational technology (OT), and supply chain disruption.
Why Security Operations Must Evolve
This evolving ransomware landscape creates a fundamentally different challenge for security teams.
Today’s ransomware attacks increasingly generate low-noise, legitimate-looking activity spread across cloud, endpoint, SaaS, and identity environments. Attackers are leveraging trusted authentication flows, valid credentials, cloud-native attack paths, and third-party integrations in ways that often blend into normal enterprise operations.
As a result, traditional alert-driven security models frequently struggle to correlate these subtle behaviors quickly enough to stop attackers before access expands or lateral movement begins.
Defending against ransomware therefore requires more than malware prevention and endpoint protection alone. Organizations must improve visibility into identity activity, strengthen authentication controls, govern SaaS and third-party access more effectively, and enhance their ability to rapidly investigate suspicious behavior across interconnected environments.
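As an added illustration (not code from the Ontinue research) of the cross-signal correlation this paragraph calls for: each sign-in below is valid on its own, and only correlating the session id, ASN and a subsequent OAuth consent reveals a replayed session followed by third-party persistence. The event fields and the telemetry are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed identity telemetry for illustration (not real logs): sign-ins that
# carry a session id, plus one OAuth consent grant. Field names are assumptions.
EVENTS = [
    {"ts": "2025-11-04T08:02:00", "user": "alice", "type": "signin",
     "session": "S1", "asn": "AS64500", "country": "CH"},
    {"ts": "2025-11-04T08:41:00", "user": "alice", "type": "signin",
     "session": "S1", "asn": "AS64511", "country": "RO"},
    {"ts": "2025-11-04T08:55:00", "user": "alice", "type": "oauth_consent",
     "app": "MailSync Helper", "scopes": "Mail.ReadWrite offline_access"},
    {"ts": "2025-11-04T09:10:00", "user": "bob", "type": "signin",
     "session": "S2", "asn": "AS64500", "country": "CH"},
    {"ts": "2025-11-04T13:00:00", "user": "bob", "type": "signin",
     "session": "S2", "asn": "AS64500", "country": "CH"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def find_session_reuse(events, window=timedelta(hours=2)):
    """Flag one session id seen from two different ASNs within `window`.
    No password prompt or malware is involved; the second sign-in reuses a
    token that was valid when issued, so only correlation exposes it."""
    alerts, seen = [], {}
    for e in sorted(events, key=_t):
        if e["type"] != "signin":
            continue
        for prev in seen.get(e["session"], []):
            if prev["asn"] != e["asn"] and _t(e) - _t(prev) <= window:
                alerts.append({"user": e["user"], "session": e["session"],
                               "ts": e["ts"], "from": prev["asn"], "to": e["asn"]})
        seen.setdefault(e["session"], []).append(e)
    return alerts

def find_consent_after_reuse(events, reuse_alerts, window=timedelta(hours=1)):
    """Flag OAuth app consents granted by a user shortly after a flagged session
    reuse: a trusted integration that keeps access without any endpoint payload."""
    hits = []
    for e in events:
        if e["type"] != "oauth_consent":
            continue
        for a in reuse_alerts:
            delta = _t(e) - datetime.fromisoformat(a["ts"])
            if a["user"] == e["user"] and timedelta(0) <= delta <= window:
                hits.append({"user": e["user"], "app": e["app"],
                             "scopes": e["scopes"], "after_session": a["session"]})
    return hits

if __name__ == "__main__":
    for h in find_consent_after_reuse(EVENTS, find_session_reuse(EVENTS)):
        print("review consent:", h)
```

Bob's two sign-ins share a session id but the same ASN, so they produce no alert; the point is that the ASN change on a single session, not the sign-in itself, is the signal worth investigating.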
This is also where the right managed security operations partner can play an increasingly important role. Detecting identity-driven attacks often depends on the ability to analyze and correlate behavioral signals across cloud, endpoint, SaaS, and authentication systems at scale.
Combining AI-driven investigation with human expertise can help organizations identify suspicious access patterns earlier, reduce investigation time, and accelerate containment before ransomware operators can fully establish footholds or expand access across environments.
The Bigger Picture
The evolution of ransomware reflects a broader shift occurring across the cyber threat landscape.
Attackers increasingly do not need to exploit systems in the traditional sense. Instead, they are leveraging:
- Trusted identities
- Valid credentials
- SaaS integrations
- Third-party relationships
- Legitimate authentication flows
That fundamentally changes the defensive challenge.
Organizations that continue viewing ransomware primarily as a malware problem will increasingly struggle to keep pace with how these attacks now operate.
In today’s threat landscape, ransomware resilience is no longer just about recovery.
It is about protecting identity, trust, and access before attackers can weaponize them.
Research Methodology
This research was developed by Ontinue’s Advanced Threat Operations (ATO) team and is informed by frontline investigations across customer environments, telemetry from the Ontinue ION SecOps platform, analysis of publicly reported ransomware activity, and complementary industry threat intelligence research.
This article is the first in a broader Ontinue research series examining how ransomware operations evolved throughout 2025, including identity-driven intrusion models, SaaS trust exploitation, modern extortion tactics, ransomware ecosystem fragmentation, and the growing operational impact of ransomware across industries and supply chains.
