Arctic Wolf has published its 2026 edition of the company’s annual Threat Report, which analyses hundreds of real‑world incident response engagements and threat intelligence findings from the past year.
The report reveals a continued rise in data‑theft‑driven extortion, sustained pressure from ransomware groups, and a significant increase in attacks that leverage remote access tools rather than technical exploits.
In 2025, ransomware, business email compromise (BEC), and data incidents once again dominated Arctic Wolf’s caseload, accounting for 92% of all incident response engagements. While ransomware remained the most common category, data‑only extortion incidents surged 11x year over year, signaling a strategic shift as threat actors adapt to improved organisational recovery capabilities. The report also finds that 65% of non‑BEC intrusions stemmed from abuse of remote access technologies like RDP, VPN, and RMM tools; which is a dramatic rise that underscores attackers’ preference for low‑friction entry points.
“Attackers continue to rely on operational efficiency – logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities,” said Ismael Valenzuela, vice president, Labs, Threat Research & Intelligence, Arctic Wolf. “Organisations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year.”
Key findings from the 2026 Arctic Wolf Threat & Predictions Report include:
● Ransomware, business email compromise (BEC), and data incidents made up 92% of Arctic Wolf IR cases, with data incidents jumping from 2% to 22% as attackers increasingly focused on data theft and extortion.
● Pre‑ransomware activity accounted for 5% of cases, showing that earlier detection and faster response frequently stopped attacks before encryption.
● In 77% of ransomware cases, organisations did not pay. When they did, professional negotiation reduced demands by an average of 67%. Sixty‑five percent of non‑BEC intrusions stemmed from abuse of RDP, VPN, and RMM tools—up sharply from two years ago—as attackers favoured easy remote access over exploits.
● Phishing drove 85% of BEC incidents, rising significantly as AI made fraudulent messages more convincing and scalable.
● All top‑exploited CVEs were from 2024 or earlier, emphasising the importance of patching and credential rotation after vulnerability exposure.
“We continue to see that early detection completely changes the outcome of an attack,” said Kerri Shafer‑Page, Vice President of Incident Response at Arctic Wolf. “When defenders identify malicious activity before an adversary can detonate ransomware or escalate privileges, the difference in cost, downtime, and business disruption is dramatic. Preparedness allows us to be decisive.”
