
Mandiant M-Trends 2026: What 500,000 Hours of Incident Response Tells Houston Businesses About Today’s Threats


Key findings from Google Mandiant's frontline investigations - and what they mean for Houston businesses.

TL;DR
Mandiant's M-Trends 2026 report reveals exploits remain the top attack vector for the sixth straight year, voice phishing surged to the #2 spot, and ransomware operators now focus on destroying backups rather than just encrypting files. The median hand-off time between initial access brokers and ransomware groups has collapsed to 22 seconds.

Mandiant's M-Trends report has been the cybersecurity industry's annual reality check since 2010. The 2026 edition, built on more than 500,000 hours of frontline incident response work conducted by Mandiant and Google Threat Intelligence Group (GTIG) throughout 2025, paints a picture that should make every business owner sit up and pay attention. The data covers 83 campaigns and eight global events across 73 countries - and the trends it reveals are directly relevant to small and mid-sized businesses across Houston, Katy, and Sugar Land.

We've spent three decades helping businesses handle their IT and cybersecurity challenges. And the M-Trends 2026 findings confirm something we tell clients every week: the threat actors are getting faster, more organized, and more targeted in going after the systems businesses depend on most.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.

The Numbers That Matter Most

Global metrics from 500,000+ hours of Mandiant incident response investigations in 2025:

  • 14 days: global median dwell time (up from 11 days in 2024)
  • 52%: compromises detected internally, up from 43% in 2024
  • 32%: attacks starting with exploits, still #1 for the 6th straight year
  • 22 sec: median hand-off time from access broker to ransomware group

The jump in dwell time from 11 to 14 days might seem like a step backward, but there's context behind the number. Long-term espionage campaigns and North Korean IT worker operations are pulling the median upward. The PRC-nexus group UNC6201, for example, averaged a dwell time exceeding 390 days across its campaigns. When you strip out those outliers, the picture for organizations with active detection programs looks much better.

[Infographic: Mandiant M-Trends 2026 by the numbers. 500K+ hours of incident response; 14 days median dwell time; 32% of attacks via exploits (#1 for 6th year); 22 s access-broker-to-ransomware hand-off; 52% internally detected compromises. Source: Mandiant M-Trends 2026 | CinchOps]

The real bright spot? Internal detection climbed to 52%, up from 43% the year before. That means more organizations are catching attackers themselves rather than getting a call from law enforcement or finding a ransom note. For law firms, CPA practices, and construction companies in the Houston area, that kind of detection capability is what separates a contained incident from a business-ending event.

The most targeted industries in 2025 were high-tech (14.6%), financial services (17%), business and professional services (13.3%), and healthcare (11.9%). Construction and engineering came in at 4.1% - and that number tends to undercount actual exposure since many of these firms don't have the detection tools to even know they've been compromised.

Most Targeted Industries by Mandiant Investigations, 2025 (source: Mandiant M-Trends 2026 | CinchOps):

  • Financial: 17.0%
  • High Tech: 14.6%
  • Business Services: 13.3%
  • Healthcare: 11.9%
  • Retail & Hospitality: 7.3%
  • Government: 5.8%
  • Education: 4.6%
  • Telecom: 4.6%
  • Construction & Eng.: 4.1%
  • Entertainment: 3.4%
  • Energy: 2.2%
  • Utilities: 1.5%

How Attackers Get In: The Infection Vector Shift
Email phishing is fading. Voice phishing, exploits, and prior compromises are the new reality.

If your security strategy still revolves around training employees to spot suspicious emails, you're fighting the last war. Email phishing dropped to just 6% of initial infection vectors in 2025 - down from 14% in 2024 and 22% in 2022. That's a significant trend line.

Here's what replaced it:

  • Exploits (32%): Unpatched software vulnerabilities remain the single biggest door into any organization. The top three exploited vulnerabilities in 2025 were all zero-days in SAP NetWeaver, Oracle E-Business Suite, and Microsoft SharePoint Server. These are enterprise platforms that handle financial data, business operations, and internal documents.
  • Voice phishing (11%): This is the surprise of the year. Attackers are now calling help desks, impersonating employees, and convincing staff to reset passwords or authorize access to applications. The UNC3944 group (overlapping with Scattered Spider) made this technique their signature move.
  • Prior compromise (10%): A separate attacker already had access to the environment before the main threat actor even arrived. This "hand-off" model has changed the game entirely.
  • Stolen credentials (9%): Down from 16% in 2024, but still a significant factor. Infostealers, leaked databases, and dark web forums continue to supply a steady stream of valid login credentials.
  • Insider threat (6%): Up from 5% in 2024. The majority of these insiders were North Korean IT workers, though Mandiant also found cases of financially motivated groups bribing employees for corporate credentials.
How Attackers Get In: Global Initial Infection Vectors, 2025 (source: Mandiant M-Trends 2026 | CinchOps):

  • Exploits: 32%
  • Voice phishing: 11%
  • Prior compromise: 10%
  • Stolen credentials: 9%
  • Web compromise: 8%
  • Email phishing: 6%
  • Insider threat: 6%
  • Third-party: 5%

The ClickFix social engineering technique was one of the more alarming developments. Attackers create fake CAPTCHA pages, driver update prompts, or software compliance checks that convince users to execute PowerShell commands on their own machines. GTIG identified dozens of threat clusters using this technique in 2025.

The median time between an initial access broker gaining a foothold and handing off that access to a secondary ransomware group has collapsed to 22 seconds. In 2022, that gap was over 8 hours. This means that what looks like a "minor" malware infection - a trojanized download, a drive-by compromise - can become a full-blown ransomware event almost immediately. Security teams that deprioritize low-impact alerts are playing a dangerous game.

[Infographic: The 22-second hand-off from initial access broker to ransomware operator. Median time between initial access and hand-off: 8+ hours in 2022, 22 seconds in 2025. Source: Mandiant M-Trends 2026 | CinchOps]

Ransomware Is Now a Resilience Problem
Attackers aren't just encrypting files anymore - they're destroying your ability to recover.

This is probably the most important finding in the entire report for Houston-area business owners. Ransomware operators have fundamentally changed their approach. The old playbook - encrypt files, demand payment, maybe leak some data - has evolved into something far more destructive.

Modern ransomware campaigns are structured takeovers of IT administrative infrastructure. Attackers now systematically target three things before they ever deploy ransomware:

1. Identity Services

Attackers are manipulating Active Directory Certificate Services to issue certificates and impersonate admin accounts. In multiple investigations, Mandiant found threat actors stealing the entire AD database - every hash, every credential in the domain. Some groups forced mass password changes on privileged accounts during the attack, locking defenders out of their own emergency access.

2. Virtualization Infrastructure

Rather than targeting individual servers, attackers go after the hypervisor layer. REDBIKE (known publicly as Akira) was the most frequently observed ransomware family in 2025, and it specifically targets virtual infrastructure. Mandiant found attackers creating unmanaged virtual machines to stage operations outside of security monitoring, and using "snapshot mounting" to steal AD databases without triggering EDR alerts on the guest operating systems.

3. Backup Infrastructure

The final stage is destroying the safety net. Attackers now perform full reconnaissance on backup architectures - accessing admin consoles, mapping storage locations, pulling encryption configurations - before systematically destroying every element required for recovery. The goal is simple: if you can't recover, you're more likely to pay.

Modern Ransomware Kill Chain: Recovery Denial (source: Mandiant M-Trends 2026 | CinchOps):

  1. Identity takeover: AD certs, credential theft, admin lockout
  2. Virtualization compromise: hypervisor access, VM cloning, EDR bypass
  3. Backup destruction: recon, config theft, systematic deletion
  4. Ransomware deployed: no recovery path = max pay pressure

Ransomware accounted for 13% of all Mandiant investigations in 2025. The most common initial vector for ransomware specifically was prior compromise (30%) - meaning another group handed off access. Exploits followed at 27%, and brute-force attacks at 20%.

The most frequently observed ransomware families were REDBIKE (Akira) at 15% of ransomware investigations, followed by AGENDA (Qilin) and ADAPTAGENT at 5% each. The well-established RaaS brands Qilin and Akira became the most active data leak sites in 2025, filling the void left by LockBit and ALPHV (BlackCat) after law enforcement disruptions.

Ransomware-Specific Initial Infection Vectors, 2025 (source: Mandiant M-Trends 2026 | CinchOps):

  • Prior compromise: 30%
  • Exploits: 27%
  • Brute force: 20%
  • Stolen credentials: 10%
  • Web compromise: 10%

Your Backup Strategy Needs an Upgrade

If your backup system is on the same network as your production systems, it's a target. Mandiant's findings confirm that ransomware operators are specifically seeking out and destroying backup infrastructure before deploying their payload. Air-gapped, immutable backups aren't optional anymore - they're survival essentials. CinchOps provides business continuity and disaster recovery solutions designed to withstand exactly this kind of attack.

The AI Factor: Not the Cause - Yet
Attackers are using AI as a productivity tool, not a breakthrough weapon. That distinction matters.

There's a lot of noise about AI-powered cyberattacks. M-Trends 2026 puts that in perspective. Mandiant's direct assessment: 2025 was not the year where breaches were the direct result of AI. The vast majority of successful intrusions still come from human and systemic failures - unpatched software, weak credentials, social engineering that works because people trust phone calls.

That said, attackers are definitely integrating AI into their workflows. Here's what Mandiant actually observed:

  • Social engineering acceleration: State-sponsored and financially motivated groups are using large language models to move beyond mass email campaigns toward hyper-personalized, rapport-building social engineering. The phishing emails are better written, the vishing scripts are more convincing, and the pretexts are more tailored.
  • Malware that queries AI mid-execution: Malware families like PROMPTFLUX and PROMPTSTEAL actively query LLMs during execution to help evade detection. The QUIETVAULT credential stealer checks for AI CLI tools on compromised machines and uses them to search for configuration files.
  • AI-themed lures: Attackers are using fake AI-themed websites and applications as bait, capitalizing on the hype cycle around AI tools to trick users into downloading malware.
  • "Distillation attacks": These attacks target the proprietary logic and training data of high-value machine learning models - a growing concern for companies building or deploying AI systems.

For wealth management firms and manufacturing companies in the Houston area, the takeaway is straightforward: AI isn't creating new attack categories yet, but it's making existing attacks faster and harder to spot. Your people need to be ready for phishing that doesn't look like phishing.

AI in the Attack Lifecycle: Where It's Used vs. Where It's Not (Yet) (source: Mandiant M-Trends 2026 | CinchOps):

  • ✓ Active, social engineering: LLMs generate hyper-personalized phishing and vishing scripts
  • ✓ Active, evasion: PROMPTFLUX and PROMPTSTEAL query LLMs mid-execution to dodge detection
  • ✓ Active, lures and bait: fake AI-themed sites trick users into downloading malware
  • ✗ Not yet, direct breach cause: no 2025 breaches were the direct result of AI, per Mandiant

Voice Phishing and Cloud: The New Attack Surface
Cloud-specific compromises are driven by social engineering, not just technical exploits.

The rise of voice phishing is one of the defining trends of 2025. For cloud-specific compromises investigated by Mandiant, voice phishing was the #1 initial infection vector at 23%, followed by third-party compromise (17%), stolen credentials (16%), and email phishing (15%).

Cloud-Specific Initial Infection Vectors, 2025 (source: Mandiant M-Trends 2026 | CinchOps):

  • Voice phishing: 23%
  • Third-party: 17%
  • Stolen credentials: 16%
  • Email phishing: 15%
  • Insider threat: 14%
  • Exploits: 6%

The UNC6040 campaign is a good case study. Attackers used voice phishing to convince targets to provide credentials and authorize access to legitimate SaaS applications. Those organizations then received ShinyHunters-branded extortion notes weeks or months later demanding payment for stolen data. The gap between data theft and extortion was so large that Mandiant tracks the extortion activity as a separate threat cluster (UNC6240).

UNC3944, which overlaps with the group publicly known as Scattered Spider, targeted help desks directly - impersonating employees to request password resets and MFA changes. Once inside cloud environments, they conducted extensive recon across SharePoint, Azure Portal, M365 email, and privileged access management solutions before extracting sensitive data.

Mandiant identified evidence of data theft in 59% of cloud compromises. A third of cloud cases supported financially motivated objectives including employment fraud, data theft extortion, ransomware, and payment redirection.

Key Takeaway

For businesses relying on Microsoft 365, Google Workspace, or other cloud platforms, the message is clear: your cloud security is only as strong as the humans answering the phone at your help desk. Cypress and The Woodlands area businesses running on cloud platforms need verification protocols that go beyond "the caller sounds like they know what they're talking about."

Edge Devices: The Visibility Gap Attackers Love
VPNs, routers, and network appliances sit outside EDR coverage - and attackers know it.

M-Trends 2026 highlights a pattern that should concern every oil and gas company and energy services firm in the Houston area: sophisticated threat actors are deliberately targeting network edge devices that sit outside the reach of endpoint detection tools.

The PRC-nexus espionage group UNC6201 deployed the BRICKSTORM backdoor on Linux- and BSD-based appliances from multiple manufacturers - devices that don't support traditional EDR solutions. From there, they used valid credentials to access VMware vCenter servers and ESXi hosts, cloned virtual machines containing single sign-on identity providers, secret vaults, and domain controllers, and then accessed the sensitive data in the powered-off cloned VMs to avoid triggering security alerts.

UNC5807, associated with "Salt Typhoon" public reporting, focuses on telecommunications infrastructure - exploiting vulnerabilities in VPN solutions and routers to establish initial access, then targeting authentication protocols like TACACS+ and RADIUS using packet capture capabilities built into the compromised appliances themselves.

[Infographic: The log retention blind spot, 90 days vs. 393-day average dwell. Typical log retention: 90 days. Average BRICKSTORM dwell time: 393 days. That leaves 303 days of invisible attacker activity; evidence of initial access simply doesn't exist. Source: Mandiant M-Trends 2026 | CinchOps]

The challenge for defenders is real. These specialized appliances frequently lack support for conventional monitoring and security tools, making them ideal targets for threat actors seeking long-term, covert access. Most organizations only retain 90 days of logs, but the average BRICKSTORM campaign lasted 393 days. In those cases, evidence of initial access simply doesn't exist anymore.

Key Takeaway

Mandiant's recommendation: organizations should audit their logging configurations to cover frequently overlooked assets including hypervisors, network edge devices, routers, and authentication data for all servers. Logs should be forwarded to centralized, protected storage - and alerts should fire if a logging source unexpectedly stops.
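One way to implement the "alert if a logging source stops" recommendation, as an added example that is not Mandiant's or CinchOps's code: given a constructed inventory of assets expected to forward logs (the asset names and tolerated gaps are assumptions) and a constructed sample of events a central collector received, it flags every source that has gone silent beyond its tolerance or never reported at all.

```python
"""Silent log-source detector (added example; not Mandiant or CinchOps code).

Given an inventory of assets that are expected to forward logs and the events a
central collector actually received, flag every source that has gone quiet for
longer than its expected reporting interval, or that never reported at all.
Hypervisors, VPN appliances and routers cannot run EDR, so their log feed is
often the only signal defenders have; they get the tighter tolerances below.
All asset names, intervals and log lines are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: source name -> longest gap (minutes) tolerated before
# the source is treated as silent. Names and intervals are assumptions.
EXPECTED_SOURCES = {
    "dc01": 5,            # domain controller: authentication events are constant
    "esxi-host-01": 15,   # hypervisor: outside EDR coverage, logs are the only view
    "vpn-edge-01": 15,    # VPN appliance: no EDR agent possible
    "core-rtr-01": 30,    # router: syslog only
    "backup-srv-01": 60,  # backup server: periodic job events
}

# Constructed sample of what the collector received: "<UTC timestamp> <source> <message>".
RECEIVED_EVENTS = """\
2025-06-01T12:00:05Z dc01 4624 logon success user=jdoe
2025-06-01T12:02:10Z dc01 4624 logon success user=svc-backup
2025-06-01T11:20:00Z esxi-host-01 hostd vm cloned name=idp-01-clone
2025-06-01T11:58:30Z vpn-edge-01 sslvpn session start user=jdoe
2025-06-01T12:03:00Z backup-srv-01 job completed repo=primary
"""

# Constructed evaluation time for the demo run.
NOW = datetime(2025, 6, 1, 12, 5, tzinfo=timezone.utc)


def parse_events(text):
    """Return {source: most recent timestamp} from the received event lines."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, source, _message = line.split(" ", 2)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    return latest


def find_silent_sources(expected, events_text, now):
    """Return {source: reason} for every inventoried source that is overdue.

    'never reported' catches assets that are inventoried but were never wired
    into the collector; 'silent for N min' catches feeds that stopped, which is
    the signal a disabled or tampered appliance log stream produces.
    """
    latest = parse_events(events_text)
    silent = {}
    for source, max_gap_minutes in expected.items():
        if source not in latest:
            silent[source] = "never reported"
            continue
        gap = now - latest[source]
        if gap > timedelta(minutes=max_gap_minutes):
            silent[source] = f"silent for {int(gap.total_seconds() // 60)} min"
    return silent


def run_demo():
    """Evaluate the constructed inventory against the constructed events at NOW."""
    return find_silent_sources(EXPECTED_SOURCES, RECEIVED_EVENTS, NOW)


if __name__ == "__main__":
    for source, reason in sorted(run_demo().items()):
        print(f"ALERT {source}: {reason}")
```

In the constructed data the hypervisor feed has been quiet for 45 minutes and the router was inventoried but never connected to the collector; both are exactly the gaps that let a long-dwell intrusion go unnoticed.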

How CinchOps Can Help
Practical steps to protect your Houston-area business against the threats Mandiant identified.

The M-Trends 2026 findings map directly to the services CinchOps delivers for small and mid-sized businesses across the Houston metro. In 30+ years of technology leadership, including senior roles at Cisco and NinjaOne, we've seen threat patterns evolve - and the 2025 data confirms that the fundamentals matter more than ever.

  • Patch management and vulnerability scanning: Exploits are the #1 infection vector for the sixth consecutive year. CinchOps monitors and patches your systems on a defined schedule so zero-days and known vulnerabilities get addressed before attackers find them.
  • Help desk verification protocols: With voice phishing now the #2 attack vector, your help desk is a primary target. CinchOps implements verification procedures that prevent social engineering attacks from succeeding through phone calls.
  • Backup infrastructure hardening: Ransomware operators specifically target and destroy backups before deploying their payload. CinchOps designs backup architectures with air-gapped, immutable copies that survive even a full environment compromise.
  • Identity and access management: Attackers are manipulating Active Directory and cloud identity services. CinchOps configures and monitors identity infrastructure with MFA enforcement, certificate services auditing, and privileged access controls.
  • 24/7 monitoring and alert triage: When the hand-off from access broker to ransomware group takes 22 seconds, you can't afford to let a low-priority alert sit in a queue. CinchOps provides continuous monitoring with defined response SLAs.
  • Edge device and network security: The visibility gaps on VPNs, routers, and appliances are exactly where sophisticated attackers hide. CinchOps ensures these devices are inventoried, patched, logged, and monitored.

The data doesn't lie. The organizations that survive modern cyberattacks are the ones that invest in detection, response, and recovery before the attack happens - not after.

Frequently Asked Questions

What is the Mandiant M-Trends report and why does it matter for Houston businesses?

Mandiant M-Trends is an annual cybersecurity report based on over 500,000 hours of real-world incident response investigations. It documents the actual tactics, techniques, and procedures attackers used in confirmed breaches during 2025. For Houston businesses, it provides a data-driven view of how cyberattacks happen and which defenses actually work - not theory, but observed reality from the front lines.

What is the biggest cybersecurity threat to small businesses in 2025 according to M-Trends?

Exploits targeting unpatched software vulnerabilities were the #1 initial infection vector at 32% of all incidents. For small businesses, the rise of the "hand-off" model is equally concerning - initial access brokers compromise a business through low-impact techniques like drive-by downloads, then sell or hand that access to ransomware groups in as little as 22 seconds. A minor malware infection can become a ransomware event almost instantly.

How are ransomware attacks different in 2025 compared to previous years?

Ransomware operators now prioritize destroying an organization's ability to recover over simply encrypting files. They target identity services like Active Directory, virtualization management infrastructure, and backup systems before deploying ransomware. The goal is to eliminate every recovery option so organizations face maximum pressure to pay. Prior compromise was the #1 initial vector for ransomware incidents at 30% in 2025.

What is voice phishing and why did it surge in 2025?

Voice phishing, or vishing, involves attackers calling an organization's staff - often the help desk - while impersonating an employee or contractor to request password resets, MFA changes, or application access. It surged to 11% of all initial infection vectors in 2025 (and 23% of cloud-specific compromises) because it bypasses technical email security controls and exploits human trust in real-time conversation.

How can a managed IT provider help protect against the threats identified in M-Trends 2026?

A managed IT services provider addresses the core vulnerabilities M-Trends identified: consistent patch management to close the exploit gap, help desk verification protocols to counter voice phishing, hardened backup architectures to survive ransomware, 24/7 monitoring to catch low-priority alerts before they escalate, and edge device management to close the visibility gaps attackers exploit. CinchOps provides all of these services for businesses with 10-200 employees across the Houston metro area.
