Cyberattacks Just Got 1,454x Faster: What the M-Trends 2026 Report Means for Your Business

Reza

The cybersecurity landscape just shifted in a big way. Google's Mandiant team released their M-Trends 2026 report this week, and the findings are eye-opening. Based on over 500,000 hours of real-world incident response investigations in 2025, the data shows one clear pattern: attackers aren't just getting smarter. They're getting faster.

How much faster? In 2022, when a criminal got into your network, it took an average of 8 hours before they handed off that access to a ransomware gang. In 2025, that window collapsed to 22 seconds. That's not a typo. Twenty-two seconds.

If you're running a small or mid-sized business, this matters. A lot. Here's what you need to know and what you can actually do about it.

The 22-Second Problem

Let's talk about what's happening here. Cybercrime has turned into an assembly line. One group specializes in breaking in. Another group specializes in deploying ransomware. They've streamlined the handoff to the point where it's almost instantaneous.

According to the Mandiant research, initial access brokers now pre-stage the ransomware group's tools during the first infection. By the time the ransomware crew logs in, everything they need is already there. They don't waste time setting up. They just go.

This changes everything about how you need to think about alerts. That single infected laptop? The one your antivirus flagged but didn't seem like a big deal? You might have 22 seconds before that becomes a full-blown ransomware attack across your entire network.

How They're Getting In

Exploits are still the number one way attackers break into businesses, accounting for 32% of incidents. But here's what caught our attention: voice phishing (vishing) jumped to 11%, making it the second most common entry point.

Traditional email phishing has dropped to just 6%. Attackers realized that people are getting better at spotting fake emails, and automated filters are catching more of them. So they switched tactics.

Now they're calling your help desk. They're pretending to be employees who forgot their passwords. They're using social engineering to convince your IT team to reset credentials or disable multi-factor authentication. It works because it's personal, it's interactive, and it bypasses the technical controls that stop email-based attacks.

The CSO Online analysis of the report highlights how groups like UNC3944 (publicly known as Scattered Spider) have perfected this approach, targeting help desk staff with convincing impersonation attacks.

The Backup Destruction Strategy

Ransomware operators have figured something out: encryption alone doesn't guarantee payment. If you have good backups, you can just restore and move on. So they've adapted.

Modern ransomware groups now actively target your backup infrastructure before deploying encryption. They're looking for:

  • Backup management consoles
  • Virtual machine snapshots
  • Cloud storage backups
  • Active Directory Certificate Services (for creating persistent admin accounts)
  • Hypervisor management platforms

In multiple 2025 incidents investigated by Mandiant, attackers logged into backup systems, pulled credentials from configuration databases, and deleted millions of backup objects from cloud storage. Then they encrypted what was left.

This isn't theoretical. Groups using REDBIKE (also known as Akira) and AGENDA (Qilin) ransomware are doing this routinely. The goal isn't just to lock your files. It's to make recovery impossible, forcing you to either pay the ransom or rebuild everything from scratch.

How Long Are Attackers Hiding in Your Network?

The global median dwell time (the period between when an attacker gets in and when you discover them) rose to 14 days in 2025, up from 11 days in 2024. But that number hides something important.

For financially motivated attackers deploying ransomware, dwell time can be very short - sometimes just hours. But for cyber espionage groups and North Korean IT worker schemes, the median dwell time was 122 days. Four months. Some cases stretched past 400 days.

Organizations that detected intrusions internally found them in about 9 days. But when an external party notified you (like a customer, partner, or law enforcement), it took a median of 25 days. That gap tells you something: if you're relying on someone else to tell you you've been breached, the damage is already done.

The good news is that more companies are catching intrusions themselves. In 2025, 52% of organizations detected evidence of malicious activity internally, up from 43% in 2024. That improvement matters.

What Small Businesses Can Actually Do

This report isn't meant to scare you. It's meant to give you clarity. Here's what we recommend based on these findings:

1. Treat Every Alert Seriously

With handoff times measured in seconds, you can't afford to let low-level alerts sit in a queue for days. A single compromised machine today could become a company-wide ransomware incident by tomorrow morning.

If your antivirus flags something, investigate it immediately. If you see unusual login attempts, failed authentication events, or strange network traffic, don't ignore it. Speed matters now more than ever.

2. Protect Your Backups Like Crown Jewels

Your backup environment should be completely isolated from your main network. That means:

  • Separate credentials (not your domain admin account)
  • Multi-factor authentication on all backup consoles
  • Immutable backups that can't be deleted or modified
  • Regular testing to make sure restores actually work

We've seen too many businesses discover their backups were compromised only after they needed them. Don't be one of them.

If you need help setting up a proper backup and disaster recovery solution, it's worth getting professional help to do it right.

3. Rethink Your Identity Security

Voice phishing works because attackers are bypassing technical controls by manipulating people. Your help desk needs training on how to verify identity requests. Your IT team needs clear protocols for password resets and MFA changes.

Consider implementing:

  • Callback verification for any authentication changes
  • Out-of-band confirmation (like texting a registered phone number)
  • Strict policies around who can authorize account changes
  • Regular security awareness training for your entire team

4. Monitor for the Right Things

Static indicators of compromise (like known malware signatures) aren't enough anymore. Attackers are using legitimate tools and in-memory malware that doesn't leave traditional forensic traces.

You need behavioral detection. That means watching for:

  • Unusual access patterns (someone logging in from a new location or device)
  • Bulk data downloads or transfers
  • Access to systems a person doesn't normally use
  • Failed authentication attempts followed by successful ones
  • Changes to backup configurations or security settings

A good Security Operations Center (SOC) can monitor for these patterns 24/7.

5. Extend Your Log Retention

If attackers can hide in your network for 122 days (or longer), your standard 90-day log retention isn't enough to investigate what happened. You need logs from network devices, cloud services, and authentication systems stored for at least 6-12 months.

This isn't just for forensics. It's for understanding how they got in, what they did, and whether you've actually kicked them out.

6. Segment Your Network

If everything on your network can talk to everything else, a single compromised laptop becomes a launching pad for total network access. Network segmentation limits how far an attacker can move laterally.

Critical systems - especially backup servers, domain controllers, and hypervisor management consoles - should be on isolated networks with strict access controls.

7. Patch Aggressively

The report found that the mean time to exploit vulnerabilities has turned negative. In 2025, it was estimated at -7 days, meaning attackers are exploiting flaws before patches are even released.

You can't prevent zero-day attacks, but you can make sure you're patched for everything that has a fix available. The three most exploited vulnerabilities in 2025 all had patches available, but many organizations hadn't applied them.

If you're struggling to keep up with patching and updates, that's what managed IT services are for.

The Industries Being Targeted Most

The high-tech sector led all industries in 2025 investigations (17%), followed by financial services (14.6%), healthcare, and business services. But honestly, no industry is safe.

If you're in healthcare, you already know you're a target because of HIPAA compliance requirements and valuable patient data. If you run a car dealership, you're dealing with FTC Safeguards Rule compliance and customer financial information. Legal firms, engineering companies, and financial services all hold sensitive data that makes them attractive targets.

The point is this: it doesn't matter what industry you're in. If you have data, systems, and the ability to pay a ransom, you're a potential target.

What About AI in Attacks?

There's been a lot of hype about AI-powered cyberattacks. The M-Trends report puts it in perspective.

Yes, attackers are using large language models to improve phishing messages, accelerate reconnaissance, and evade detection. Malware families like PROMPTFLUX and PROMPTSTEAL query LLMs during execution to adapt their behavior. The QUIETVAULT credential stealer even checks for AI command-line tools on compromised machines.

But the report's assessment is clear: "2025 was not the year where breaches were the direct result of AI. Most successful intrusions continued to stem from human and systemic failures."

Translation: The fundamentals still matter. Attackers don't need AI to break into your network if you haven't patched a six-month-old vulnerability or if your help desk will reset passwords over the phone without verifying identity.

Moving Forward

The M-Trends 2026 report makes one thing abundantly clear: the time to react is shrinking. Attackers are faster, more specialized, and more focused on denying you the ability to recover. But they're not unbeatable.

Most of what makes businesses vulnerable are things you can fix:

  • Outdated software that hasn't been patched
  • Weak authentication policies
  • Inadequate backup protection
  • Poor network segmentation
  • Lack of monitoring and alerting
  • Insufficient security training

None of these require a massive budget or a dedicated security team. They require attention, planning, and follow-through.

If you're handling this yourself, the Mandiant report (available as a free download) includes detailed technical recommendations worth reviewing with your IT team.

If you'd rather have professionals handle it, that's what we do. We help businesses in Orange County and beyond build security programs that actually work - not theoretical frameworks, but practical protections based on how attackers operate in the real world.

You can reach us at (949) 381-1010 or through our contact page. We're happy to review your current setup and identify where you're most vulnerable.

Frequently Asked Questions

What is the M-Trends 2026 report?

The M-Trends 2026 report is an annual cybersecurity analysis published by Mandiant (now part of Google Cloud) based on real-world incident response investigations. The 2026 edition analyzed over 500,000 hours of investigations from 2025, providing insights into how attackers are actually breaking into organizations, how long they're staying, and what tactics are working.

How did attack handoff time drop from 8 hours to 22 seconds?

Cybercriminal groups have specialized. Initial access brokers (who break into networks) now pre-stage all the tools and access that ransomware groups need during the initial infection. When the ransomware team takes over, everything is ready to go. This assembly-line approach eliminates the delays that used to give defenders time to detect and respond.

Should small businesses be worried about these advanced attacks?

Yes, but not paralyzed. While the tactics are sophisticated, most successful attacks still exploit basic weaknesses: unpatched software, weak passwords, lack of multi-factor authentication, and poor backup practices. Small businesses can significantly reduce risk by focusing on fundamentals: regular patching, strong authentication, isolated backups, employee training, and active monitoring.

What's the difference between dwell time for ransomware vs. espionage attacks?

Ransomware groups move fast - often deploying encryption within hours or days of initial access. Their dwell time can be very short. Cyber espionage groups and insider threats (like North Korean IT workers) optimize for long-term persistence, with median dwell times of 122 days or more. They hide in your network for months, stealing data quietly without triggering alarms.

How can I tell if attackers are already in my network?

Look for anomalies: unusual login times or locations, failed authentication attempts followed by successful ones, access to systems or data that employees don't normally use, large data transfers, changes to backup or security configurations, and new administrative accounts. A professional vulnerability assessment and network security audit can identify signs of compromise you might miss.
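As an added example (not code from this post or from Mandiant), here is a small Python detector over constructed sign-in events that flags two of the behaviors listed under "Monitor for the Right Things" and in this answer: a burst of failed authentications followed by a success, and a sign-in from a device outside a user's baseline. The usernames, IP addresses, device names, baseline and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, result, source_ip, device).
# All values are made up for this example.
EVENTS = [
    ("2025-06-03T08:01:10", "alice", "FAIL",    "10.0.0.12",   "LT-ALICE"),
    ("2025-06-03T08:01:25", "alice", "FAIL",    "10.0.0.12",   "LT-ALICE"),
    ("2025-06-03T08:01:40", "alice", "FAIL",    "10.0.0.12",   "LT-ALICE"),
    ("2025-06-03T08:01:55", "alice", "FAIL",    "10.0.0.12",   "LT-ALICE"),
    ("2025-06-03T08:02:30", "alice", "SUCCESS", "10.0.0.12",   "LT-ALICE"),
    ("2025-06-03T09:15:00", "bob",   "SUCCESS", "10.0.0.40",   "LT-BOB"),
    ("2025-06-03T21:44:12", "bob",   "SUCCESS", "203.0.113.7", "UNKNOWN-PC"),
    ("2025-06-03T10:00:00", "carol", "FAIL",    "10.0.0.51",   "LT-CAROL"),
    ("2025-06-03T10:00:30", "carol", "SUCCESS", "10.0.0.51",   "LT-CAROL"),
]

# Constructed baseline: devices each user has been seen signing in from before.
BASELINE = {"alice": {"LT-ALICE"}, "bob": {"LT-BOB"}, "carol": {"LT-CAROL"}}

def parse(event):
    ts, user, result, ip, device = event
    return (datetime.fromisoformat(ts), user, result, ip, device)

def detect(events, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (user, alert_type, detail) tuples for the two behaviors:
    a burst of failures followed by a success, and a sign-in from a device
    that is not in the user's baseline."""
    findings = []
    recent_fails = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, result, ip, device in sorted(map(parse, events)):
        if result == "FAIL":
            recent_fails[user].append(ts)
            continue
        # Only failures inside the look-back window count toward the burst.
        fails = [t for t in recent_fails[user] if ts - t <= window]
        if len(fails) >= fail_threshold:
            findings.append((user, "failures_then_success",
                             f"{len(fails)} failures before success from {ip}"))
        recent_fails[user].clear()  # a success resets the counter
        if device not in baseline.get(user, set()):
            findings.append((user, "new_device",
                             f"first sign-in from {device} ({ip})"))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS, BASELINE):
        print(*finding)
```

In a real environment the baseline would come from historical sign-in data and the events from your identity provider's logs; the point is that both patterns are invisible to a signature-based check and obvious to a behavioral one.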
