2026 H1 Threat Landscape: Ransomware TTPs, KEV Exploitation Rates, and Emerging Vectors
Ransomware operators reduced median dwell time to 4.3 days in H1 2026. KEV exploitation windows shrank to under 72 hours for 38% of new entries. This report analyses the data and maps it to defender actions.
This report covers threat activity observed and aggregated across Threatstealth-monitored environments and open-source intelligence feeds from January 1 to May 15, 2026. All statistics reflect telemetry from endpoint agents, WAF event logs, and third-party CTI integration.
Executive Summary
Three trends dominate the H1 2026 threat landscape: (1) ransomware operators have accelerated initial access to encryption timelines, compressing median dwell time to 4.3 days; (2) 38% of CISA KEV additions in Q1 2026 saw active exploitation within 72 hours of NVD publication; (3) living-off-the-land binary (LOLBAS) abuse reached its highest prevalence since measurement began in 2022, accounting for 67% of post-compromise persistence detections.
Ransomware: Operational Tempo and TTP Evolution
The most significant operational shift in H1 2026 ransomware is speed. Historically, ransomware operators spent days to weeks establishing persistence, conducting internal reconnaissance, and exfiltrating data before deploying encryption. In H1 2026, the median time from initial access to encryption was 4.3 days — down from 5.8 days in H2 2025 and 9.2 days in H1 2024.
This acceleration is attributable to three factors: improved initial access brokers (IABs) providing pre-validated, privileged access; increased use of automated post-exploitation frameworks that execute reconnaissance and lateral movement concurrently; and a shift toward opportunistic targeting of known-vulnerable exposed services rather than spear-phishing campaigns that require operator attention.
- LockBit 4.0 affiliates: median 3.1 days initial access → encryption in monitored incidents
- Black Basta: continued double-extortion with accelerated exfiltration via Rclone before encryption
- Akira: targeting VPN appliances as primary initial access vector — 71% of incidents in H1 2026
- Medusa: increased use of PsExec and WMI for lateral movement — LOLBAS preferred over custom tooling
- New entrant — SilkMoth: first observed Q2 2026, targeting healthcare; uses living-off-the-land exclusively
KEV Exploitation Window Analysis
CISA added 94 CVEs to the Known Exploited Vulnerabilities catalogue in Q1 2026. Of those, 36 (38%) had confirmed exploitation activity detected within 72 hours of NVD publication. This represents a meaningful increase from the 22% rate observed in Q1 2025.
The fastest exploited were network device vulnerabilities — specifically VPN appliances and network edge devices — where CVE-to-exploitation windows averaged 18 hours. Web application framework vulnerabilities averaged 54 hours. Server-side vulnerabilities averaged 98 hours.
| Category | KEV entries added | Exploited <72h | <72h rate | Median window |
|---|---|---|---|---|
| Network/VPN appliances | 18 | 14 | 78% | 18 hours |
| Web frameworks / CMSs | 22 | 11 | 50% | 54 hours |
| Server-side (OS/services) | 31 | 8 | 26% | 98 hours |
| Client-side (browsers/Office) | 14 | 2 | 14% | 162 hours |
| Cloud/SaaS services | 9 | 1 | 11% | 201 hours |
Living-Off-the-Land (LOTL) Prevalence
LOLBAS abuse — using legitimate Windows binaries to execute malicious actions — was present in 67% of post-compromise incidents in H1 2026. The top abused binaries were certutil (39%), mshta (31%), regsvr32 (28%), wmic (24%), and rundll32 (21%). All five have published MITRE ATT&CK sub-technique entries and viable Sigma detection rules; the persistence of their abuse reflects inconsistent rule deployment rather than detection gaps.
- certutil — used for encoded payload download and certificate store manipulation
- mshta — used to execute VBScript/JScript payloads from remote URLs
- regsvr32 — COM scriptlet execution bypassing AppLocker in default configurations
- wmic — lateral movement via WMI process creation on remote hosts
- rundll32 — shellcode injection via undocumented exports
Three Emerging Vectors to Track in H2 2026
Based on H1 telemetry and early threat actor signals, three vectors are expected to gain prominence in H2 2026: (1) MCP server compromise — attackers targeting Model Context Protocol servers as a pathway into AI agent tool execution environments; (2) CI/CD pipeline poisoning via dependency confusion targeting private registry namespaces; (3) OAuth 2.0 token theft via open redirects in enterprise SaaS integrations, enabling persistent access without credential compromise.
Defender Actions
Prioritise KEV-listed CVEs with exploitation windows under 72 hours — treat them as zero-days from the moment of NVD publication. Deploy Sigma rules for the top-5 LOLBAS binaries on every SIEM; all have high-fidelity detections available on the Sigma HQ repository. For ransomware acceleration, focus on reducing attacker discovery speed: disable SMB null sessions, enforce SMB signing, and alert on internal network scans regardless of source host.
- Patch KEV network/VPN appliance entries within 24 hours — not the standard 14-day CISA deadline
- Deploy LOLBAS Sigma rules to SIEM: certutil, mshta, regsvr32, wmic, rundll32
- Enable Wazuh file integrity monitoring on %SystemRoot%\System32 for LOLBAS binary modification
- Segment CI/CD pipeline networks and enforce OIDC-based authentication for all pipeline runners
- Audit MCP server configurations: enforce tool-call allowlists and log all tool invocations