$13.82 trillion. That’s the projected annual cost of global cybercrime by the year 2028. However, with cybercriminals constantly sharpening their skills and honing new attacks, the actual cost could easily be much higher.
You need to attack potential digital threats from many angles. Remaining up to date on industry trends and the latest hacker tactics, techniques, and procedures (TTPs) is one of the simplest ways to know what you’re up against and stay protected.
According to Cybersecurity Ventures, if annual cybercrime were a country, it would have the third-largest gross domestic product (GDP) worldwide after the United States and China. These staggering statistics underscore the alarming reality that cybercriminals have turned data into valuable currency.
In 2025, researchers uncovered what is believed to be one of the largest data exposures on record, with billions of credentials leaked through infostealer malware campaigns. The data, aggregated from thousands of compromised systems, highlighted how credential theft at a massive scale can silently fuel account takeovers, ransomware, fraud, and downstream attacks across countless organizations.
A 2025 cyberattack on Jaguar Land Rover was estimated to have cost the British economy £1.9 billion (US$2.5 billion), making it one of the most economically damaging cyber incidents in UK history. The attack halted vehicle production for weeks and triggered widespread delays across JLR’s supply chain, demonstrating how a single cyber event can cascade into large-scale operational disruption, third-party impact, and long-term financial loss.
Together, these incidents highlight how cyberattacks are growing not only in frequency but in scale and consequence. Staying informed about industry trends and the latest TTPs employed by hackers is a fundamental step in ensuring your protection. To help with this, we’ve compiled a list of the 10 most common cybersecurity threats you’re likely to face in 2026 and what you can do to protect against them.
Ransomware remains one of the most disruptive and financially damaging cyberthreats. In 2025, ransomware activity surged to record levels, reversing earlier declines and peaking in the fourth quarter. Looking ahead, Cybersecurity Ventures predicts that global ransomware damage costs will reach $250 billion annually by 2031, with a new attack every two seconds as perpetrators progressively refine their malware payloads and related extortion activities.
Rather than relying on novel exploits or custom malware, attackers increasingly focused on speed, access, and operational disruption. For many threat actors, ransomware is the endgame. Successful ransomware operations typically follow earlier access gained through identity abuse, remote access compromise, or user-mediated execution. Once attackers secure reliable access, they move quickly to maximize impact before defenders can respond.
Many threat actors have expanded their ransomware game to include data theft and extortion, a technique known as double extortion. Attackers increasingly exfiltrate data early in the intrusion lifecycle and use leak sites as a primary negotiating tool, shortening timelines and limiting defenders’ ability to respond before impact.
As we mentioned in our 2025 MSP Threat Report, data extortion as a standalone strategy has also been growing. In Q4 2025, the Cl0p ransomware gang exploited an Oracle E-Business Suite 0-day to steal data from dozens of organizations and then threatened to leak the stolen data unless a ransom was paid. Recent reports show data extortion incidents increased 11X in 2025.
2025 ransomware example
In 2025, DaVita, a major US healthcare provider, disclosed a ransomware attack that disrupted internal systems and forced the organization to isolate affected environments while remediation was underway. Although patient care continued, the incident required rapid containment and system restoration to maintain operations. Public reporting showed attackers moved quickly once access was established, prioritizing disruption over stealth.
How to defend against ransomware
Defending against ransomware requires focusing on both prevention and recovery. Managed service providers (MSPs) and IT teams must disrupt attackers earlier in the attack lifecycle while ensuring they can restore operations even when prevention fails.
Identity threats, also referred to as identity-based attacks, occur when attackers gain access by abusing legitimate credentials, authentication tokens, or trusted user identities rather than exploiting software vulnerabilities or deploying malware. These attacks have emerged as one of the most prevalent and consequential attack patterns today.
In 2025, attackers didn’t break in; they logged in. Valid usernames and passwords, stolen session tokens, and compromised identity credentials provided threat actors with immediate access to environments that appeared legitimate to security tools. Once authenticated, their malicious activity often blends into normal user behavior, bypassing traditional perimeter and endpoint defenses.
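Because a valid login looks legitimate to the perimeter, detection has to come from comparing each authentication against what is normal for that user. The script below is an added illustration, not ConnectWise code: it builds a per-user baseline of countries and devices from older successful logins and then scores newer logins for a never-seen country, a never-seen device, and a country change within one hour of the previous login. Every log record, user name and threshold is constructed sample data.

```python
"""Flag identity-abuse signals in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp, user, source country, device id, result
BASELINE_LOGS = [
    "2025-10-01T08:02:11Z alice US dev-a1 success",
    "2025-10-02T08:10:43Z alice US dev-a1 success",
    "2025-10-03T07:58:02Z alice US dev-a2 success",
    "2025-10-01T09:15:30Z bob DE dev-b1 success",
    "2025-10-02T09:20:05Z bob DE dev-b1 success",
]

NEW_LOGS = [
    "2025-11-04T08:05:00Z alice US dev-a1 success",   # matches baseline
    "2025-11-04T08:40:00Z alice BR dev-x9 success",   # new country and device, 35 min later
    "2025-11-04T09:00:00Z bob DE dev-b1 failure",     # failures are not scored
    "2025-11-04T09:00:30Z bob DE dev-b1 success",     # matches baseline
    "2025-11-05T02:00:00Z bob DE dev-b7 success",     # new device only
]

# A country change faster than this between two logins is treated as suspicious (constructed value)
RAPID_CHANGE_WINDOW = timedelta(hours=1)


def parse(line):
    ts, user, country, device, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "country": country, "device": device, "result": result,
    }


def build_baseline(lines):
    """Per-user sets of countries and devices seen in successful logins."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set()})
    for ev in map(parse, lines):
        if ev["result"] == "success":
            seen[ev["user"]]["countries"].add(ev["country"])
            seen[ev["user"]]["devices"].add(ev["device"])
    return seen


def score_logins(baseline, lines):
    """Return {(user, iso_timestamp): [signals]} for successful logins that deviate."""
    last_success = {}   # user -> (timestamp, country) of the previous successful login
    findings = {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        user = ev["user"]
        profile = baseline.get(user, {"countries": set(), "devices": set()})
        signals = []
        if ev["country"] not in profile["countries"]:
            signals.append("new_country")
        if ev["device"] not in profile["devices"]:
            signals.append("new_device")
        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= RAPID_CHANGE_WINDOW:
            signals.append("rapid_location_change")
        if signals:
            findings[(user, ev["ts"].isoformat())] = signals
        last_success[user] = (ev["ts"], ev["country"])
    return findings


if __name__ == "__main__":
    for key, signals in score_logins(build_baseline(BASELINE_LOGS), NEW_LOGS).items():
        print(key, signals)
```

Each signal alone is weak (travel and hardware refreshes are routine), so in practice the output feeds a conditional access or step-up authentication decision rather than an automatic block; the combination of all three on a single login is the case worth paging on.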
How to defend against identity threats
Defending against identity abuse requires shifting focus from blocking payloads to continuously validating access. MSPs and IT teams should treat identity as a core security control plane and apply layered defenses to reduce the risk of credential abuse.
Key defensive measures include:
VPN compromise remains one of the most reliable and repeatable ways attackers gain access. As organizations expanded hybrid work and third-party access, VPNs became high-value targets, especially when paired with weak authentication, inherited configurations, or delayed patching.
2025 VPN compromise example
One of the most impactful examples observed in 2025 involved the exploitation of SonicWall SSL VPN infrastructure. The weakness exploited allowed attackers to log in with valid credentials even when MFA was enabled. Several of these incidents resulted in full domain compromise in under two hours.
How to defend against VPN compromise
Living-off-the-land (LotL) attacks are a class of cyberattacks in which threat actors abuse legitimate system tools, administrative utilities, and trusted software already present in the environment to carry out malicious activity. Rather than introducing custom malware, attackers “live off” the tools defenders already trust.
In MSP environments, living-off-the-land attacks often involve the abuse of RMM solutions and remote access tools. Once attackers gain access, these trusted tools allow them to execute commands, deploy payloads, disable security controls, and move laterally while appearing indistinguishable from legitimate IT activity.
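The practical control against RMM abuse is knowing which remote access product each client is supposed to run and alerting on anything else, including an approved tool launched from a user-writable location rather than its installed path. The script below is an added illustration, not ConnectWise code: the catalogue of tool executables is a small illustrative subset, and the client-to-tool mapping, hostnames and process events are constructed.

```python
"""Audit process-creation events for remote access tools that are not the
approved RMM for a client, or that run from an unexpected path (added example)."""

# Executable name -> product; lower-case for matching (illustrative subset, not exhaustive)
RMM_CATALOGUE = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
}

# Which product each managed client is contracted to run (constructed)
APPROVED_RMM = {
    "client-acme": {"ScreenConnect"},
    "client-globex": {"Atera"},
}

# Path fragments that indicate a user-writable location rather than an installer target
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed events: client | hostname | image path | parent process
EVENTS = [
    r"client-acme|WS01|C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe|services.exe",
    r"client-acme|WS02|C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe|explorer.exe",
    r"client-acme|WS03|C:\Windows\System32\svchost.exe|services.exe",
    r"client-acme|WS04|C:\Users\jdoe\Downloads\ScreenConnect.ClientService.exe|explorer.exe",
    r"client-globex|SRV01|C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe|services.exe",
    r"client-globex|WS07|C:\Users\Public\rustdesk.exe|cmd.exe",
]


def parse_event(line):
    client, host, image, parent = line.split("|")
    return {"client": client, "host": host, "image": image, "parent": parent}


def audit_rmm_usage(lines, catalogue=RMM_CATALOGUE, approved=APPROVED_RMM):
    """Return (client, host, product, reasons) for every remote access tool
    that is either not approved for that client or running from a user-writable path."""
    findings = []
    for ev in map(parse_event, lines):
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        product = catalogue.get(exe)
        if product is None:
            continue                      # not a remote access tool we track
        reasons = []
        if product not in approved.get(ev["client"], set()):
            reasons.append("unapproved_remote_access_tool")
        if any(marker in ev["image"].lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("user_writable_path")
        if reasons:
            findings.append((ev["client"], ev["host"], product, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit_rmm_usage(EVENTS):
        print(*finding)
```

Matching on the executable name alone is deliberately simple; in production the same check is stronger when keyed on the binary's code-signing publisher, which survives a rename, and when the "approved path" is the exact install directory the RMM's deployment policy uses.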
2025 LotL attack example
In mid-2025, the SharePoint ToolShell campaign highlighted how modern attackers combine initial access with living-off-the-land techniques to remain stealthy. After exploiting weaknesses in on-premises Microsoft SharePoint servers to gain execution, threat actors relied primarily on legitimate system tools and built-in Windows binaries to persist, move laterally, and evade detection. By operating almost entirely through trusted utilities already present in the environment, the attackers blended into normal administrative activity, making the intrusion difficult to detect until follow-on actions occurred.
How to defend against living-off-the-land attacks
Supply chain attacks occur when threat actors compromise trusted software, vendors, or update mechanisms to gain indirect access to downstream environments. Instead of attacking organizations directly, attackers target the tools, services, and dependencies that those organizations already trust and rely on.
2025 supply chain attack example
In September 2025, CISA released an alert regarding a “widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com.” By injecting backdoors into trusted JavaScript libraries, threat actors were able to impact thousands of developers and organizations that unknowingly pulled the compromised packages into their applications through routine dependency updates.
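Routine dependency updates are exactly where a backdoored package slips in, so the lockfile is the place to enforce policy before `npm ci` runs. The script below is an added illustration, not ConnectWise's or npm's code: it audits a lockfile (v3 layout) for packages resolved from a host other than the official registry, entries missing an integrity hash, packages that declare install-time scripts (the `hasInstallScript` flag npm records), and versions on a blocklist. The lockfile content, the package names, the integrity strings and the blocklist entries are all constructed placeholders.

```python
"""Policy checks over a package-lock.json before dependencies are installed (added example)."""
import json
from urllib.parse import urlparse

# Constructed lockfile; package names and integrity values are placeholders
SAMPLE_LOCK = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"left-pad-ish": "^1.0.0", "colorize-ish": "^2.1.0"}},
    "node_modules/left-pad-ish": {
      "version": "1.0.4",
      "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.4.tgz",
      "integrity": "sha512-PLACEHOLDERAAAA"
    },
    "node_modules/colorize-ish": {
      "version": "2.1.7",
      "resolved": "https://registry.npmjs.org/colorize-ish/-/colorize-ish-2.1.7.tgz",
      "integrity": "sha512-PLACEHOLDERBBBB",
      "hasInstallScript": true
    },
    "node_modules/mirror-dep": {
      "version": "0.3.0",
      "resolved": "https://mirror.example.net/mirror-dep-0.3.0.tgz"
    }
  }
}"""

TRUSTED_HOSTS = {"registry.npmjs.org"}          # add an internal proxy here if one is used
BLOCKED_VERSIONS = {"colorize-ish": {"2.1.7"}}  # constructed placeholder, not a real advisory


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text, trusted_hosts=TRUSTED_HOSTS, blocked=BLOCKED_VERSIONS):
    """Return (name, version, reason) tuples for every policy violation found."""
    lock = json.loads(text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue                              # the root project entry
        name, version = package_name(path), meta.get("version", "?")
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((name, version, "missing_resolved"))
        else:
            host = urlparse(resolved).hostname
            if host not in trusted_hosts:
                findings.append((name, version, f"untrusted_registry:{host}"))
        if not meta.get("integrity"):
            findings.append((name, version, "missing_integrity"))
        if meta.get("hasInstallScript"):
            findings.append((name, version, "install_script"))   # review before allowing
        if version in blocked.get(name, set()):
            findings.append((name, version, "blocked_version"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Wired into CI as a gate that fails the build on any finding, this catches the two things a compromised package typically needs: a tarball that differs from the one the lockfile pinned, and a lifecycle script that runs at install time. Running installs with `--ignore-scripts` and reviewing flagged packages by hand closes the remaining gap.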
How to defend against supply chain attacks
Trojanized software and potentially unwanted programs (PUPs) refer to legitimate-looking applications or installers that have been modified, bundled, or repurposed to perform malicious actions once executed. Unlike traditional malware, these programs often appear trusted, signed, or commonly used, allowing them to bypass security controls and gain a foothold inside IT environments.
2025 trojanized software example
In 2025, researchers identified EvilAI, a trojanized application posing as a legitimate AI tool. Once installed, the software abused trusted system components to execute malicious code, establish persistence, and communicate externally while evading detection. By leveraging interest in AI tools, attackers increased the likelihood of installation and bypassed traditional security controls, highlighting how trojanized software can blend into normal activity within MSP-managed environments.
How to defend against trojanized software and PUPs
Social engineering attacks exploit human behavior rather than technical vulnerabilities, using deception, trust, and urgency to manipulate users into taking actions that benefit attackers. These attacks remain one of the most effective and adaptable tactics because they bypass traditional security controls by targeting the decision-making process of users instead of systems.
In modern environments, social engineering has evolved beyond simple phishing emails. Attackers now focus on inducing users to authenticate, approve access, or manually execute commands using trusted tools and workflows. This shift has made social engineering a primary driver of initial access in many 2025 intrusion campaigns, especially when combined with user-mediated execution techniques.
2025 social engineering attack example
Throughout 2025, ClickFix attacks emerged as one of the most reliable and repeatable initial access methods observed across multiple intrusion campaigns. Rather than relying on exploitation or malicious attachments, ClickFix attacks manipulate users into manually executing attacker-provided commands under the pretense of routine verification steps, CAPTCHAs, browser prompts, or security-related actions.
ClickFix does not represent a single lure or campaign style, but a general execution pattern that can be adapted to different themes, interfaces, and delivery contexts. Variants such as FileFix reframed manual execution as a required step to open or repair a downloaded document, while ConsentFix extended the same copy-and-paste social engineering model into browser-based identity workflows by abusing legitimate OAuth consent and authorization flows within the browser rather than delivering endpoint malware.
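Because ClickFix and FileFix end with the user pasting a command into the Run dialog or the File Explorer address bar, the resulting process tree is a script host whose parent is explorer.exe, carrying arguments a person would not type by hand. The detector below is an added illustration, not ConnectWise code: it scores process-creation events by that parent relationship plus command-line cues, and alerts when the score reaches a threshold. The events, the placeholder host names and the redacted payload are constructed; the cue list is illustrative.

```python
"""Score process-creation events for the ClickFix/FileFix execution pattern (added example)."""
import re

SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "msiexec.exe",
}

# Run dialog and File Explorer address bar both spawn children under explorer.exe
RUN_DIALOG_PARENTS = {"explorer.exe"}

# (label, regex over the command line); cues a user would not type interactively
CUES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+\S+", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("inline_download_execute", re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod|downloadstring)\b", re.I)),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
]

ALERT_THRESHOLD = 2   # parent relationship alone (score 1) is normal admin behaviour

# Constructed events: parent image | child image | command line
EVENTS = [
    "explorer.exe|powershell.exe|powershell -w hidden -enc REDACTEDBASE64==",
    "explorer.exe|mshta.exe|mshta http://placeholder.invalid/verify",
    "explorer.exe|notepad.exe|notepad.exe C:\\notes.txt",
    "cmd.exe|powershell.exe|powershell Get-Service",
    "explorer.exe|powershell.exe|powershell.exe",
]


def detect_clickfix(lines, threshold=ALERT_THRESHOLD):
    """Return a list of {child, score, signals} for events at or above the threshold."""
    hits = []
    for line in lines:
        parent, child, cmdline = line.split("|", 2)
        if child.lower() not in SCRIPT_HOSTS:
            continue
        signals = []
        if parent.lower() in RUN_DIALOG_PARENTS:
            signals.append("run_dialog_parent")
        for label, pattern in CUES:
            if pattern.search(cmdline):
                signals.append(label)
        if len(signals) >= threshold:
            hits.append({"child": child, "score": len(signals), "signals": signals})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(EVENTS):
        print(hit)
```

The same signals are worth correlating with the clipboard and RunMRU history on the host, since the pasted text is the user's own record of what the lure asked for; that context turns an alert into a teachable moment for the user rather than just a containment task.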
How to defend against social engineering
While phishing has long been a core social engineering technique, the introduction of AI has fundamentally changed its impact. AI-enabled phishing attacks allow threat actors to rapidly generate convincing lures at scale, closely mimicking legitimate users, communications, and workflows. As a result, phishing has become more accessible, more effective, and more difficult to detect, justifying its treatment as a distinct threat category.
How to defend
Defense evasion refers to the tools and techniques attackers use to bypass, disable, or degrade cybersecurity defenses to operate undetected. In modern attacks, it is a deliberate and early-stage objective designed to blind defenders before more disruptive actions occur.
2025 defense evasion example
Defendnot, an EDR killer, represented one of the most advanced examples of defense evasion observed in 2025. The malware was specifically engineered to bypass modern security controls, including runtime attestation and kernel-level integrity checks that are designed to detect tampering and unauthorized behavior. By operating below traditional detection thresholds, Defendnot was able to persist and execute without triggering alerts from endpoint protection tools.
How to defend against defense evasion
Backup and recovery systems have become prime targets for attackers seeking to maximize impact and extortion leverage. Rather than encrypting endpoints alone, modern ransomware operators increasingly attempt to disable, delete, or corrupt backups early in the attack lifecycle to prevent recovery.
How to defend against backup and recovery attacks
Here are a few best practices you can follow internally to minimize the chances of one of these attacks infiltrating your clients’ systems:
As always, ConnectWise is here to help with a variety of cybersecurity solutions for MSPs. Request a demo of our cybersecurity suite or talk to a cybersecurity expert today to see how we can help you protect your business and your clients.
The top 10 cybersecurity threats right now are:
There is a cyberattack every 39 seconds, according to a 2007 Clark School study at the University of Maryland. This translates to roughly 2,215 cyberattacks per day.
There are several steps you can take to protect yourself against cyberattacks:
Denial of service (DoS) and distributed denial of service (DDoS) are both types of cyberattacks that aim to disrupt the availability of a targeted system or network. In a DoS attack, the attacker overwhelms the target with a flood of traffic or requests, rendering it unable to respond to legitimate users. This is typically achieved by exploiting vulnerabilities in the target’s infrastructure or by consuming its resources, such as bandwidth or processing power.
On the other hand, a DDoS attack involves multiple compromised devices forming a botnet to launch the attack simultaneously. These devices, often referred to as “zombies,” are controlled remotely by the attacker. By coordinating the attack from multiple sources, the attacker can generate an even larger volume of traffic or requests, making it more challenging for the target to mitigate the attack.
The key difference between DoS and DDoS attacks lies in the number of sources used to overwhelm the target. While a DoS attack originates from a single source, a DDoS attack leverages multiple sources, making it more difficult to defend against. DDoS attacks are often more powerful and can cause more significant disruptions due to the increased volume of traffic or requests involved.
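The distinction in source count is also what a defender measures first, because it decides the response: a single-source flood can be dropped by blocking one address, while a distributed flood needs rate limiting or upstream scrubbing. The script below is an added illustration, not part of the original article: it buckets requests into ten-second windows and labels each window by total volume, the share of traffic from the top source, and the number of distinct sources. The request log is generated inline as constructed sample data and the thresholds are constructed values.

```python
"""Classify request bursts as single-source (DoS) or distributed (DDoS) floods (added example)."""
from collections import Counter, defaultdict

WINDOW_SECONDS = 10
RATE_THRESHOLD = 500           # requests per window beyond normal load (constructed)
SINGLE_SOURCE_SHARE = 0.8      # one IP sending >= 80% of a flood -> single-source
MIN_DISTRIBUTED_SOURCES = 50   # at least this many IPs in a flood -> distributed


def make_sample_requests():
    """Constructed (epoch_second, source_ip) tuples: 10 s normal, 10 s DoS, 10 s DDoS."""
    reqs = []
    for t in range(0, 30):
        for i in range(20):                         # background: 20 clients, 1 req/s each
            reqs.append((t, f"10.0.0.{i + 1}"))
        if 10 <= t < 20:                            # one host hammering at 90 req/s
            reqs.extend((t, "198.51.100.7") for _ in range(90))
        if 20 <= t < 30:                            # 100 bots, 1 req/s each
            reqs.extend((t, f"203.0.113.{b}") for b in range(100))
    return reqs


def classify_windows(requests, window=WINDOW_SECONDS):
    """Return {window_index: {label, total, sources, top_source, top_share}}."""
    windows = defaultdict(Counter)
    for ts, ip in requests:
        windows[ts // window][ip] += 1
    result = {}
    for idx in sorted(windows):
        counts = windows[idx]
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if total <= RATE_THRESHOLD:
            label = "normal"
        elif top_n / total >= SINGLE_SOURCE_SHARE:
            label = "dos_single_source"
        elif len(counts) >= MIN_DISTRIBUTED_SOURCES:
            label = "ddos_distributed"
        else:
            label = "elevated"                      # above threshold but no clear pattern
        result[idx] = {
            "label": label, "total": total, "sources": len(counts),
            "top_source": top_ip, "top_share": round(top_n / total, 3),
        }
    return result


def recommended_action(summary):
    """Map a window classification to the first-line mitigation."""
    return {
        "dos_single_source": f"block source {summary['top_source']}",
        "ddos_distributed": "apply per-source rate limit and engage upstream scrubbing",
        "elevated": "watch; tighten rate limit if sustained",
        "normal": "none",
    }[summary["label"]]


if __name__ == "__main__":
    for idx, summary in classify_windows(make_sample_requests()).items():
        print(idx, summary, "->", recommended_action(summary))
```

The thresholds are the part to tune per service: the rate threshold should sit above the busiest legitimate window seen in the last few weeks, and the source-count floor should exceed the number of distinct clients the service normally sees in one window, otherwise a flash crowd is misread as a botnet.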