TL;DR
- The time between initial compromise and secondary attacker hand-off collapsed from 8 hours (2022) to 22 seconds (2025)
- Prior compromise is now the #1 initial infection vector for ransomware, accounting for 30% of attacks
- Initial access brokers use AI-generated phishing to establish footholds, then immediately hand off to ransomware groups
- SMBs must treat low-impact alerts as critical indicators and isolate critical control planes
The Hand-Off Window Has Collapsed
In 2022, after an attacker first gained access to a victim network, a median of 8 hours passed before a secondary threat group took over to execute the final attack—typically ransomware deployment. In 2025, that window collapsed to 22 seconds [1].
This finding from Mandiant's M-Trends 2026 report signals a fundamental shift in cybercriminal operations.
For SMBs, the implications are stark. The "we have time to respond" assumption is dead. When an initial access alert fires, you don't have hours to investigate. You have seconds before the next threat actor arrives.
The Cybercrime Supply Chain
Mandiant's research documents a maturing cybercrime ecosystem with distinct specializations:
Initial Access Brokers
These groups focus purely on getting in. Techniques include:
- Malicious advertisements
- ClickFix social engineering (fake browser update prompts)
- AI-generated phishing campaigns
- Exploitation of unpatched vulnerabilities
They deliberately avoid noisy, high-impact actions that might trigger detection. Their goal is persistent, quiet access—not data theft or disruption.
Secondary Threat Groups
These are the ransomware operators. They receive access from initial access brokers and immediately execute:
- Large-scale data exfiltration for double-extortion
- Backup infrastructure destruction
- Identity system compromise
- Ransomware deployment across the environment
The 22-second hand-off means these groups are essentially pre-staged. Initial access brokers aren't just providing credentials—they're installing tunnels, dropping malware payloads, and configuring persistence mechanisms so secondary actors can operate immediately.
Why This Shift: Economics
For cybercriminals, specialization increases efficiency. An initial access broker can compromise 100 organizations using the same phishing campaign, then sell access to multiple ransomware groups. Ransomware operators don't need to invest in reconnaissance or initial exploitation—they focus purely on maximizing extortion value.
Prior Compromise: The New #1 Attack Vector
The collateral effect of this hand-off acceleration is that prior compromise—where attackers leverage existing access from a previous intrusion—has become the dominant initial infection vector for ransomware. In 2025, it accounted for 30% of ransomware attacks, doubling from 15% in 2024 [1].
For SMBs, this creates a vicious cycle:
- You suffer a minor compromise that goes undetected (or is deemed "low impact")
- Initial access brokers sell your access to ransomware groups
- Months later, ransomware operators use that existing access to deploy encryption
- You discover the breach only when ransomware hits—but the initial access occurred months ago
Mandiant found that global median dwell time—the duration attackers remain undetected—rose to 14 days in 2025 [1]. But for cyber espionage and nation-state incidents, median dwell time reached 122 days. Attackers are living in your network for months before you notice.
How SMBs Are Targeted
SMBs often assume they're too small to warrant access broker attention. But the economics of the cybercrime supply chain don't discriminate by size:
Volume Over Value
Initial access brokers optimize for scale. AI-generated phishing campaigns can target thousands of SMBs with minimal incremental cost. Your business doesn't need to be a high-value target—you just need to be vulnerable enough to be worth adding to the catalog.
The MSP Vector
Managed Service Providers (MSPs) are particularly attractive targets. Compromise one MSP with 1,000 SMB clients, and you immediately have 1,000 potential access sales. Mandiant documented attackers compromising third-party SaaS vendors to steal hard-coded keys and tokens, then pivoting into downstream customer environments [1].
Ransomware as a Service
Ransomware groups increasingly operate as franchised operations. Initial access brokers feed a pipeline of compromised networks into multiple ransomware "affiliates" who execute attacks and share profits with the core group. This model scales regardless of victim size.
Building Resilience Against Accelerated Attacks
Treat Low-Impact Alerts as Critical
Mandiant is explicit: "With hand-off times shrinking to seconds, security teams must restructure response playbooks. Treat routine malware alerts as high-priority indicators of an impending secondary intrusion, and remediate before interactive hands-on-keyboard operations begin" [1].
For SMBs without 24/7 security teams, this means:
- Automated isolation: Configure endpoint detection to automatically isolate devices exhibiting suspicious behavior.
- Zero-trust architecture: Assume breach. Segment networks so that compromised credentials or devices can't access critical systems.
- Rapid response playbooks: Pre-defined procedures for common scenarios (phishing report, suspicious endpoint, anomalous login) that execute within minutes, not hours.
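The escalation rule and playbook dispatch described above, written out as an added example (this is not code from the page, from Mandiant or from any vendor product). Alert categories, playbook step names and the five-minute containment budget are assumptions constructed for the example; the point it demonstrates is that a vendor-labelled "low" malware alert is promoted to critical and isolated, and that an alert whose containment deadline has already passed widens the response on the assumption the hand-off has happened.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Alert categories promoted to critical regardless of vendor severity: in the
# hand-off model these are the traces an initial access broker leaves before
# the secondary group arrives. Category names are constructed for this example.
HANDOFF_PRECURSORS = {"malware", "persistence", "tunnel", "anomalous_login"}

# Playbook steps per category (step names are assumptions for this example;
# map them onto the actions your EDR and identity provider actually expose).
PLAYBOOKS = {
    "malware": ["isolate_host", "collect_triage_package", "reset_user_password"],
    "persistence": ["isolate_host", "snapshot_for_forensics", "review_autoruns"],
    "tunnel": ["isolate_host", "block_destination", "hunt_tunnel_fleetwide"],
    "anomalous_login": ["revoke_sessions", "reset_user_password", "review_mfa_devices"],
    "phishing_report": ["purge_message_fleetwide", "block_sender", "check_for_clicks"],
}

@dataclass
class Alert:
    ts: datetime
    host: str
    category: str
    vendor_severity: str  # severity as labelled by the EDR/SIEM, e.g. "low"

@dataclass
class Decision:
    alert: Alert
    severity: str
    actions: List[str] = field(default_factory=list)
    deadline: Optional[datetime] = None  # by when containment must be done

def triage(alert: Alert, budget: timedelta = timedelta(minutes=5)) -> Decision:
    """Escalate hand-off precursors to critical and attach their playbook.

    `budget` is the containment SLA used in this example (a policy value,
    not a figure from the report); other alerts keep their vendor severity."""
    if alert.category in HANDOFF_PRECURSORS:
        return Decision(alert, "critical", list(PLAYBOOKS[alert.category]),
                        alert.ts + budget)
    return Decision(alert, alert.vendor_severity,
                    list(PLAYBOOKS.get(alert.category, ["open_ticket"])))

def process(alerts: List[Alert], now: datetime) -> List[Decision]:
    """Triage a batch. If a critical alert's deadline has already passed,
    assume the hand-off happened and widen the response to the whole fleet."""
    decisions = []
    for a in alerts:
        d = triage(a)
        if d.deadline is not None and now > d.deadline:
            d.actions.append("hunt_fleetwide_for_same_indicators")
        decisions.append(d)
    return decisions

def hosts_to_isolate(decisions: List[Decision]) -> List[str]:
    """Hosts whose playbook contains an isolation step."""
    return sorted({d.alert.host for d in decisions if "isolate_host" in d.actions})

# Constructed sample batch: a "low" malware alert, a tunnel alert on the same
# host, and a user-submitted phishing report on another host.
SAMPLE_ALERTS = [
    Alert(datetime(2025, 6, 1, 9, 0, 0), "WS-017", "malware", "low"),
    Alert(datetime(2025, 6, 1, 9, 0, 30), "WS-017", "tunnel", "medium"),
    Alert(datetime(2025, 6, 1, 9, 1, 0), "WS-033", "phishing_report", "low"),
]
NOW = datetime(2025, 6, 1, 9, 2, 0)      # two minutes after the first alert
LATER = datetime(2025, 6, 1, 9, 10, 0)   # well past the containment budget

if __name__ == "__main__":
    for d in process(SAMPLE_ALERTS, now=NOW):
        print(d.alert.host, d.alert.category, d.severity, d.actions)
    print("isolate:", hosts_to_isolate(process(SAMPLE_ALERTS, now=NOW)))
```

The `process` call is what an automation hook (SIEM webhook, EDR rule action) would invoke; `hosts_to_isolate` is the list handed to the EDR's isolation API. The fleet-wide hunt step on overdue alerts is the practical consequence of the 22-second figure: if containment did not happen inside the budget, the host alone is no longer the scope.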
Isolate Critical Control Planes
Mandiant warns that attackers are targeting "Tier-0 assets"—infrastructure that controls your entire environment. These include:
- Virtualization management platforms (VMware vSphere, Hyper-V)
- Backup and recovery systems
- Identity providers (Active Directory, Entra ID)
- Remote monitoring and management (RMM) tools
Protective measures:
- Separate administration networks: Don't manage hypervisors or backup systems from the same network used for general computing.
- Just-in-time access: Grant admin privileges only when needed, revoke immediately after.
- Decouple backup environments: Mandiant recommends backup environments "decoupled from the corporate Active Directory domain and utilizing immutable storage" [1].
Shift From Static IOCs to Behavioral Detection
Attackers rapidly change infrastructure and deploy custom, in-memory malware. Relying on static indicators of compromise (IOCs)—specific file hashes, IP addresses, domain names—is no longer sufficient.
Behavioral detection capabilities include:
- Anomaly detection: Flag deviations from established baselines (unusual login times, atypical data access volumes, lateral movement).
- EDR telemetry: Deploy endpoint detection and response tools that identify suspicious process chains and execution patterns.
- Network analysis: Monitor for unusual network traffic patterns, including data exfiltration and command-and-control communications.
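Two of the behavioral checks listed above (off-hours logins against a per-user baseline, and one account authenticating to several hosts in a short window as a lateral-movement signal) run over constructed authentication log lines, as an added example that is not part of the page and not a product's detection logic. The log format, the thresholds (three hosts in ten minutes) and the baseline cut-off date are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
# <ISO timestamp> auth host=<host> user=<user> result=<success|failure> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$")

# Constructed sample: j.smith normally logs in during office hours; the backup
# service account normally runs at 03:00; on 5 March j.smith's account hits
# three servers in two minutes at 02:13.
SAMPLE_LOG = """\
2025-03-02T09:02:11Z auth host=WS-042 user=j.smith result=success src=10.0.5.23
2025-03-03T10:15:40Z auth host=WS-042 user=j.smith result=success src=10.0.5.23
2025-03-02T03:00:05Z auth host=BK01 user=svc-backup result=success src=10.0.9.8
2025-03-03T03:00:04Z auth host=BK01 user=svc-backup result=success src=10.0.9.8
2025-03-05T03:00:06Z auth host=BK01 user=svc-backup result=success src=10.0.9.8
2025-03-05T02:13:41Z auth host=FS01 user=j.smith result=success src=10.0.5.23
2025-03-05T02:14:10Z auth host=DC01 user=j.smith result=success src=10.0.5.23
2025-03-05T02:15:02Z auth host=HV01 user=j.smith result=success src=10.0.5.23
2025-03-05T02:15:30Z auth host=HV01 user=j.smith result=failure src=10.0.5.23
"""
BASELINE_END = datetime(2025, 3, 4)  # everything before this is "normal"

def parse(lines):
    """Parse log lines into dicts; lines not in the expected format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def build_baseline(events, baseline_end):
    """Per-user set of hours-of-day with a successful login before baseline_end."""
    hours = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < baseline_end:
            hours[e["user"]].add(e["ts"].hour)
    return hours

def off_hours_logins(events, baseline, baseline_end):
    """Successful logins after the baseline period at an hour never seen for that user."""
    findings = []
    for e in events:
        if e["result"] == "success" and e["ts"] >= baseline_end:
            if e["ts"].hour not in baseline.get(e["user"], set()):
                findings.append(("off_hours_login", e["user"], e["host"], e["ts"]))
    return findings

def lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """One account succeeding on at least min_hosts distinct hosts inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append(("lateral_movement", user, tuple(sorted(hosts)), start["ts"]))
                break  # one finding per account is enough here
    return findings

def run(lines, baseline_end=BASELINE_END):
    events = parse(lines)
    baseline = build_baseline(events, baseline_end)
    return off_hours_logins(events, baseline, baseline_end) + lateral_movement(events)

if __name__ == "__main__":
    for f in run(SAMPLE_LOG.splitlines()):
        print(*f)
```

Note that the 03:00 backup-account login on 5 March is not flagged because that hour is in its baseline, while the same hour for a human user would be; a static IOC (an IP or hash) would distinguish neither case, which is the point of baselining per account. In a real deployment the baseline would be built over weeks, not two days, and the lateral-movement threshold tuned to what administrators legitimately do.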
Extend Log Retention
Standard 90-day log retention policies leave organizations "completely blind to the initial access vector and the full scope of the intrusion" [1]. When dwell time reaches 122 days, you need logs that cover at least that period.
For SMBs, cloud-based SIEM solutions (Security Information and Event Management) with long-term retention provide cost-effective log storage. Forward critical logs—especially application, administrative, and hypervisor-level telemetry—to centralized storage.
The Recovery Denial Threat
Modern ransomware groups don't just encrypt data—they destroy your ability to recover. Mandiant observed attackers actively targeting:
- Backup infrastructure
- Identity services
- Virtualization management planes [1]
By encrypting hypervisor datastores or deleting backup objects from cloud storage, attackers render all associated virtual machines inoperable simultaneously. This isn't encryption—it's destruction.
Immutable Backups as a Defense
Immutable backups—backups that cannot be modified or deleted for a fixed retention period—provide defense against recovery denial. Implementation approaches include:
- Object lock in cloud storage (AWS S3 Object Lock, Azure Immutable Blob Storage)
- WORM (Write Once, Read Many) storage systems
- Air-gapped backup copies stored offline
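A check of the first approach in the list above (cloud object lock), as an added example that is not code from the page, from Mandiant or from AWS. It evaluates a weak configuration beside a hardened one. The configuration dicts are constructed to mirror the shape boto3's `get_object_lock_configuration` returns (that shape is an assumption of this example; no AWS call is made), and the required retention is derived from the 122-day dwell-time figure on the page plus a recovery margin that is a policy choice made here, on the reasoning that a clean backup taken before the intrusion must still be locked when the intrusion is finally discovered.

```python
MEDIAN_DWELL_DAYS = 122  # espionage/nation-state median dwell time cited on the page

def required_retention_days(dwell_days=MEDIAN_DWELL_DAYS, recovery_margin_days=30):
    """Lock period must outlast the attacker's dwell time plus the time needed to
    discover the intrusion and restore; the 30-day margin is this example's policy."""
    return dwell_days + recovery_margin_days

def check_object_lock(config, min_days=None):
    """Return findings for an S3 Object Lock configuration dict (empty = acceptable).

    `config` is expected in the shape {'ObjectLockConfiguration': {'ObjectLockEnabled':
    'Enabled', 'Rule': {'DefaultRetention': {'Mode': ..., 'Days'|'Years': ...}}}},
    which is how boto3 reports it (assumption of this example)."""
    min_days = min_days or required_retention_days()
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        # Without Object Lock, anyone holding s3:DeleteObject on the bucket can
        # remove the backups, which is exactly the recovery-denial step described.
        return ["object_lock_disabled: backup objects can be deleted outright"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no_default_retention: new backup objects are written unlocked"]
    findings = []
    days = rule.get("Days") or 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"retention_too_short: {days}d < required {min_days}d")
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be overridden by a principal with
        # s3:BypassGovernanceRetention, so a compromised admin identity defeats it.
        findings.append("governance_mode: lock is bypassable by privileged principals")
    return findings

# Constructed configurations for the example.
WEAK_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}

HARDENED_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 180}}}}

NO_LOCK_CONFIG = {}  # what you get when Object Lock was never enabled

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("none", NO_LOCK_CONFIG)]:
        print(name, check_object_lock(cfg) or "ok")
```

Two points the findings make concrete: a 30-day lock is shorter than the dwell time the page reports, so by the time ransomware runs every locked copy may predate the lock window and the clean ones have already aged out; and a lock the backup administrator can bypass is only as strong as that administrator's credentials, which ties back to keeping the backup environment decoupled from the corporate identity domain. Object Lock in COMPLIANCE mode cannot be shortened or removed even by the account root, so set the period deliberately.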
Test Your Recovery
Backups you can't restore are useless. Regular recovery testing—restoring from backup to verify data integrity and system functionality—is essential. Test frequency depends on your risk tolerance, but quarterly testing is a reasonable baseline for most SMBs.
What You Can Do Today
- Audit your critical assets: Identify your Tier-0 systems (hypervisors, backups, identity providers). These get the strictest access controls.
- Review recent alerts: Examine security alerts from the past 90 days. Look for patterns that might indicate undetected persistence.
- Extend log retention: Configure centralized log storage with at least 6-month retention.
- Implement behavioral detection: Deploy EDR if you haven't already. Configure alerts for anomalous behavior.
- Test incident response: Run a tabletop exercise simulating a ransomware scenario. Can you detect, contain, and recover within your target timeframe?
FAQ
No. It's the median time for hand-off scenarios—meaning half are faster, half are slower. But the trend direction is clear: attackers are operating faster and more collaboratively.
Signs include unexplained account activity, unusual network traffic, new user accounts created without authorization, or security alerts that were investigated but not fully remediated. A professional security assessment can identify indicators of compromise.
Not necessarily. Automated detection and response can operate continuously. The key is configuring systems to isolate threats automatically rather than waiting for human review.
Backups protect against data loss, but they don't prevent initial access. However, immutable backups and tested recovery procedures can prevent ransomware from forcing you to pay.
Yes. Initial access brokers cast wide nets. MSPs, SaaS platforms, and supply chain relationships mean that compromising one vendor can provide access to thousands of SMB customers.
References
[1] Mandiant, "M-Trends 2026: Data, Insights, and Strategies From the Frontlines," Google Cloud, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/
[2] CISA, "Known Exploited Vulnerabilities Catalog," Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3] NIST, "Computer Security Incident Handling Guide," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
[4] Australian Cyber Security Centre, "Ransomware," ACSC, 2025. [Online]. Available: https://www.cyber.gov.au/threats/ransomware
[5] SANS Institute, "Incident Response Fundamentals," SANS, 2025. [Online]. Available: https://www.sans.org/incident-response/
[6] VMware, "Securing Virtual Infrastructure," VMware, 2025. [Online]. Available: https://core.vmware.com/resource/securing-virtual-infrastructure
[7] DORA, "Digital Operational Resilience Act Guidelines," European Union, 2025. [Online]. Available: https://www.eba.europa.eu/regulatory-policy/digital-operational-resilience-act
[8] IDC, "Worldwide Security and Trust Spending Guide," IDC, 2025. [Online]. Available: https://www.idc.com/getdoc.jsp?containerId=prAP50315123
Attack speed is accelerating, but your defenses can keep pace. lilMONSTER helps SMBs build resilience against modern threats through layered security, rapid incident response, and recovery-tested backup strategies. Get in touch at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=m-trends-2026-handoff
TL;DR
- Bad guys work in teams now—one breaks in, another wrecks everything
- The time between breaking in and wrecking things dropped from 8 hours to 22 seconds
- This means you have to act fast when something goes wrong
- Good backups and smart computer habits can protect your business
The Team-Up Problem
Imagine a burglar who breaks into houses but doesn't steal anything. Instead, they sell the keys to other burglars who come back later and clean the place out.
That's exactly what's happening in cybercrime now.
In the old days, one bad guy did everything: broke in, stole stuff, left. Now bad guys work in assembly lines:
- Team 1 breaks in and leaves the door unlocked
- Team 2 comes in and steals everything
Here's the scary part: in 2022, there were 8 hours between Team 1 breaking in and Team 2 arriving. In 2025, that time dropped to 22 seconds [1].
Twenty-two seconds. You don't even have time to make a coffee.
Why Bad Guys Team Up
It's about being efficient.
Think of it like a car factory:
- One person installs the engine
- Another person puts on the wheels
- Someone else paints it
Each person is really good at their one job. The car gets built faster.
Cybercriminals do the same thing:
- Break-in specialists are good at getting into computers (sending fake emails, finding unlocked doors)
- Wrecking specialists are good at stealing data or locking files (ransomware)
The break-in specialist doesn't need to know how to lock files. The wrecking specialist doesn't need to know how to break in. They each focus on what they're good at.
The 22-Second Hand-Off
Here's what 22 seconds looks like:
- Second 0-5: Break-in specialist installs a "back door" (a secret way to get back in)
- Second 5-15: They set up everything the wrecking specialist needs
- Second 15-22: Wrecking specialist arrives and starts causing problems
The break-in specialist isn't just leaving a door open. They're rolling out the red carpet. They're putting the tools in place. They're making it as easy as possible for the wrecking specialist to start causing chaos immediately.
Why This Matters for Your Business
You might think: "I'm not a big company. Who would target me?"
Here's the thing: break-in specialists cast a huge net. They send thousands of fake emails. They don't care who opens them—they just need someone to open one.
Once they're in, they sell access to your business to wrecking specialists. Your business becomes an item on a menu. Different wrecking specialists might buy access and try different attacks:
- Lock your files and demand money (ransomware)
- Steal your customer information
- Read your private documents
- Pretend to be you and trick your customers
The Prior Compromise Problem
Even worse: you might already be broken into and not know it.
Security researchers found that 30% of ransomware attacks happen because bad guys were already in the system from a previous break-in [1]. They've been sitting there, waiting for the right moment to strike.
It's like someone secretly living in your attic for months, then one day they come down and rob your house. You didn't know they were there. But they've been there the whole time.
How to Protect Your Business
Make It Hard to Break In
The first line of defense is stopping break-in specialists:
- Use special keys: Security keys (like YubiKeys) are much harder to steal than passwords
- Train your team: Teach people to spot fake emails and weird requests
- Keep software updated: Old software has cracks that bad guys know about
Make It Hard to Wreck Things
Even if bad guys get in, you can make it hard for them to cause damage:
- Separate important stuff: Don't keep everything on one computer or network
- Use good backups: Keep copies of important files somewhere safe
- Limit who can do what: Not everyone needs access to everything
Act Fast When Something Seems Wrong
Remember: 22 seconds is all it takes. When something seems wrong:
- Don't wait: If you see something suspicious, check it out immediately
- Have a plan: Know what to do before something bad happens
- Get help: Sometimes you need a computer security expert to figure out what's going on
The Backup Secret Weapon
The best defense against ransomware is good backups. Here's why:
Bad guys lock your files and demand money to unlock them. If you have good backups, you can say "no thanks" and restore your files yourself.
But your backups need to be smart:
- Automatic: They happen without you having to remember
- Separate: Not on the same computer as your regular files
- Tested: You should actually try restoring files to make sure it works
Think of backups like a spare tire. You don't think about it until you need it. But when you need it, you really need it—and it better work.
What You Can Do Right Now
Here's your checklist:
- Turn on two-factor authentication everywhere you can (especially for email and banking)
- Back up your important files to a separate location
- Update your software when it asks you to (especially security updates)
- Talk to your team about what to do if something seems wrong
- Have a plan for what to do if you get attacked
FAQ
Yes. Break-in specialists send thousands of fake emails to all kinds of businesses. Size doesn't matter to them.
It's hard to tell without special tools. Signs include: weird pop-ups, slow computers, files you didn't create, or passwords that stop working. A security expert can check for you.
Backups protect against ransomware (when bad guys lock your files). But they don't stop bad guys from stealing information. You need both good backups AND good defenses.
Not necessarily. Basic protections like good passwords, security keys, and updates go a long way. For some businesses, professional security help makes sense.
Start with the basics: good passwords, regular updates, backups, and training. These things don't cost much money but protect against most attacks.
References
[1] Mandiant, "M-Trends 2026: Data, Insights, and Strategies From the Frontlines," Google Cloud, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/
[2] National Cyber Security Centre, "Small Business Guide," NCSC, 2025. [Online]. Available: https://www.ncsc.gov.uk/guidance/small-business-guide
[3] CISA, "Ransomware Guide," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/stopransomware
[4] Australian Cyber Security Centre, "How to Stay Secure Online," ACSC, 2025. [Online]. Available: https://www.cyber.gov.au/learn
[5] Stay Safe Online, "Backups and Recovery," National Cyber Security Alliance, 2025. [Online]. Available: https://staysafeonline.org/backups-and-recovery
Bad guys are getting faster, but good defenses still work. lilMONSTER helps businesses protect against modern threats with practical, affordable security. Learn more at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=m-trends-2026-handoff-eli10