These attacks didn’t start with sophisticated exploits. Instead, they relied on stolen passwords, too-lenient access rights, and a failure to apply long-released vulnerability patches.
Over the past year, the Kaspersky Global Emergency Response Team and MDR service have investigated a wide range of security incidents across diverse industry verticals. The adversary tactics, techniques, and tooling uncovered during these engagements form the foundation of our Anatomy of a Cyber World Global Report 2026. From those findings, we’ve selected three real-world case studies to demonstrate how modern threat actors operate, and, more importantly, how they’ve been able to pull off these attacks.
Case Study #1. A single compromised account leads to data being taken hostage enterprise-wide
What happened?
In an incident targeting a Latin American company, attackers gained access to an SMTP server by compromising a local administrator account. There was no advanced exploit involved — just a simple credential theft. From there, they executed a textbook privilege escalation.
- Using the Mimikatz utility, the attackers dumped password hashes from memory. They then leveraged the pass-the-hash technique with the help of the Invoke-TheHash utility to acquire user privileges.
- Next, they deployed an additional tool to elevate privileges by exploiting a vulnerable driver, which allowed them to distribute ransomware to endpoints across the corporate network.
How did this happen?
Most organizations still defend their networks by trying to detect explicitly malicious behavior rather than monitoring legitimate actions performed under authorized credentials. The threat actor playbook is clearly visible in the data from our aforementioned Anatomy of a Cyber World Global Report. The adversary starts by compromising a user account. The report measures how often each technique turned into an actual breach; for the initial account compromise, the figures break down as follows:
- Password guessing — 34.8%
- Valid account abuse — 34.5%
Once a single account is hijacked, the attacker establishes a persistent foothold in the compromised infrastructure:
- Local account creation — 34.7%
- Account manipulation — 32.0%
Next, the attackers begin scanning network services.
- Network service discovery — 31.2%
If you lack visibility into this traffic — or fail to consider it a security incident — you’ve already lost the battle before the active phase of the attack even begins.
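The chain described in this section (password guessing against one account, then local account creation and account manipulation under the hijacked credentials) is visible in ordinary Windows Security event logs, which is the point about monitoring legitimate actions. The following is an added example written for this page, not code from Kaspersky or from the report: it correlates a constructed set of event records (event IDs 4625 failed logon, 4624 successful logon, 4720 user account created, 4732 member added to a local group) into three findings. It goes slightly beyond the text by also covering password spraying, which appears in Case Study #3, since the same failed-logon records serve both detections. All account names, hosts, thresholds and timestamps are constructed assumptions.

```python
"""Correlate Windows Security events into an account-compromise chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not data from the report). Each tuple is
# (timestamp, event id, actor account, target account, detail); `detail` is the
# source IP for logon events, the workstation for 4720 and the group for 4732.
SAMPLE_EVENTS = [
    # Password guessing: 12 failures against one account from one source, then success
    *[(f"2026-03-01T08:00:{s:02d}", 4625, "-", "svc_backup", "10.0.5.23") for s in range(0, 48, 4)],
    ("2026-03-01T08:00:50", 4624, "-", "svc_backup", "10.0.5.23"),
    # Password spraying: one source, a single failure against each of many accounts
    *[(f"2026-03-01T09:00:{i:02d}", 4625, "-", f"user{i:02d}", "10.0.9.77") for i in range(8)],
    # Persistence: the hijacked account creates a local user and adds it to Administrators
    ("2026-03-01T10:15:00", 4720, "svc_backup", "support2", "WS-042"),
    ("2026-03-01T10:16:30", 4732, "svc_backup", "support2", "Administrators"),
    # Benign noise: one mistyped password followed by a normal logon
    ("2026-03-01T11:00:00", 4625, "-", "alice", "10.0.1.10"),
    ("2026-03-01T11:00:30", 4624, "-", "alice", "10.0.1.10"),
]


def parse_events(raw):
    """Turn the raw tuples into dicts with real datetimes, sorted by time."""
    events = [{"ts": datetime.fromisoformat(ts), "id": eid, "actor": actor,
               "target": target, "detail": detail} for ts, eid, actor, target, detail in raw]
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Many failed logons against one account from one source, optionally followed by success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["target"], e["detail"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            successes[key].append(e["ts"])
    findings = []
    for (account, source), times in failures.items():
        n = _max_in_window(times, window)
        if n >= threshold:
            # A success after the burst is the "valid account" the attacker walks away with
            later_success = any(s > max(times) for s in successes.get((account, source), []))
            findings.append({"account": account, "source": source, "failures": n,
                             "followed_by_success": later_success})
    return findings


def detect_password_spraying(events, min_accounts=5, window=timedelta(minutes=10)):
    """One source failing against many distinct accounts within a short window."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["detail"]].append(e)
    findings = []
    for source, evs in by_source.items():
        best = 0
        for i, start in enumerate(evs):  # evs are already time-ordered
            seen = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(seen))
        if best >= min_accounts:
            findings.append({"source": source, "accounts": best})
    return findings


def detect_persistence_chain(events, window=timedelta(hours=1)):
    """A newly created local account added to a privileged group shortly afterwards."""
    created, findings = {}, []
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = e
        elif e["id"] == 4732 and e["target"] in created:
            gap = e["ts"] - created[e["target"]]["ts"]
            if gap <= window:
                findings.append({"actor": e["actor"], "new_account": e["target"],
                                 "group": e["detail"], "minutes_after_creation": gap.total_seconds() / 60})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for name, fn in [("guessing", detect_password_guessing), ("spraying", detect_password_spraying),
                     ("persistence", detect_persistence_chain)]:
        for finding in fn(evs):
            print(name, finding)
```

Each of the three functions flags a step that is individually legitimate-looking (failed logons, a new local user, a group membership change); the value comes from reviewing them as one sequence under one actor, which is exactly the visibility the report's figures say defenders lack.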
Case Study #2. When the monitoring server becomes a Trojan horse
What happened?
The organization fell victim to a Black Nivas ransomware attack. Much like the previous case study, the adversary’s initial entry point into the corporate network was through compromised credentials. While scanning the internal network, the attackers discovered a PRTG (Paessler Router Traffic Grapher) server — an infrastructure monitoring tool. By leveraging that server, the adversary pivoted into the broader network, located the organization’s ESXi servers, and encrypted the virtual environment in its entirety.
How did this happen?
Two classic mistakes were made:
- The monitoring server was configured with too many privileges, granting it access to all corporate assets across both physical and virtual environments.
- A user account was compromised.
Case Study #3. When a patch exists, but has yet to be deployed
What happened?
In this scenario, the adversary deployed a wiper rather than standard ransomware, rendering the targeted data permanently unrecoverable.
The attackers gained initial access by exploiting a known SAP NetWeaver server vulnerability, which they exploited to drop a web shell on perimeter servers. They then executed a password spraying attack to compromise higher-privileged user accounts.
Once inside the infrastructure, the adversary leveraged Active Directory and Group Policy Objects to deploy the malware with wiper functionality across the corporate network. The malicious payload itself was sideloaded by exploiting vulnerabilities in Microsoft Defender and an e-reader application. The wiper used cryptographically secure RSA to fully encrypt small files. For medium-sized files, it used RSA for the headers and AES for the rest. Large files were truncated to 5 MB, with the rest of the data replaced with zeroes. Because of this specific algorithm, complete recovery of the damaged files was mathematically impossible.
How did this happen?
The patch for the SAP NetWeaver vulnerability had been released several years prior to the attack. The organization simply failed to prioritize its deployment.
Unfortunately, this isn’t an isolated incident. As Konstantin Sapronov, the lead of the Global Emergency Response Team, points out: “The most frequently targeted public-facing applications so far in 2026 have been Microsoft Exchange, SharePoint, and Active Directory. Although patches for vulnerabilities in those products have long been available, organizations have consistently failed to install them in a timely manner.”
How to keep your organization out of the headlines
None of the incidents described above required the adversary to possess groundbreaking technical ingenuity. They relied on recycled techniques and known vulnerabilities. To defend against cyberattacks like the ones described here, we recommend building a strategy that pairs comprehensive, specialized software with managed cybersecurity services.
- Round-the-clock monitoring. If your organization lacks the resources to maintain a round-the-clock SOC — or if you want to elevate the capabilities of your existing security operations team — onboard a third-party MDR vendor. Kaspersky Managed Detection and Response delivers direct access to deep expertise and global threat intelligence, providing 24/7 monitoring and early-stage threat detection before an attack can escalate.
- Rapid incident response. Whether you suspect a breach has already occurred or simply want to ensure your team is prepared for that scenario, Kaspersky Incident Response (IR) is ready to assist. Deploying MDR alongside IR grants your organization 24/7 monitoring and detection, round-the-clock access to IR experts, continuous threat hunting, triage of security events, rapid threat containment, attack chain reconstruction across the entire infrastructure, reverse engineering and advanced DFIR analysis, coordination and recommendations on business recovery, and finally, a custom incident report with guidance.
- Patching beyond the checklist. The above-mentioned SAP NetWeaver vulnerability had been patched years before the actual breach occurred. If you lack visibility into which specific CVEs are critical for your infrastructure, implement routine vulnerability scanning and patch prioritization. Leverage MDR to monitor for exploitation attempts against known CVEs, and conduct a Compromise Assessment to ensure hackers haven’t already capitalized on legacy vulnerabilities you might have missed.
- Security audits and hardening. The PRTG server from Case Study #2 was granted excessive privileges — a classic symptom of poorly defined access management and monitoring processes. Addressing these systemic issues is exactly what Kaspersky SOC Consulting is built for. Backed by real-world experience and proven frameworks and methodologies, our experts help you design your security operations. We assist in architecting your SOC, developing detection use cases to flag anomalies, drafting runbooks for your team, and defining KPIs to measure your SOC’s effectiveness.
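The "patching beyond the checklist" recommendation above comes down to one question the SAP NetWeaver case makes concrete: how long has a fix been available for an exposed system? The following is an added example written for this page, not Kaspersky's or the report's tooling: it takes a constructed scan inventory and ranks each finding by exposure, known exploitation and the age of the available patch, then marks anything whose patch has been out longer than the tier's remediation SLA. The CVE identifiers are obviously labelled placeholders, and the assets, dates, CVSS scores and SLA values are constructed assumptions; real inputs would come from a vulnerability scanner and a known-exploited-vulnerabilities feed.

```python
"""Rank vulnerability findings by exposure and patch age (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    asset: str
    cve: str               # placeholder IDs below; real IDs come from the scanner
    cvss: float
    patch_released: date   # date the vendor fix became available
    internet_facing: bool
    known_exploited: bool  # e.g. present in a known-exploited-vulnerabilities feed


# Constructed inventory for this example (not data from the report)
FINDINGS = [
    Finding("sap-portal-01", "CVE-PLACEHOLDER-A", 9.8, date(2022, 6, 14), True, True),
    Finding("exch-01", "CVE-PLACEHOLDER-B", 8.8, date(2025, 11, 11), True, False),
    Finding("hr-laptop-17", "CVE-PLACEHOLDER-C", 9.1, date(2026, 2, 10), False, False),
    Finding("file-srv-03", "CVE-PLACEHOLDER-D", 5.3, date(2021, 3, 9), False, False),
]

# Constructed remediation SLAs in days per priority tier
SLA_DAYS = {1: 14, 2: 30, 3: 90}


def patch_age_days(finding, today):
    """How many days the fix has been available, i.e. how long the window has been open."""
    return (today - finding.patch_released).days


def priority(finding):
    """Tier 1: exploited in the wild, or internet-facing with a critical score.
    Tier 2: internet-facing, or critical score anywhere. Tier 3: everything else."""
    if finding.known_exploited or (finding.internet_facing and finding.cvss >= 9.0):
        return 1
    if finding.internet_facing or finding.cvss >= 9.0:
        return 2
    return 3


def prioritize(findings, today):
    """Return findings ordered by tier, then by how long the patch has been waiting."""
    rows = []
    for f in findings:
        tier = priority(f)
        age = patch_age_days(f, today)
        rows.append({"asset": f.asset, "cve": f.cve, "tier": tier, "patch_age_days": age,
                     "overdue": age > SLA_DAYS[tier]})
    return sorted(rows, key=lambda r: (r["tier"], -r["patch_age_days"]))


if __name__ == "__main__":
    # Fixed "today" so the output is reproducible
    for row in prioritize(FINDINGS, date(2026, 3, 1)):
        print(row)
```

Sorting by tier first and patch age second puts a years-old fix on an exposed, actively exploited product at the top of the queue regardless of how many newer, louder CVEs the scanner reports; the overdue flag is what turns a scan result into a backlog item with an owner.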
Additionally, we recommend tracking the tactics, techniques, and tooling actively deployed by threat actors. We aim to explain these complexities in plain language through our blog posts, podcasts, interviews, and industry conference presentations. Specifically, the full Anatomy of a Cyber World Global Report 2026 outlines which threat groups are actively targeting organizations, the methods they deploy, how to detect these threats before they escalate into high-impact incidents, and where to invest to build bullet-proof cyber-resilience. Furthermore, this year’s report marks the first time we’ve integrated data directly from our SOC Consulting and Compromise Assessment services. It covers cyberthreat trends, high-severity incident breakdowns, and industry- and region-specific attack vectors, while delivering insights into where corporate blind spots are and why misconfigurations often fly under the radar. We also recommend watching the recording of our webinar, Anatomy of a Cyber World, in which our experts dissect the evolving threat landscape and explain why human-operated attacks continue to pose one of the greatest risks to businesses.