Threat actors are accelerating their attacks and adopting innovative new ways to circumvent endpoint detection mechanisms, according to a new report from ReliaQuest.
The threat intelligence vendor claimed in its latest Threat Spotlight report for the period June–August 2025 that average breakout time – the period from initial access to lateral movement – dropped to 18 minutes.
One Akira attack came in at just six minutes, way below the lowest breakout time recorded in 2024, of 27 minutes.
The figure keeps falling. In January, ReliaQuest claimed breakout time in 2024 was 22% shorter than the previous year. Once adversaries reach this stage, attacks become harder to detect and contain.
Threat actors are not just getting faster but also smarter, ReliaQuest warned. There’s been a sharp rise in ransomware operations using the SMB file-sharing protocol for remote file encryption – from 20% to 29% of ransomware attacks.
“Using compromised credentials, attackers access shared files on a network via a single compromised host, often through unmanaged devices or VPNs,” the report noted.
“By encrypting data remotely, they bypass endpoint protections entirely, operating quietly and efficiently within the network. This highlights a critical flaw in endpoint-focused defenses: Attacks don’t stop at the endpoint, and neither should your defenses.”
USB Malware on the Rise
ReliaQuest also warned that drive-by compromise remains the most popular tactic for initial access, accounting for 34% of incidents. That’s versus 12% for spear phishing links and, remarkably, 12% for USB malware.
“USB-based malware is thriving because of weak policy enforcement and inconsistent endpoint controls. It’s easy to overlook the dangers of plugging in unvetted USBs and attackers exploit this to infiltrate corporate networks,” the report noted.
It pointed to the Gamarue variant as particularly prevalent in the period.
“Gamarue hides its malicious Dynamic Link Libraries (DLLs) so well that most employees wouldn’t know they’re infected,” ReliaQuest said. “The infection trigger – a malicious LNK file – disguises itself as a legitimate file already present on the USB, making it even harder to spot.”