Ransomware affiliate tradecraft doesn’t stand still. The techniques that reliably converted initial access into successful deployment two years ago — PSExec with stolen credentials, straightforward LSASS dumping, manual group policy abuse — have become detection targets. Groups that keep operating at volume have adapted. H1 2026 shows a clear shift in technique across the affiliate ecosystem, driven by three dynamics: improved EDR coverage forcing endpoint bypass innovation, widening initial access variety, and a deliberate move toward destroying backups before encryption.
This report covers the TTP clusters that have become dominant in 2026 and what they mean for defenders.
BYOVD: The Standard EDR Bypass
Bring Your Own Vulnerable Driver (BYOVD) has moved from an advanced technique to standard practice among capable ransomware affiliates. The pattern: drop a legitimate but vulnerable signed kernel driver to disk, load it, and use the kernel-level access to terminate EDR agent processes that are otherwise protected by tamper protection.
The Poortry driver (tracked as truesight.sys, dbutil_2_3.sys, and other filenames depending on the signed binary used) is the most commonly observed tool in this role in 2026, documented in intrusions attributed to Osiris ransomware, Embargo, and Qilin affiliates. The technique works because tamper protection in Windows protects EDR agent processes from user-mode termination but cannot prevent a kernel-mode driver from unloading kernel components.
Defenders face a narrow window: the driver load itself is detectable via Sysmon Event ID 6 (driver loaded) and is increasingly flagged by Microsoft Vulnerable Driver Blocklist — but affiliates continuously rotate to new drivers when existing ones appear on blocklists, and the blocklist update cadence is slower than the rotation cadence.
What’s changed in 2026: the pool of affiliates using BYOVD has grown significantly. Previously this technique required meaningful reverse engineering capability. Purpose-built BYOVD toolkits circulating in the initial access broker ecosystem have lowered that bar. Groups that weren’t technically capable of building their own BYOVD chain in 2024 are using commodity tooling to achieve the same result in 2026.
Supply Chain and Developer Toolchain Initial Access
Several significant intrusion chains in H1 2026 originated not through phishing or external vulnerability exploitation but through the developer toolchain: malicious packages in public registries, compromised CI/CD secrets, and typosquatted internal package dependencies.
The ChocoPoC campaign, identified by YesWeHack and Sekoia in July 2026, illustrates the pattern. Attackers created fake GitHub repositories presenting as proof-of-concept exploit code for disclosed vulnerabilities. Researchers and security engineers cloning these repos executed a malicious dependency that established persistence. The C2 used Mapbox’s mapping API as a dead-drop resolver — a technique that avoids direct C2 infrastructure detection because the initial beacon goes to a legitimate third-party service.
The targeting of security researchers and developers is intentional. These individuals often have access to high-privilege internal systems, CI/CD pipelines, code signing infrastructure, and credential stores — exactly the access a ransomware affiliate needs for pre-encryption positioning. The dwell time between initial access through a developer machine and ransomware deployment is typically short: if the developer has direct write access to production systems or can modify deployment pipelines, the escalation path is immediate.
For defenders: developer workstations should not be treated as lower-priority endpoints. They often have the most dangerous combination of privileges (production deployment access, credential stores, VPN access) with less security monitoring than server infrastructure.
Citrix and VPN Appliance Exploitation
VPN and remote access appliance vulnerabilities remain a primary initial access vector. The pattern that emerged with Citrix Bleed (CVE-2023-4966) in 2023 — mass exploitation of a single high-severity appliance vulnerability by multiple ransomware affiliate groups simultaneously — has repeated with subsequent Citrix, Ivanti, and Fortinet vulnerabilities.
In 2026, ransomware groups have demonstrated increasingly automated exploitation pipelines: detect the vulnerable appliance, obtain session tokens, enumerate internal access, deploy tooling, and hand off to a human operator — all within hours of exploitation. The automation reduces the cost per target and allows high-volume campaigns that don’t require per-target customisation.
The operational implication is that the window between public vulnerability disclosure (or PoC release) and exploitation across the affiliate ecosystem has compressed. For Citrix and Ivanti vulnerabilities in particular, treating a high-severity advisory as a 30-day patching task is too slow. Emergency patching windows of 24-72 hours are warranted for network-edge appliances with known exploitation.
ESXi Hypervisor Targeting
The shift to targeting VMware ESXi hypervisors directly — rather than Windows endpoints — reflects the evolution of enterprise infrastructure. Large organisations increasingly run production workloads on ESXi, and a single successful ESXi encryption can take down more systems than hundreds of individual workstation encryptions.
ESXi targeting has been present since 2022 (ESXiArgs campaign) but has matured. In 2026, purpose-built ESXi encryptors are standard offerings in several RaaS programmes. Affiliates with ESXi access use the hypervisor’s native management interface rather than requiring IPMI or OOB access — esxcli commands to shut down VMs and modify VMDK files are accessible to any user with administrative access to the host.
The initial access paths to ESXi in observed campaigns: compromised vCenter credentials from Windows domain compromise (ESXi joins AD and inherits domain admin access), direct exploitation of ESXi management interface vulnerabilities (OpenSLP, DHCP client vulnerabilities), and credential stuffing against management interfaces exposed to internal networks.
Hardening for ESXi specifically: disable OpenSLP if not required, enforce management interface access through jump hosts with MFA, restrict which AD accounts have ESXi management access, and ensure vCenter is not exposed to the internal network without additional authentication controls.
Backup Destruction as a Precondition
Encrypting files is no longer the first offensive action in organised ransomware campaigns — it’s the last. In the intrusions with the highest ransom payments observed in H1 2026, backup destruction preceded encryption by hours to days. Attackers spend dwell time mapping backup infrastructure, confirming backup health (ensuring there are complete recent backups to destroy), and ensuring backup deletion is irreversible before the encryption run starts.
Common backup destruction techniques observed: deletion of Volume Shadow Copies (vssadmin delete shadows /all /quiet), deletion of Windows Server Backup jobs, targeting of on-premises backup repositories (Veeam, Commvault) through compromised management consoles, and in cloud environments, deletion of snapshot schedules and S3 object versioning before encryption.
The detection opportunity: backup system access by accounts that don’t normally interact with backup infrastructure is anomalous and often precedes encryption by enough time to interrupt the attack if alerts are actionable. Monitoring for vssadmin, wbadmin, and backup console access from non-backup-admin accounts should be a high-priority detection rule.
Defensive Adjustments
These TTP shifts suggest specific adjustments:
- BYOVD: Deploy Microsoft Vulnerable Driver Blocklist and keep it current. Alert on driver loads outside of your known-good baseline. Memory integrity (HVCI) prevents many BYOVD driver loads.
- Developer toolchain: Apply the same endpoint protection, monitoring, and network controls to developer workstations as production servers. Verify package hashes before installation in CI pipelines.
- Appliance patching: Create a separate fast-track patching process for network-edge appliances (VPN, remote access, load balancers) with a 24-72 hour target for critical severity.
- ESXi: Audit vCenter and ESXi management access. Ensure ESXi management interfaces are not reachable from general internal network segments.
- Backup integrity: Alert on backup system access by non-backup accounts. Maintain immutable backups (S3 Object Lock, Veeam Hardened Repository) that cannot be deleted from production credentials.
The tactical evolution in 2026 reflects a maturing criminal ecosystem that is responsive to defensive improvements. BYOVD spread because EDR coverage improved. Supply chain targeting spread because perimeter defences improved. The pattern is adaptive, not static.