The Numbers Are In: It's Getting Worse

1-20-2026 (Tuesday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I'm your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, January 20, 2026, and the news this week is reinforcing what many of us already suspected: breaches are up, attackers are getting smarter, and both nation states and ransomware gangs are coming after the same targets because they're the ones that are vulnerable.

The Numbers Are In: It’s Getting Worse

Let's start with the numbers. According to Comparitech's year-end report, global ransomware attacks rose 32% in 2025 - that's 7,419 attacks, up from 5,631 the year before. Manufacturing was the hardest hit, with attacks up 56% and ransom demands more than doubling to an average of $1.16 million. The U.S. remains the top target with 3,810 attacks - nearly half the global total.

But it's not just ransomware gangs. Cisco Talos released research this week on a Chinese APT they're calling UAT-8837, which has been systematically breaching North American critical infrastructure organizations over the past year. Their entry points? Compromised credentials and unpatched servers - including a zero-day in Sitecore products that federal agencies were mandated to patch back in September.

And here's what keeps me up at night: both the nation state actors and the ransomware crews are using the same playbook. Compromised identities. Unpatched systems. Stolen credentials leading to lateral movement. The lines between espionage and extortion are blurring.

Attackers Remain Clever

What's changing is the sophistication. Researchers at Group-IB discovered that the DeadLock ransomware group is now using Polygon blockchain smart contracts to store their command-and-control infrastructure. Instead of servers that can be taken down, they're storing proxy addresses on-chain - distributed across blockchain nodes worldwide. There's no central server to seize, making it cheap, decentralized, and nearly impossible to disrupt. And, as we know, other attackers will quickly adopt this approach because it works, so it will proliferate and become even harder to defend against.

Other clever techniques are also being seen in the wild: a new malware loader called CastleLoader has been found targeting nearly 500 devices across U.S. government agencies and critical infrastructure. It uses memory-based execution to evade file-based detection, deploys through social engineering, and its primary job is stealing credentials and establishing persistent access - again feeding back to the idea of stolen credentials as the entry point.

What This Means For You

For middle market companies, the takeaway is clear: the fundamentals still matter, but the margin for error is shrinking.

Compromised identities remain the number one entry point. That means you need MFA everywhere - not just on the VPN, but on your admin accounts, your cloud services, and your privileged access. It means actually reviewing who has access and whether they still need it.

Unpatched systems are still getting exploited - including zero-days that get added to CISA's catalog and then sit unpatched for months. If you don't have a handle on your patch management, especially for internet-facing systems, you're rolling the dice every day.

And the clever techniques? They're a reminder that your security tools need to evolve too. Legacy, file-based antivirus isn't catching memory-resident malware. Traditional takedowns aren't stopping blockchain-based infrastructure - and even though we saw Microsoft notch one for the good guys in taking down the RedVDS cybercrime virtual desktop this week, we know that more baddies will come in to fill that space.

The good news is that none of this requires exotic solutions. It requires discipline - identity hygiene, patch management, and detection capabilities that actually work. The bad news is that 32% more organizations found out the hard way last year that they didn't have that discipline in place.

Don't be one of them in 2026.

Fundraising

From a fundraising perspective, another big week, with more than $30B in newly committed capital, and that's NOT counting the news that PE giant Clayton Dubilier & Rice is seeking $26B for its next flagship fund. What we did see is:

  • Coller Capital raised $17B for its ninth flagship PE secondaries fund;

  • Sixth Street raised €3.75B for its third European direct lending fund;

  • H.I.G. Capital raised €1.6B for its fourth European midmarket fund; and

  • New Mountain Capital raised $1.2B for its second non-control PE fund.

The public markets, despite the macro environment, seem to be continuing on - with the Dow, S&P, and NASDAQ all essentially flat last week. Whether that trend continues is anybody's guess, but we'll see at least a few big bets being made out of these new funds.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and sign up for our monthly newsletter, the Intentional Dispatch.

We'll see you next week for another edition of the Intentional Brief.

Links

https://www.comparitech.com/news/worldwide-ransomware-roundup-2025-end-of-year-report/

https://therecord.media/china-hackers-apt-cisco-talos

https://crypto.news/ransomware-polygon-smart-contracts-evade-takedowns-2026/

https://cyberpress.org/castleloader-malware-targets-us-government/

https://www.bleepingcomputer.com/news/security/microsoft-seizes-servers-disrupts-massive-redvds-cybercrime-platform/
