Quick Facts
- Category: Cybersecurity
- Published: 2026-05-14 05:07:18
On International Anti-Ransomware Day (May 12), Kaspersky released its annual report on the global and regional ransomware landscape. The findings reveal a threat that remains persistent and adaptive, even as attack numbers decline. Key trends include the emergence of post-quantum cryptography in ransomware, a shift toward encryptionless extortion, and the growing sophistication of initial access brokers and defense evasion techniques. Below, we explore the most critical questions about the state of ransomware in 2026.
What does the Kaspersky report say about overall ransomware activity in 2026?
Kaspersky’s data shows that the share of organizations hit by ransomware decreased slightly in 2025 compared to 2024 across all regions. However, the threat remains severe. Attackers have refined their tactics to operate more efficiently, and the likelihood of an attack is still high for most sectors. For instance, in manufacturing alone, ransomware attacks may have caused over $18 billion in losses during the first three quarters of the year. This paradox—fewer attacks but major financial impact—highlights how operators are now targeting larger, higher-value victims with more precise and disruptive campaigns.

Why are some ransomware groups now using encryptionless extortion?
As ransom payments have dropped, some groups have shifted to encryptionless extortion tactics. Instead of locking files, they steal sensitive data and threaten to leak it publicly unless a ransom is paid. This approach reduces technical complexity and avoids the need for developing or deploying encryption algorithms. It also puts pressure on victims who fear regulatory fines or reputation damage from a data breach. The trend reflects a broader adaptation in the ransomware business model: when one revenue stream dries up, attackers pivot to alternatives that still generate income without requiring heavy technical investment.
What role do initial access brokers play in the 2026 ransomware ecosystem?
Initial access brokers remain a critical cog in the ransomware market. These specialists gain footholds in corporate networks and then sell that access to ransomware groups. In 2026, brokers have shown an increased focus on compromising RDWeb (Remote Desktop Web Access) as their preferred entry method. RDWeb is widely used for remote work and is often poorly configured or inadequately patched, making it an attractive target. By selling pre‑obtained access, brokers enable ransomware operators to bypass perimeter defenses and launch attacks more quickly and reliably.
How are ransomware operators using EDR killers and defense evasion tools?
In 2026, neutralizing endpoint detection and response (EDR) systems has become a standard preliminary step in ransomware attacks. Attackers deploy so‑called “EDR killers” to terminate security processes and disable monitoring agents. A common technique is Bring Your Own Vulnerable Driver (BYOVD), where adversaries exploit legitimate, signed drivers to gain kernel‑level access. This allows them to blend into normal system activity while gradually eroding defensive visibility. The result: evasion is no longer opportunistic but a planned, repeatable phase of the attack lifecycle. Organizations now face the dual challenge of detecting ransomware and keeping their own defenses operational.
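
Because a BYOVD driver is legitimately signed, a signature check alone does not flag it; a more useful signal is a driver loaded from an unusual location followed shortly by a security agent stopping on the same host. The following Python is an added example, not code from Kaspersky's report: the event records are constructed and simplified from Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated), and the agent name, trusted directory list and five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, simplified from Sysmon Event ID 6 (driver loaded)
# and Event ID 5 (process terminated). Hosts, paths and names are made up.
EVENTS = [
    {"id": 6, "time": "2026-05-01 10:00:00", "host": "ws01",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys", "Signed": "true"},
    {"id": 6, "time": "2026-05-01 10:02:10", "host": "ws01",
     "ImageLoaded": r"C:\Users\Public\helper.sys", "Signed": "true"},
    {"id": 5, "time": "2026-05-01 10:03:00", "host": "ws01",
     "Image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"id": 5, "time": "2026-05-01 10:03:05", "host": "ws02",
     "Image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"id": 5, "time": "2026-05-01 11:30:00", "host": "ws01",
     "Image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
]

TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)  # assumption
SECURITY_AGENTS = {"edr_agent.exe"}                         # hypothetical name
WINDOW = timedelta(minutes=5)                               # assumption

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def suspicious_driver_loads(events):
    """Driver loads from outside the trusted directories. A valid signature
    does not clear the load: BYOVD drivers are legitimately signed."""
    return [e for e in events if e["id"] == 6
            and not e["ImageLoaded"].lower().startswith(TRUSTED_DRIVER_DIRS)]

def correlate(events):
    """Alert when a security agent stops on the same host within WINDOW
    after a suspicious driver load."""
    alerts = []
    for drv in suspicious_driver_loads(events):
        for e in events:
            if (e["id"] == 5 and e["host"] == drv["host"]
                    and e["Image"].lower().rsplit("\\", 1)[-1] in SECURITY_AGENTS
                    and timedelta(0) <= _ts(e) - _ts(drv) <= WINDOW):
                alerts.append((drv["host"], drv["ImageLoaded"], e["Image"], e["time"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

Only the ws01 termination at 10:03:00 alerts: the ws02 event is on a different host and the 11:30 event falls outside the window.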

What is post-quantum ransomware, and why does it matter?
Kaspersky predicted that quantum‑resistant ransomware would appear by 2025, and that prediction has come true. Advanced groups now use post‑quantum cryptography in their payloads, making encrypted data nearly impossible to decrypt even with future quantum computers. An example is the PE32 ransomware family, which implements the ML‑KEM (Module‑Lattice‑Based Key‑Encapsulation Mechanism) standard. This ensures that victims cannot recover files using either classical or quantum decryption tools, forcing them to consider paying the ransom. The adoption of post‑quantum ciphers raises the stakes for defenders, as traditional decryption methods become obsolete.
How is the manufacturing sector specifically affected by ransomware?
Manufacturing remains a prime target due to its reliance on operational technology (OT) and the high cost of downtime. Kaspersky, in collaboration with VDC Research, estimated that ransomware attacks on the manufacturing sector caused over $18 billion in losses in just the first three quarters of the year. These figures include both ransom payments and the indirect costs of production stoppages, supply chain disruptions, and remediation. Attackers exploit the sector’s complex IT/OT convergence, often using initial access gained through remote access tools like RDWeb to spread laterally and encrypt critical systems.