Ransomware in 2026: Key Trends and Emerging Threats

On International Anti-Ransomware Day (May 12), Kaspersky released its annual report on the global ransomware landscape for 2026. While the number of attacks has slightly declined year-over-year, the threat remains severe due to evolving tactics, advanced encryption methods, and increasingly strategic attacks on security defenses. This Q&A examines the most critical developments transforming ransomware today.

Why did ransomware attacks decline in 2025?

According to Kaspersky Security Network, the percentage of organizations hit by ransomware fell across all regions in 2025 compared to 2024. This decrease is not a sign that ransomware is fading—rather, it reflects the growing sophistication of attackers. Operators are now focusing on quality over quantity, targeting high-value victims with more precise, well-funded campaigns. They invest in defense evasion, custom tools, and extended dwell times to maximize impact. As a result, even with fewer incidents, the damage per attack has increased. In manufacturing alone, losses from ransomware in the first three quarters of 2025 exceeded $18 billion, according to Kaspersky and VDC Research.

Source: securelist.com

How are EDR killers changing the ransomware landscape?

By 2026, neutralizing endpoint defenses has become a standard pre-attack step. Ransomware operators now routinely deploy EDR killers, tools that terminate security processes and disable monitoring agents. One prevalent method is the Bring Your Own Vulnerable Driver (BYOVD) technique, where attackers exploit signed but vulnerable drivers so that the activity blends in with legitimate system activity. This turns evasion from an opportunistic step into a deliberate, repeatable phase of the intrusion. Organizations can no longer rely solely on detection; they must also ensure their security controls survive targeted attacks. The rise of EDR killers underscores the need for layered defenses and robust endpoint hardening.

What is post-quantum cryptography ransomware?

As predicted by Kaspersky in 2025, advanced ransomware groups have begun using post-quantum cryptography (PQC) to encrypt victims' files. One example is the PE32 ransomware family, which implements the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard. This encryption is resistant to both classical and quantum computer decryption attempts, making it nearly impossible for victims to recover data without paying. The adoption of PQC is a direct response to the evolution of quantum computing, and it signals a new arms race between ransomware developers and security researchers. For now, PQC ransomware is limited to elite groups, but its spread could dramatically increase the cost and difficulty of data recovery.

Why are initial access brokers targeting RDWeb?

In the constantly shifting ransomware ecosystem, initial access brokers (IABs) have refined their focus. By 2026, they show a clear preference for compromising RDWeb (Remote Desktop Web Access) as the primary gateway into corporate networks. RDWeb is widely used for remote work and often inadequately secured, making it a soft target. Once inside, IABs sell access to ransomware operators, who can then move laterally and deploy payloads. This specialization has turned RDWeb vulnerabilities into a major commodity on darknet forums. Organizations relying on remote desktop solutions must enforce strict multi-factor authentication and regular patching to reduce exposure.

What are encryptionless extortion attacks?

As ransom payments drop, some ransomware groups are experimenting with encryptionless extortion. Instead of encrypting files, these attackers exfiltrate sensitive data and threaten to publish it unless a ransom is paid. This approach bypasses the need for complex encryption and avoids triggering traditional ransomware alarms. It can be faster, quieter, and often equally damaging—especially for industries that handle proprietary or personal data. Encryptionless attacks are part of a broader shift toward pure data theft and double extortion, where victims face both operational disruption and reputational harm. Defending against these attacks requires strong data loss prevention (DLP) and rapid incident response capabilities.

How severe are ransomware losses in manufacturing?

The manufacturing sector has become a prime target for ransomware due to its critical role in global supply chains and often outdated operational technology (OT) systems. Kaspersky and VDC Research estimated that ransomware attacks caused over $18 billion in losses in manufacturing during just the first three quarters of 2025. These losses include production downtime, ransom payments, forensic recovery, and long-term reputational damage. Attackers exploit the fact that manufacturers cannot afford prolonged shutdowns, increasing their willingness to negotiate. The sector’s growing reliance on IT-OT convergence also creates new entry points for intruders. Mitigation requires not only cybersecurity measures but also business continuity planning that accounts for ransomware incidents.

To counter the trends described above, organizations must adapt their defenses. First, EDR killer detection should be integrated into security operations—monitoring for driver abuse and unexpected process terminations. Second, update encryption standards: while PQC ransomware is rare today, preparing for it means maintaining strong backup and recovery procedures that don't rely on decryption. Third, secure remote access solutions like RDWeb with MFA and limited exposure. Fourth, train incident response teams to handle encryptionless extortion by focusing on data exfiltration and leak monitoring. Finally, sector-specific risk assessments, particularly in manufacturing, can help prioritize investments in OT security and air-gapped backups. The ransomware threat is evolving, but with proactive measures, organizations can reduce both the likelihood and impact of attacks.
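The monitoring recommended here for driver abuse and unexpected process terminations, and the EDR-killer pattern described in the BYOVD answer earlier, can be expressed as a correlation rule. The following is an added example, not code from Kaspersky or the original article. It assumes events shaped like Sysmon records (Event ID 6 for a driver load, Event ID 5 for a process termination); the host names, paths, agent process names and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, Sysmon event id, image path).
# Event ID 6 = driver loaded, Event ID 5 = process terminated. All values invented.
SAMPLE_EVENTS = [
    ("2026-05-12T09:00:02", "ws-014", 6, r"C:\Windows\System32\drivers\storport.sys"),
    ("2026-05-12T09:14:40", "ws-014", 6, r"C:\Users\Public\example_vuln.sys"),
    ("2026-05-12T09:14:55", "ws-014", 5, r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    ("2026-05-12T09:14:57", "ws-014", 5, r"C:\Program Files\ExampleEDR\edr_monitor.exe"),
    # Agent exits with no suspicious driver load before it (e.g. an update restart).
    ("2026-05-12T09:30:00", "ws-020", 5, r"C:\Program Files\ExampleEDR\edr_agent.exe"),
    # Driver from an odd path, but no security process is terminated afterwards.
    ("2026-05-12T10:00:00", "ws-031", 6, r"C:\ProgramData\tmp\other.sys"),
]

# Assumptions: names of the security agent processes and the usual driver directories.
PROTECTED = {"edr_agent.exe", "edr_monitor.exe"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
WINDOW = timedelta(minutes=5)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_edr_killer_patterns(events, window=WINDOW):
    """Flag a driver loaded from an unusual path that is followed, on the same
    host and within `window`, by termination of a protected security process.
    A valid signature is deliberately not treated as a sign of safety, because
    BYOVD drivers are signed."""
    alerts = []
    recent_loads = {}  # host -> [(load time, driver path)]
    for ts, host, event_id, image in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 6 and not image.lower().startswith(TRUSTED_DRIVER_DIRS):
            recent_loads.setdefault(host, []).append((t, image))
        elif event_id == 5 and basename(image) in PROTECTED:
            for loaded_at, driver in recent_loads.get(host, []):
                if timedelta(0) <= t - loaded_at <= window:
                    alerts.append({"host": host, "driver": driver,
                                   "killed": basename(image),
                                   "delay_s": int((t - loaded_at).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_edr_killer_patterns(SAMPLE_EVENTS):
        print(alert)
```

The path heuristic misses a vulnerable driver that has been copied into the normal drivers directory, so in practice this rule is paired with a hash blocklist of known-vulnerable drivers.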
