Ransomware in 2026: Key Questions and Answers

On May 12, International Anti-Ransomware Day, Kaspersky released its annual review of ransomware threats globally and regionally. The report highlights that while attack volumes have dipped slightly from 2025 peaks, ransomware remains one of the most resilient and adaptive cyber threats. New families are adopting post-quantum encryption, ransom payments are declining, and operators are shifting toward encryptionless extortion and advanced evasion techniques. Initial access brokers continue to thrive, particularly targeting RDWeb. This Q&A breaks down the key trends and findings from the 2026 report.

How has the ransomware threat landscape changed in 2026?

Ransomware attacks overall decreased in 2025 compared to 2024, but the threat remains significant. According to Kaspersky Security Network data, the percentage of organizations hit by ransomware fell across all regions. However, attackers have become more efficient, focusing on high-value targets and refining their methods. New ransomware families now employ post-quantum encryption algorithms, making data recovery without payment nearly impossible. Additionally, some groups have turned to encryptionless extortion, stealing data and threatening to leak it rather than encrypting files. Initial access brokers have also shifted their focus to exploiting Remote Desktop Web Access (RDWeb), a popular entry point for remote work environments.

Source: securelist.com

Why are ransomware attacks declining yet still a major threat?

The nominal decline in attack volume does not reflect a decrease in risk. Attackers are concentrating on fewer, more lucrative victims and investing in higher-quality tools. For example, in the manufacturing sector alone, ransomware caused over $18 billion in losses during the first three quarters of 2025, as reported by Kaspersky and VDC Research. The drop in overall infections is partly due to improved defenses, but cybercriminals have adapted by using more precise targeting and advanced evasion tactics. This means organizations face a high likelihood of a successful attack, especially if they lack robust detection and response capabilities.

What new tactics are ransomware groups using to evade defenses?

In 2026, ransomware operators prioritize neutralizing endpoint defenses before deploying payloads. Tools known as "EDR killers" have become standard in attack playbooks, allowing attackers to terminate security processes and disable monitoring agents. A common technique is Bring Your Own Vulnerable Driver (BYOVD), where adversaries use signed drivers to blend into legitimate system activity while gradually degrading visibility. This marks a shift from opportunistic evasion to a deliberate, repeatable phase of the attack lifecycle. Organizations now struggle not only to detect ransomware but also to maintain control over environments where security controls are actively targeted.
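
A defender-side sketch of how the pattern described above can be caught, added here as an example and not taken from the Kaspersky report: it correlates a first-seen kernel driver load with a security-agent service stopping on the same host shortly afterwards. The event schema, the baseline hash set, the service name ExampleEDRAgent and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical normalized schema
# (driver loads as from Sysmon Event ID 6, service stops as from the SCM log).
EVENTS = [
    {"ts": "2026-05-12T09:00:05", "host": "ws01", "type": "driver_load",
     "path": r"C:\Windows\System32\drivers\disk.sys", "sha256": "aa11", "signed": True},
    {"ts": "2026-05-12T09:14:30", "host": "ws07", "type": "driver_load",
     "path": r"C:\Users\Public\example.sys", "sha256": "ee55", "signed": True},
    {"ts": "2026-05-12T09:15:10", "host": "ws07", "type": "service_stop",
     "service": "ExampleEDRAgent"},
    {"ts": "2026-05-12T09:40:00", "host": "ws01", "type": "service_stop",
     "service": "ExampleEDRAgent"},
    {"ts": "2026-05-12T10:00:00", "host": "ws09", "type": "driver_load",
     "path": r"C:\Windows\System32\drivers\newnic.sys", "sha256": "ff66", "signed": True},
]
BASELINE_HASHES = {"aa11"}               # drivers already known in this fleet (assumed)
SECURITY_SERVICES = {"ExampleEDRAgent"}  # placeholder agent service name
WINDOW = timedelta(minutes=10)           # correlation window (assumed)

def correlate(events, baseline=BASELINE_HASHES, services=SECURITY_SERVICES, window=WINDOW):
    """Flag first-seen driver loads; escalate when a security service stops soon after."""
    findings, recent = [], {}  # recent: host -> [(load time, driver path)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "driver_load" and ev["sha256"] not in baseline:
            # A valid signature is deliberately not treated as exculpatory:
            # BYOVD drivers are legitimately signed.
            recent.setdefault(ev["host"], []).append((ts, ev["path"]))
            findings.append({"host": ev["host"], "severity": "review",
                             "driver": ev["path"], "stopped": None})
        elif ev["type"] == "service_stop" and ev["service"] in services:
            for loaded_at, path in recent.get(ev["host"], []):
                if timedelta(0) <= ts - loaded_at <= window:
                    findings.append({"host": ev["host"], "severity": "high",
                                     "driver": path, "stopped": ev["service"]})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The agent stop on ws01 raises nothing on its own because no unfamiliar driver preceded it; in practice that event would feed a separate agent-health rule.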

How are ransomware groups using post-quantum cryptography?

As predicted, advanced ransomware groups began incorporating post-quantum cryptography in 2025. Quantum-resistant encryption makes data decryption nearly impossible even with future quantum computers. One example is the PE32 ransomware family, which uses the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard. This key-encapsulation scheme ensures that victims cannot decrypt files without paying the ransom, regardless of computing power. The adoption of such algorithms signals a new level of sophistication, forcing organizations to rethink their data recovery strategies and invest in proactive protections rather than relying on decryption tools.


What role do initial access brokers play in the ransomware ecosystem?

Initial access brokers continue to be a critical component of the ransomware supply chain. These brokers specialize in gaining and selling access to corporate networks. In 2026, they have increased their focus on RDWeb (Remote Desktop Web Access) as the preferred method of remote access. This shift reflects the growth of remote work and the ease of exploiting misconfigured or unpatched RDWeb portals. By purchasing access from brokers, ransomware operators can skip the initial reconnaissance phase and launch attacks more efficiently. This market remains highly active, with constant changes in threat actor groups and access pricing.

Are there encryptionless extortion attacks in 2026?

Yes, as ransom payments decline, some ransomware groups have adopted encryptionless extortion strategies. Instead of encrypting files, they steal sensitive data and threaten to leak it publicly unless a ransom is paid. This approach lowers the technical barrier for attackers and can increase pressure on victims, particularly those in industries with strict data privacy regulations. Encryptionless extortion also reduces the risk of detection, as there is no noticeable encryption process. It represents a tactical shift that complements traditional ransomware, giving groups more flexibility in extorting victims.

Which industries are most affected by ransomware losses?

Manufacturing stands out as the hardest-hit sector, with losses exceeding $18 billion in the first three quarters of 2025, according to joint research by Kaspersky and VDC Research. Other industries such as healthcare, finance, and critical infrastructure also face high risk. The manufacturing sector's reliance on operational technology (OT) and supply chain integration makes it particularly vulnerable. Ransomware disruptions can halt production lines, leading to massive revenue losses and reputational damage. As operators continue to refine their tactics, organizations in all sectors must prioritize ransomware preparedness and defense-in-depth strategies.
