Kaspersky's 2026 ransomware threat report highlights three major trends: the rise of EDR-killing tools using BYOVD techniques, the emergence of post-quantum cryptography in ransomware (notably the PE32 family using ML-KEM/Kyber1024), and a growing shift toward encryptionless extortion where attackers steal data rather than encrypt it. Ransom payments dropped to 28% in 2025, pushing groups toward pure data-leak extortion models. Initial access brokers continue industrializing access sales, with RDWeb portals becoming a preferred target. Qilin emerged as the dominant RaaS group in 2025 after RansomHub went dormant. Law enforcement seized several dark web forums including RAMP and LeakBase. The report concludes with recommendations covering patch management, remote access hardening, EDR deployment, network segmentation, and offline backups.

13m read time. From securelist.com
Table of contents
Ransomware attacks decline but remain a major threat
The continued rise of EDR killers and defense evasion tooling
The appearance of new families adopting post-quantum cryptography
The shift to encryptionless extortion
Industrialization of initial access (Access-as-a-Service)
Ransomware developments on the dark web
Law enforcement actions
Top ransomware groups in 2025
New actors in 2026
Conclusion and protection recommendations
