Ransomware in 2026: Key Threats and Trends Revealed

On International Anti-Ransomware Day, Kaspersky released its annual report on the evolving ransomware landscape. Despite a slight decline in attacks, ransomware remains a persistent and adaptive threat in 2026. New families are emerging with post-quantum cryptography, some groups shift to encryptionless extortion, and initial access brokers increasingly target RDWeb. Below, we answer the most pressing questions about the state of ransomware this year.

What is the overall state of ransomware in 2026?

Ransomware is still one of the most persistent and adaptive cyberthreats. In 2026, new families continue to appear, now adopting post-quantum ciphers to resist decryption. At the same time, as ransom payments drop, some groups have turned to encryptionless extortion attacks, threatening to leak data rather than lock it. The ecosystem of threat actors remains dynamic, with initial access brokers playing a key role by focusing on RDWeb as the preferred remote access method. While the number of organizations affected has slightly decreased compared to 2025, the threat level remains high due to refined tactics and increased operational efficiency.

Source: securelist.com

How have ransomware attack rates changed regionally?

According to Kaspersky Security Network data, the share of organizations hit by ransomware declined in every region during 2025 versus the previous year. However, despite this formal decrease, businesses across all sectors still face a high likelihood of attack. Ransomware operators have simply become more efficient, scaling their operations while honing their methods. The regional differences are narrowing, meaning no area is safe. The key takeaway: the drop in figures should not breed complacency—the threat is evolving, not disappearing.

What are the financial impacts, especially in manufacturing?

The manufacturing sector has been hit especially hard. A joint study by Kaspersky and VDC Research estimates that ransomware attacks caused over $18 billion in losses in just the first three quarters of the year. This staggering figure highlights how targeted and damaging these attacks have become. Production lines, supply chains, and intellectual property are all at risk. The financial toll goes beyond ransom payments, encompassing downtime, recovery costs, and reputational damage. As attackers refine their tactics, manufacturing remains a prime target due to its high disruption potential and critical infrastructure dependencies.

Why are EDR killers becoming a standard tool for ransomware operators?

In 2026, ransomware groups are increasingly prioritizing the neutralization of endpoint defenses before deploying their payloads. Tools known as EDR killers have become a standard component of attack playbooks. These tools exploit trusted components—like signed drivers—using the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate security processes and disable monitoring agents. Evasion is no longer opportunistic; it is a planned, repeatable phase of the attack lifecycle. Organizations now face the dual challenge of detecting ransomware while maintaining control in environments where security controls themselves are actively targeted.
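One way to hunt for the sequence described above, as an added example that is not from the Kaspersky report: correlate a driver load that is outside the fleet baseline with the termination of a security agent on the same host shortly afterwards. The events are constructed and simplified from Sysmon-style telemetry (Event ID 6 for driver loads, Event ID 5 for process termination); host names, driver names, the agent name, the baseline and the 120-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, drivers and agent name).
# id 6 = driver loaded, id 5 = process terminated (Sysmon numbering).
EVENTS = [
    {"ts": "2026-05-12T09:00:00", "host": "ws-01", "id": 6, "image": r"C:\Windows\System32\drivers\netadp.sys"},
    {"ts": "2026-05-12T09:14:02", "host": "ws-01", "id": 6, "image": r"C:\Users\Public\oldvendor.sys"},
    {"ts": "2026-05-12T09:14:09", "host": "ws-01", "id": 5, "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"ts": "2026-05-12T09:20:00", "host": "ws-02", "id": 6, "image": r"C:\Windows\System32\drivers\netadp.sys"},
    {"ts": "2026-05-12T11:30:00", "host": "ws-02", "id": 5, "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"ts": "2026-05-12T11:31:00", "host": "ws-03", "id": 5, "image": r"C:\Windows\notepad.exe"},
]

BASELINE_DRIVERS = {"netadp.sys"}        # drivers expected in this fleet (assumed)
SECURITY_PROCESSES = {"edr_agent.exe"}   # agent processes to watch (assumed)
WINDOW = timedelta(seconds=120)          # correlation window (assumed)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_edr_kill_candidates(events, baseline=BASELINE_DRIVERS,
                             watched=SECURITY_PROCESSES, window=WINDOW):
    """Return alerts where an unbaselined driver load is followed, on the
    same host and within `window`, by termination of a watched process."""
    recent_loads = {}  # host -> list of (load time, driver path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        name = basename(ev["image"])
        if ev["id"] == 6 and name not in baseline:
            recent_loads.setdefault(ev["host"], []).append((ts, ev["image"]))
        elif ev["id"] == 5 and name in watched:
            for load_ts, driver in recent_loads.get(ev["host"], []):
                if timedelta(0) <= ts - load_ts <= window:
                    alerts.append({"host": ev["host"], "driver": driver,
                                   "killed": name,
                                   "delay_s": int((ts - load_ts).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_edr_kill_candidates(EVENTS):
        print(alert)
```

Because the agent itself is the target, this correlation is only useful when it runs on telemetry forwarded off the host, where a missing heartbeat from the agent can also be treated as a signal.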

How are ransomware groups adopting post-quantum cryptography?

As predicted, advanced ransomware groups have started using post-quantum cryptography in 2025–2026. This quantum-resistant encryption is designed to withstand decryption attempts from both classical and quantum computers, making it nearly impossible for victims to recover data without paying. A notable example is the PE32 ransomware family, which uses the cutting-edge ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard. This evolution forces defenders to rethink recovery strategies, as traditional decryption tools become obsolete against such ciphers. The race between quantum computing and cyber extortion is accelerating.

What role do initial access brokers play in 2026?

Initial access brokers (IABs) remain a critical cog in the ransomware ecosystem. In 2026, they have shifted their focus to RDWeb, a remote desktop gateway, as the preferred method for gaining entry into corporate networks. By selling pre‑compromised access, IABs enable ransomware groups to bypass the initial breach phase, making attacks faster and more targeted. This specialization fuels a constantly changing threat landscape where the lines between different actors blur. As more organizations rely on remote access solutions, the demand for RDWeb‑related access is expected to grow, posing new challenges for security teams.
