Ransomware in 2026: Evolution, Evasion, and Extortion Tactics

As we mark International Anti-Ransomware Day on May 12, the threat landscape for 2026 presents a mixed picture. The share of organizations hit has dipped compared with previous years, yet ransomware remains a persistent and adaptive menace. Groups are refining their methods: adopting post-quantum cryptography, buying footholds from initial access brokers who increasingly trade in RDWeb access, and moving toward encryptionless extortion as ransom payments fall. The following Q&A walks through these trends, drawing on Kaspersky's latest annual ransomware report, published on Securelist.

1. What is the overall state of ransomware in 2026?

Ransomware continues to be one of the most persistent cyberthreats, despite a notable decline in the share of organizations affected in 2025 compared with 2024, a drop that Kaspersky Security Network observed across all regions. The drop does not signal the end of the threat. Operators are running fewer but more efficient campaigns and refining their tactics, and the cost remains high: the manufacturing sector alone lost over $18 billion to ransomware attacks in the first three quarters of that year, according to data from Kaspersky and VDC Research. The threat stays severe because cybercriminals are adapting, adopting new encryption schemes, exploiting exposed remote access services, and investing in defense-evasion tooling so that an attack completes once a foothold is gained.

Image source: securelist.com

2. Why are ransomware attacks declining yet still considered dangerous?

The decline in the percentage of affected organizations does not mean ransomware is less dangerous—it reflects a shift in attacker strategy. Groups are now focusing on quality over quantity, targeting high-value victims with more sophisticated, hands-on intrusions. They invest time in understanding their targets' defenses, often spending weeks mapping networks before deploying ransomware. This methodical approach makes each attack more likely to succeed and cause severe damage. Additionally, the rise of defense-evasion tools, such as EDR killers, allows attackers to bypass security controls, making detection harder. As a result, while fewer organizations may face an attack, those that do encounter a more devastating and harder-to-mitigate incident.

3. How are ransomware operators evading defenses in 2026?

In 2026, neutralizing endpoint defenses has become a standard step before the ransomware payload runs. Attackers use so-called “EDR killers” to terminate security processes and disable monitoring agents. A common technique is Bring Your Own Vulnerable Driver (BYOVD): the attacker drops a legitimately signed but vulnerable driver, loads it, and abuses its flaws to execute with kernel privileges, from where protected security processes can be killed and the sensor's kernel callbacks removed. Because the driver carries a valid signature, the load itself looks like routine system activity while visibility is gradually degraded. Evasion is no longer opportunistic; it is a planned, repeatable phase of the attack lifecycle. Organizations therefore face the challenge of maintaining control in environments where their own security tools are actively targeted and dismantled. Practical countermeasures include enforcing Microsoft's vulnerable driver blocklist, alerting on driver loads from unusual paths (Sysmon Event ID 6 records every driver load with its hash and signer), treating the termination or unload of a security agent as a high-severity event, and pairing all of this with proactive threat hunting and behavioral detection.
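The following is an added example, not code from Kaspersky or the report, showing the detection logic the paragraph calls for: it parses Sysmon Event ID 6 records in the XML rendering Sysmon writes to the event log, matches the loaded driver against a blocklist of known-vulnerable driver hashes and filenames, and flags loads from outside the standard driver directories. The two events and both blocklist entries are constructed (the hashes are placeholders, the vendor name is fictitious). One caveat the lead-in must carry: the hashes in Microsoft's WDAC driver block rules are Authenticode hashes, so a real blocklist for this kind of matching has to hold flat-file SHA256 values, which is what Sysmon's Hashes field reports.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) XML.

Added example for this article, not code from Kaspersky or the report.
Events and blocklist entries are constructed; the hashes are placeholders.
A real blocklist must carry flat-file SHA256 values (as Sysmon reports them):
the hashes in Microsoft's WDAC driver block rules are Authenticode hashes and
will not match Sysmon's Hashes field directly.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed blocklist. Keys are flat-file SHA256 in uppercase hex.
VULN_SHA256 = "11" * 32      # placeholder hash standing for a known-vulnerable driver
BENIGN_SHA256 = "AA" * 32    # placeholder hash standing for a stock Windows driver
BLOCKED_SHA256 = {VULN_SHA256: "example-vuln.sys (constructed entry)"}
# Original filenames of drivers abused in BYOVD regardless of version.
BLOCKED_NAMES = {"example-vuln.sys"}

# Drivers legitimately live here; a load from anywhere else deserves a look.
TRUSTED_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System32\\(drivers|DriverStore)\\",
                         re.IGNORECASE)

# Two constructed events in the EVTX XML rendering Sysmon produces. The second
# driver is validly signed: BYOVD relies on exactly that, so signature status
# alone is not a usable signal.
SYSMON_XML = rf"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2026-05-12 09:14:02.117</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\disk.sys</Data>
    <Data Name="Hashes">SHA256={BENIGN_SHA256}</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2026-05-12 09:21:44.902</Data>
    <Data Name="ImageLoaded">C:\ProgramData\svc\example-vuln.sys</Data>
    <Data Name="Hashes">SHA256={VULN_SHA256}</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example Vendor Ltd</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
</Events>
"""


def parse_driver_loads(xml_text: str) -> list[dict]:
    """Return the EventData of every Event ID 6 record as a Name -> value dict."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "6":
            continue
        records.append({d.get("Name"): (d.text or "")
                        for d in ev.findall("e:EventData/e:Data", EVT_NS)})
    return records


def parse_hashes(field: str) -> dict:
    """'SHA1=..,SHA256=..' -> {'SHA1': '..', 'SHA256': '..'}, values uppercased."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().upper() for k, v in pairs}


def findings_for(rec: dict) -> list[str]:
    """Apply the four checks to one DriverLoad record."""
    path = rec.get("ImageLoaded", "")
    base = path.rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(rec.get("Hashes", "")).get("SHA256")
    out = []
    if sha256 in BLOCKED_SHA256:
        out.append("known-vulnerable-driver-hash")
    if base in BLOCKED_NAMES:
        out.append("known-abused-driver-name")
    if not TRUSTED_DIR.match(path):
        out.append("nonstandard-load-path")
    if rec.get("SignatureStatus", "").lower() != "valid":
        out.append("signature-not-valid")
    return sorted(out)


def scan(xml_text: str = SYSMON_XML) -> dict[str, list[str]]:
    """Map each suspicious driver path to its findings; clean loads are omitted."""
    return {r["ImageLoaded"]: f for r in parse_driver_loads(xml_text)
            if (f := findings_for(r))}


if __name__ == "__main__":
    for path, why in scan().items():
        print(path, "->", ", ".join(why))
```

Running it flags only the second load, on three counts (blocklisted hash, blocklisted name, loaded from `C:\ProgramData`), while the stock `disk.sys` load produces nothing. The path check is the one that still fires when an attacker brings a driver that is not yet on any list, which is why it belongs alongside hash matching rather than instead of it.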

4. What is post-quantum cryptography, and how are ransomware groups using it?

Post-quantum cryptography refers to encryption algorithms designed to resist attacks from both classical and quantum computers. In 2025, as predicted, advanced ransomware groups began adopting these standards. One notable example is the PE32 ransomware family, which uses ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, the standard NIST published as FIPS 203) to protect its file-encryption keys. Decryption without the attacker's private key is therefore infeasible for law enforcement and security firms alike, and will remain so even if quantum computers capable of breaking the RSA or elliptic-curve key exchange used by older families ever arrive. Two points of perspective for defenders: correctly implemented classical hybrid schemes were already unbreakable in practice, and the decryptors that have appeared over the years came from implementation mistakes and from seized or leaked keys, not from breaking the cipher. A move to ML-KEM closes the hypothetical quantum route but changes neither of those realistic ones. Victims still face a stark choice: pay the ransom or lose their data. This trend underscores the importance of offline backups and robust incident response plans.
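To make concrete why the operator's private key is the only way back, here is an added example (not PE32 code, and not the report's) of the key hierarchy a KEM gives a ransomware payload. ML-KEM is replaced by a hashed Diffie-Hellman stand-in over a small, publicly known prime so the block runs on the Python standard library alone, and AES is replaced by a SHA-256 counter-mode keystream; both are toys, and the group size is far too small for real use. What carries over unchanged to ML-KEM is the structure: the payload embeds only the operator's public key, encapsulates a fresh key for every file, and discards it, so neither the binary nor the encrypted files contain anything the operator's private key is not needed to unlock.

```python
"""A KEM-based file-encryption key hierarchy of the kind ransomware uses.

Added example for this article; it is not PE32 code and does not use ML-KEM.
The KEM is a hashed Diffie-Hellman stand-in over a small, publicly known prime
so the block runs on the standard library alone, and the file cipher is a
SHA-256 counter-mode keystream XORed over the data. Both are toys standing in
for ML-KEM and AES. The structure is what matters: the operator's public key is
the only key material inside the payload, every file key is encapsulated to it,
and only the operator's private key, which never touches the victim host, can
recover those keys.
"""
import hashlib
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1   # M127 is prime, but a 127-bit group is a toy, not a real choice
G = 5                # base element; adequate for illustrating the flow


def kem_keygen() -> tuple[int, int]:
    """Operator runs this once, offline. Returns (secret_key, public_key)."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)


def _kdf(shared: int, encapsulation: int) -> bytes:
    # Bind the derived key to the encapsulation, as real KEMs do.
    return hashlib.sha256(shared.to_bytes(16, "big")
                          + encapsulation.to_bytes(16, "big")).digest()


def kem_encapsulate(pk: int) -> tuple[int, bytes]:
    """Victim side: needs only pk. Returns (encapsulation, fresh 32-byte key)."""
    r = secrets.randbelow(P - 3) + 2
    encapsulation = pow(G, r, P)
    return encapsulation, _kdf(pow(pk, r, P), encapsulation)


def kem_decapsulate(sk: int, encapsulation: int) -> bytes:
    """Operator side: recovers the same key from the encapsulation."""
    return _kdf(pow(encapsulation, sk, P), encapsulation)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || nonce || counter) keystream XORed in."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass
class EncryptedFile:
    encapsulation: int   # stored with the file; useless without the operator's sk
    nonce: bytes
    body: bytes


def encrypt_file(operator_pk: int, plaintext: bytes) -> EncryptedFile:
    """What the payload does per file. The file key exists only transiently here."""
    encapsulation, file_key = kem_encapsulate(operator_pk)
    nonce = secrets.token_bytes(12)
    return EncryptedFile(encapsulation, nonce, stream_xor(file_key, nonce, plaintext))


def decrypt_file(operator_sk: int, ef: EncryptedFile) -> bytes:
    """What the operator's decryptor does after payment."""
    file_key = kem_decapsulate(operator_sk, ef.encapsulation)
    return stream_xor(file_key, ef.nonce, ef.body)


def demo() -> tuple[bytes, bytes, bytes]:
    operator_sk, operator_pk = kem_keygen()     # generated offline by the operator
    embedded_pk = operator_pk                   # the only key that ships in the binary
    original = b"constructed sample document contents for the demo"
    ef = encrypt_file(embedded_pk, original)
    recovered = decrypt_file(operator_sk, ef)   # the operator can always decrypt
    wrong_sk, _ = kem_keygen()                  # a defender with the binary has pk, not sk
    garbage = decrypt_file(wrong_sk, ef)
    return original, recovered, garbage


if __name__ == "__main__":
    o, r, g = demo()
    print("operator decrypts:", r == o, "| without operator sk:", g == o)
```

The defender-side lesson is in `demo()`: holding the sample (and thus `embedded_pk`) plus the encrypted file yields nothing, because `kem_decapsulate` is the only path to `file_key` and it needs `operator_sk`. The recoverable material, with this structure, is the file key while it is live in memory during encryption, or a defect in the implementation such as a predictable random source in `kem_encapsulate`; swapping the toy group for ML-KEM removes neither of those and adds nothing to them, which is why backups, not cryptanalysis, are the recovery plan.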


5. Why are some ransomware groups moving to encryptionless extortion?

As victims become more reluctant to pay ransoms, and as decryption tools improve, some ransomware groups are turning to encryptionless extortion. In these attacks, cybercriminals steal sensitive data but skip the encryption step, then threaten to publish the information unless a ransom is paid. This reduces the technical complexity of the attack, shortens the extortion cycle, and removes the risk that an encryption implementation is analyzed and broken. The shift reflects a broader trend toward pure data-theft extortion, which can be just as damaging to a business facing regulatory fines, reputational harm, or loss of intellectual property. Organizations must now prepare for breaches where data confidentiality, not just availability, is at stake: knowing where sensitive data lives and detecting bulk outbound transfers matter as much as having restorable backups.

6. What role do initial access brokers play, and why is RDWeb targeted?

Initial access brokers (IABs) remain key players in the ransomware ecosystem. They specialize in breaching networks or buying stolen credentials, then sell the resulting access to ransomware groups. In 2026, IABs have increasingly focused on access to RDWeb, the RD Web Access component of Microsoft Remote Desktop Services that lets users reach published desktops and applications from a browser. Because it is internet-facing by design and validates domain credentials through a web form, it is a natural target: attackers exploit weak or reused passwords, unpatched vulnerabilities, and misconfigurations to gain entry, then hand the access to ransomware operators, who deploy their payloads. This specialized market lowers the barrier to entry for cybercriminals and accelerates attacks. To counter it, organizations should enforce multi-factor authentication on every remote access portal, place RDWeb behind an RD Gateway or VPN rather than exposing it directly, keep it patched, and monitor for unusual logon patterns such as many failed logons against different accounts from a single source address.
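The monitoring this answer recommends is simple enough to show in full. The block below is an added example, not code from Kaspersky or the report: it runs two detections over a constructed authentication log, a password spray (one source address failing against many distinct accounts inside a sliding window, with any account that address later logged into) and a brute force that ends in success. The log format is an assumption and deliberately minimal; the four fields are what a Windows 4625/4624 event (IpAddress, TargetUserName) or a reverse proxy's access log in front of RDWeb would supply, and the thresholds are placeholders to tune against your own baseline.

```python
"""Spot password-spray and brute-force-then-success patterns in portal logons.

Added example for this article, not code from Kaspersky or the report. The log
below is constructed, and its four fields are the minimum any remote-access
portal log gives you: timestamp, source IP, target account, outcome (for
Windows that is events 4625/4624 with IpAddress and TargetUserName; for a
reverse proxy in front of RDWeb it is the access log). Thresholds are
assumptions; tune them to your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_DISTINCT_ACCOUNTS = 5   # distinct accounts failed from one IP inside WINDOW
BRUTE_FAILURES = 4            # failures on one account before a success
WINDOW = timedelta(minutes=10)

# Constructed sample log: "timestamp,src_ip,account,outcome"
SAMPLE_LOG = """\
2026-05-12T08:00:01Z,203.0.113.7,alice,FAIL
2026-05-12T08:00:04Z,203.0.113.7,bob,FAIL
2026-05-12T08:00:07Z,203.0.113.7,carol,FAIL
2026-05-12T08:00:10Z,203.0.113.7,dave,FAIL
2026-05-12T08:00:13Z,203.0.113.7,erin,FAIL
2026-05-12T08:00:16Z,203.0.113.7,frank,SUCCESS
2026-05-12T08:30:00Z,198.51.100.20,grace,FAIL
2026-05-12T08:31:00Z,198.51.100.20,grace,FAIL
2026-05-12T08:32:00Z,198.51.100.20,grace,FAIL
2026-05-12T08:33:00Z,198.51.100.20,grace,FAIL
2026-05-12T08:34:00Z,198.51.100.20,grace,SUCCESS
2026-05-12T09:00:00Z,192.0.2.5,heidi,FAIL
2026-05-12T09:05:00Z,192.0.2.5,heidi,SUCCESS
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, bool]]:
    """Return a time-sorted list of (time, src_ip, account, success)."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, outcome = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account.lower(), outcome == "SUCCESS"))
    return sorted(events)


def detect_spray(events) -> list[dict]:
    """One IP failing against many distinct accounts within WINDOW, plus any
    accounts that IP then logged into successfully (the likely compromise)."""
    fails_by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            fails_by_ip[ip].append((ts, account))
    alerts = []
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:   # slide the window
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= SPRAY_DISTINCT_ACCOUNTS:
                since = fails[start][0]
                succeeded = sorted({a for t, i, a, s in events
                                    if s and i == ip and t >= since})
                alerts.append({"type": "password-spray", "src_ip": ip,
                               "accounts": len(accounts), "then_succeeded": succeeded})
                break   # one alert per source IP
    return alerts


def detect_brute_then_success(events) -> list[dict]:
    """An account that fails repeatedly inside WINDOW and then succeeds."""
    recent_fail = defaultdict(list)
    alerts = []
    for ts, ip, account, ok in events:
        if not ok:
            recent_fail[account].append(ts)
            continue
        n = sum(1 for t in recent_fail[account] if ts - t <= WINDOW)
        if n >= BRUTE_FAILURES:
            alerts.append({"type": "brute-force-success", "account": account,
                           "src_ip": ip, "failures": n})
        recent_fail[account].clear()
    return alerts


def analyze(text: str = SAMPLE_LOG) -> list[dict]:
    events = parse_log(text)
    return detect_spray(events) + detect_brute_then_success(events)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

On the sample, `203.0.113.7` is reported as a spray across five accounts that then succeeded as `frank`, and `grace` is reported as a brute force that succeeded after four failures; `heidi`, with a single typo before logging in, is left alone. The spray detector keys on distinct accounts rather than raw failure counts because a low-and-slow spray stays under any per-account lockout threshold by design, which is also why per-account lockout alone is not a defense against it.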
