In 2025, the share of ransoms paid dropped to 28% — a single figure that, according to Kaspersky, helps explain why attackers are increasingly skipping encryption entirely and selling stolen data instead.
Ransomware attacks fell in 2025, yet damage and risk remain
Kaspersky reports that the share of organizations affected by ransomware decreased in 2025 across all regions compared to 2024, according to the Kaspersky Security Network. Still, the threat is far from over: attackers are refining tactics and operating more efficiently, and the business impact remains severe. Kaspersky and VDC Research estimate that ransomware attacks in the manufacturing sector alone may have caused over $18 billion in losses in the first three quarters of the year. The decline in reported incidents has not eliminated the high likelihood of attack for organizations across sectors.
Post-quantum ransomware: PE32, ML‑KEM and Kyber1024
Kaspersky documents the arrival of ransomware families that adopt post‑quantum cryptography. The PE32 family is singled out for leveraging the ML‑KEM (Module‑Lattice‑Based Key‑Encapsulation Mechanism) standard to protect AES keys, implementing the Kyber1024 algorithm to generate and transmit shared secrets. Kaspersky notes that this framework — Kyber1024 — provides Level 5 security roughly equivalent to AES‑256, and that the underlying cryptographic approach was recently selected by NIST as the primary standard for post‑quantum defense. The report also highlights that TLS 1.3 and QUIC protocols have already adopted the X25519Kyber768 hybrid model, reflecting a broader movement toward quantum‑resistant primitives in standard protocols.
EDR killers and BYOVD: defense evasion becomes a planned phase
Ransomware actors in 2026 increasingly prioritize neutralizing endpoint defenses before delivering payloads. Tools referred to as “EDR killers” are now a standard element of playbooks. Attackers attempt to terminate security processes and disable monitoring agents, often by exploiting trusted components such as signed drivers — a technique Kaspersky describes as Bring Your Own Vulnerable Driver (BYOVD). BYOVD allows adversaries to blend into legitimate system activity while degrading defensive visibility. In response, Kaspersky recommends enabling Microsoft’s Vulnerable Driver Blocklist for Windows environments, automating patch management, and deploying advanced EDR solutions (for example, Kaspersky NEXT EDR) to monitor for suspicious driver loading and process termination.
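The report's advice to watch for suspicious driver loading and security-process termination can be turned into a small correlation rule. The following is an added example, not code from Kaspersky or the report: it runs over constructed Sysmon-style telemetry (Event ID 6 = driver loaded, Event ID 5 = process terminated) and flags a blocklisted driver load, the termination of a protected security agent, and the two in close sequence, which is the BYOVD-then-kill pattern the text describes. The driver names, hashes, the blocklist contents and the agent process name are all placeholders.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon-style telemetry (Event ID 6 = driver loaded, 5 = process terminated).
# Driver names, hashes and the EDR process name are placeholders, not real indicators.
SAMPLE_EVENTS = """\
2026-02-10T09:14:02Z EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature="Microsoft Windows" Hashes=SHA256=PLACEHOLDER_OK_1
2026-02-10T09:15:40Z EventID=6 ImageLoaded=C:\\Users\\Public\\vuln_driver.sys Signed=true Signature="Some Vendor" Hashes=SHA256=PLACEHOLDER_BAD_1
2026-02-10T09:15:43Z EventID=5 Image="C:\\Program Files\\EDR\\edr_agent.exe" ProcessId=4112
2026-02-10T11:02:00Z EventID=5 Image=C:\\Windows\\notepad.exe ProcessId=6000
"""

# Placeholder standing in for a real feed such as Microsoft's Vulnerable Driver Blocklist.
DRIVER_BLOCKLIST = {"PLACEHOLDER_BAD_1"}
# Placeholder names of the security agents whose termination should raise an alert.
PROTECTED_PROCESSES = {"edr_agent.exe"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict; quoted values are unquoted."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def sha256_of(ev):
    """The Sysmon Hashes field looks like 'SHA256=...,MD5=...'; return the SHA256 part."""
    for part in ev.get("Hashes", "").split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):]
    return None


def detect(text, window=timedelta(minutes=5)):
    """Flag blocklisted driver loads, protected-process kills, and the two in sequence."""
    events = [parse_event(ln) for ln in text.splitlines() if ln.strip()]
    alerts, bad_loads = [], []
    for ev in events:
        if ev["EventID"] == "6" and sha256_of(ev) in DRIVER_BLOCKLIST:
            # A valid signature does not make the driver safe: that is the whole BYOVD point.
            alerts.append({"severity": "medium", "ts": ev["ts"],
                           "reason": f"blocklisted driver loaded: {ev['ImageLoaded']} (signed={ev['Signed']})"})
            bad_loads.append(ev["ts"])
        elif ev["EventID"] == "5" and PureWindowsPath(ev["Image"]).name.lower() in PROTECTED_PROCESSES:
            # Escalate when the kill follows a blocklisted driver load inside the window.
            sev = "high" if any(timedelta(0) <= ev["ts"] - t <= window for t in bad_loads) else "medium"
            alerts.append({"severity": sev, "ts": ev["ts"],
                           "reason": f"security process terminated: {ev['Image']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["severity"].upper(), a["reason"])
```

In production the blocklist would be fed from Microsoft's list or an equivalent source and the protected-process set from the EDR vendor's documented process names.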
Access‑as‑a‑service, RDWeb focus, and commoditization of initial access
The ransomware ecosystem remains highly industrialized. Initial access brokers (IABs) continue to sell pre‑compromised access — a model Kaspersky calls “access‑as‑a‑service.” The primary access vectors offered for sale are RDP, VPN, and RDWeb. As defenders have taken steps to reduce public RDP exposure, attackers have shifted toward RDWeb portals, which are frequently vulnerable and sometimes inadequately protected. The net effect: unauthorized access is commoditized, lowering the barrier to launch ransomware. Kaspersky stresses that preventing initial compromise alone is insufficient; organizations must also detect misuse of credentials, minimize lateral movement, and harden remote access (avoid direct internet exposure of RDP/RDWeb, use VPN or ZTNA, and adopt multi‑factor and continuous authentication).
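Detecting misuse of brokered or sprayed credentials on a remote-access entry point is one of the controls the text calls for. The following is an added example, not code from Kaspersky or the report: it runs over constructed, simplified Windows logon records (4625 = failed logon, 4624 = successful logon) and raises two kinds of alert, a source IP failing against many distinct accounts within a window (password spraying) and an account succeeding shortly after repeated failures from the same source. The filter on logon type 10 is an assumption for direct RDP sessions and would need adjusting for an RDWeb or VPN front end; the IPs and account names are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows logon-style records: (timestamp, event id, account, source ip, logon type).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    ("2026-03-01T02:00:01Z", 4625, "j.doe", "203.0.113.7", 10),
    ("2026-03-01T02:00:02Z", 4625, "a.smith", "203.0.113.7", 10),
    ("2026-03-01T02:00:03Z", 4625, "svc_backup", "203.0.113.7", 10),
    ("2026-03-01T02:00:04Z", 4625, "admin", "203.0.113.7", 10),
    ("2026-03-01T02:00:05Z", 4625, "m.lee", "203.0.113.7", 10),
    ("2026-03-01T02:00:06Z", 4625, "m.lee", "203.0.113.7", 10),
    ("2026-03-01T02:00:09Z", 4624, "m.lee", "203.0.113.7", 10),
    ("2026-03-01T08:30:00Z", 4624, "j.doe", "198.51.100.4", 10),
    ("2026-03-01T08:31:00Z", 4625, "j.doe", "198.51.100.4", 10),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_logons(records, window=timedelta(minutes=10), spray_accounts=5, burst_fails=2):
    """Return alerts for spraying (one IP, many accounts failing) and for a success
    that follows repeated failures from the same source within the window."""
    alerts, sprayed_ips = [], set()
    fails_by_ip = defaultdict(list)  # ip -> [(ts, account)] of recent failures
    for ts_s, eid, account, ip, ltype in sorted(records):  # ISO timestamps sort correctly
        ts = _ts(ts_s)
        if ltype != 10:  # assumption: only direct RDP sessions are in scope here
            continue
        recent = [(t, a) for t, a in fails_by_ip[ip] if ts - t <= window]
        fails_by_ip[ip] = recent
        if eid == 4625:
            recent.append((ts, account))
            distinct = {a for _, a in recent}
            if len(distinct) >= spray_accounts and ip not in sprayed_ips:
                sprayed_ips.add(ip)
                alerts.append({"type": "spray", "ip": ip, "accounts": len(distinct), "ts": ts})
        elif eid == 4624:
            prior = sum(1 for _, a in recent if a == account)
            if prior >= burst_fails or ip in sprayed_ips:
                alerts.append({"type": "success_after_failures", "ip": ip, "account": account,
                               "prior_failures": prior, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logons(SAMPLE_LOGONS):
        print(a)
```

The second alert type is the one worth routing to incident response: a success after a spray is what a freshly sold "access-as-a-service" foothold looks like from the defender's side.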
Dark‑web markets, law enforcement takedowns, and leading actors
Telegram channels and underground forums continue to distribute compromised datasets, access credentials, and even ransomware for sale. Kaspersky notes that law enforcement has made notable seizures: the RAMP forum was seized in January 2026 and LeakBase in March 2026. Earlier takedowns in 2025 included forums such as Nulled, Cracked, and XSS, and the data leak sites (DLSs) of BlackSuit and 8Base were seized. These disruptions cause friction for actor coordination, but Kaspersky expects similar forums to reemerge over time. On the operational side, Qilin became the dominant RaaS platform from Q2 2025, while Clop is identified for large‑scale supply‑chain style attacks and Akira for steady, consistent activity. RansomHub’s sudden dormancy in 2025 reshaped affiliate distribution, and actors such as DragonForce are described as exerting broader ecosystem influence. New entrants in 2026 include The Gentlemen — notable for targeted, professionalized operations that exploit FortiOS/FortiProxy, SonicWall VPN, and Cisco ASA appliances, and that emphasize data‑centric extortion over blunt encryption. Other emerging names flagged by Kaspersky include Devman, MintEye, DireWolf, NightSpire, Vect, Tengu, and Kazu.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: prioritize patching and automated vulnerability management, enable Microsoft’s Vulnerable Driver Blocklist in Windows, deploy advanced EDR to detect driver loading and process termination, and implement network segmentation and session logging.
- Policymakers and law enforcement: takedowns of forums and DLSs (for example, RAMP and LeakBase) disrupt actor coordination, but Kaspersky cautions that similar markets may reappear — sustained disruption and international cooperation will be required to keep pressure on infrastructure.
- Affected enterprises and procurement leaders: assume backups alone do not solve the problem as attackers move to encryptionless extortion; maintain offline or immutable backups, test incident response plans, monitor for credential exposure in underground channels, and avoid paying ransoms when alternatives exist. Kaspersky also points to free decryptors it provides for certain families as a resource after an incident.
Ransomware in 2026, as Kaspersky lays out, is a study in adaptation: operators are shifting from noisy, encryption‑first disruption to stealthy, data‑focused monetization while simultaneously upgrading cryptography to resist future decryption attempts. The practical implication is clear — technical hardening, credential hygiene, layered detection, and tested recovery plans are no longer optional. For organizations that until now framed ransomware as primarily a continuity problem, Kaspersky’s findings demand a recalibration: this is now equally a data‑security and compliance crisis.