Key Takeaways
- Ransomware attacks in 2026 hit fewer organizations overall, but the groups that remain active are running more targeted, lucrative campaigns.
- Endpoint Detection and Response (EDR) killers have become a standard early‑stage step; attackers frequently use “Bring Your Own Vulnerable Driver” (BYOVD) to silence security tools before payload execution.
- Qilin now tops the ransomware‑group rankings, followed by Clop (supply‑chain focus) and Akira (steady output).
- A growing share of groups have abandoned encryption, relying instead on data‑leak extortion; this shortens dwell time and makes backup‑only recovery ineffective.
- New ransomware families are experimenting with post‑quantum key‑encryption (e.g., ML‑KEM/Kyber1024), meaning decryption without the attacker’s key is practically impossible today.
- Initial access remains dominated by RDP, VPN, and RDWeb, supplied via an access‑as‑a‑service market; defending against credential misuse and lateral movement is as crucial as blocking the entry point.
- The decisive defensive moment is the loss of telemetry from security agents; detecting an EDR‑kill event early can contain the attack before encryption begins.
Overview of Ransomware Trends in 2026
Kaspersky’s annual State of Ransomware report, released around International Anti‑Ransomware Day on May 12, shows a counter‑intuitive picture: while the share of organizations hit by ransomware has declined compared with 2024 across every measured region, the financial impact remains severe. In manufacturing alone, Kaspersky and VDC Research estimate losses exceeding US $18 billion for the first three quarters of 2025. The decline in incident frequency is offset by the sophistication and profitability of the campaigns that do succeed, indicating a shift from volume‑based to precision‑based extortion.
EDR Kill Techniques and the Rise of BYOVD
A central theme of the 2026 report is the maturation of defense‑evasion tooling. EDR killers—utilities designed to terminate endpoint monitoring before the ransomware payload runs—are now a planned, repeatable phase in attacker playbooks. The most common implementation is Bring Your Own Vulnerable Driver (BYOVD): threat actors load a legitimate‑looking, digitally signed kernel driver that contains a known exploitable flaw. Once the driver is in kernel space, it can disable security processes from inside the operating system’s trusted boundary, causing the defender’s monitoring console to go dark just minutes before encryption starts. This transforms the remediation question from “can we restore from backup?” to “did anyone notice the agent stopped reporting?”
Threat Actor Landscape: Qilin, Clop, and Akira
The report details a reshuffling of the ransomware‑group hierarchy. Qilin ascended to the top spot in 2025 after RansomHub went dormant, leveraging a high‑volume affiliate model that depends on scalable evasion playbooks. Clop holds second place through its signature supply‑chain strategy, compromising file‑transfer and enterprise‑software providers to achieve one‑to‑many infections. Akira ranks third, noted for maintaining consistent output without the operational turbulence that fragmented several rival groups. These groups illustrate how specialization—whether in affiliate scaling, supply‑chain exploitation, or steady execution—drives success in the current ransomware ecosystem.
Encryption‑Less Extortion and the Decline of Payment Rates
With ransom payment rates falling to just 28 % in 2025, several actors have abandoned encryption altogether, opting for encryption‑less extortion. Groups such as ShinyHunters monetize solely via data‑leak sites; the mere threat of exposing stolen information serves as the ransom. This approach shortens dwell time, shrinks the detection window, and neutralizes traditional backup‑based recovery, because backups protect against file destruction but not against regulatory penalties, reputational harm, or legal liability stemming from a data breach. The trend underscores that defenders must now guard against data exfiltration as rigorously as they guard against file encryption.
Post‑Quantum Encryption Experiments in Ransomware
A forward‑looking development highlighted in the report is the adoption of post‑quantum cryptography by emerging ransomware families. The PE32 family, for example, has begun encrypting AES keys with the National Institute of Standards and Technology’s ML‑KEM (Module‑Lattice‑Based Key‑Encapsulation Mechanism), specifically the Kyber1024 algorithm, which provides NIST Security Level 5—resistance against both classical and future quantum attacks. The practical implication is stark: organizations cannot rely on a future cryptanalytic breakthrough to recover files encrypted by these strains. The only viable defense is to prevent the ransomware from reaching the encryption stage in the first place, reinforcing the importance of early detection and blocking.
Initial Access Vectors Remain Unchanged
Despite evolutions in evasion and monetization, the entry point for ransomware has stayed consistent. Kaspersky identifies RDP, VPN, and RDWeb as the top three access vectors purchased from initial access brokers. RDWeb has gained particular attention as organizations have hardened direct RDP exposure to the internet, pushing attackers toward the web‑based gateway. The access‑as‑a‑service market commoditizes the hardest part of an intrusion—gaining a foothold—allowing ransomware operators to focus on post‑compromise activities such as lateral movement, credential theft, and defense evasion. Consequently, preventing initial compromise is only one half of the defensive equation; detecting misuse of legitimate credentials and restricting lateral movement are equally vital.
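The paragraph above argues that blocking the entry point is only half the job: the same credentials bought from an access broker are then reused for lateral movement. The following is an added example, not code from the Kaspersky report, of two simple detections a defender can run over logon telemetry: an account fanning out to many hosts over network logons within a short window, and a remote‑interactive logon arriving from a source address outside the account's baseline. The record layout, host names, accounts, addresses and thresholds are constructed for illustration; only the Windows event id 4624 and logon types 3 (network) and 10 (RemoteInteractive) that the records are modelled on are real values.

```python
"""Detect credential misuse after a remote-access foothold.

Added example, not from the Kaspersky report. Records are modelled on
Windows event 4624 with logon type 3 (network) and 10 (RemoteInteractive);
every host, account, address and threshold below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source_ip, target_host, logon_type)
SAMPLE_EVENTS = [
    ("2026-03-02T02:10:00", "jdoe",   "203.0.113.7", "rdgw01",   10),  # remote session via gateway
    ("2026-03-02T02:12:00", "jdoe",   "10.0.5.21",   "fs01",     3),
    ("2026-03-02T02:12:30", "jdoe",   "10.0.5.21",   "fs02",     3),
    ("2026-03-02T02:13:00", "jdoe",   "10.0.5.21",   "sql01",    3),
    ("2026-03-02T02:13:20", "jdoe",   "10.0.5.21",   "dc01",     3),
    ("2026-03-02T02:14:00", "jdoe",   "10.0.5.21",   "backup01", 3),
    ("2026-03-02T09:05:00", "asmith", "10.0.7.40",   "fs01",     3),   # normal daytime use
    ("2026-03-02T09:30:00", "asmith", "10.0.7.40",   "fs02",     3),
]

# Constructed baseline of source addresses each account normally logs on from.
KNOWN_SOURCES = {"jdoe": {"10.0.5.21"}, "asmith": {"10.0.7.40"}}
FANOUT_WINDOW = timedelta(minutes=10)   # sliding window for counting distinct targets
FANOUT_HOSTS = 4                        # distinct hosts inside the window that trigger a finding


def detect_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_HOSTS):
    """Return {account: sorted hosts} for accounts whose network logons reach
    at least `threshold` distinct hosts within any `window`-long span."""
    by_account = defaultdict(list)
    for ts, acct, _src, host, ltype in events:
        if ltype == 3:
            by_account[acct].append((datetime.fromisoformat(ts), host))
    findings = {}
    for acct, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            # every logon from t0 forward that still falls inside the window
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                findings[acct] = sorted(hosts)
                break
    return findings


def detect_new_remote_source(events, known=KNOWN_SOURCES):
    """Return (account, source_ip, host) for RemoteInteractive logons whose
    source address is not in that account's baseline."""
    return [(acct, src, host) for _, acct, src, host, ltype in events
            if ltype == 10 and src not in known.get(acct, set())]


if __name__ == "__main__":
    print("fan-out:", detect_fanout(SAMPLE_EVENTS))
    print("unusual remote source:", detect_new_remote_source(SAMPLE_EVENTS))
```

On the constructed data, the two checks fire on the same account a few minutes apart: a gateway logon from an unfamiliar address, then five distinct servers touched over network logons inside two minutes. Correlating those two findings per account is what turns a generic alert into a lateral‑movement alert; the thresholds are deliberately simple and would be tuned against each environment's own baseline.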
Defensive Implications: Monitoring Integrity Over Backup Reliance
The report's case study of a mid‑market manufacturer whose EDR agent fell silent on a domain controller illustrates the new defensive priority. By the time a responder arrived, the EDR process had been replaced by a malicious kernel driver, and the attack was already in its third hour. The agent‑kill event was the moment the intrusion was still containable; once encryption launched, containment became far more difficult. This underscores that the defender’s response in 2026 is no longer primarily a recovery question (“Can we restore from backup?”) but a monitoring‑integrity problem. Security teams must invest in telemetry‑health checks, anomaly‑based detection of agent tampering, and rapid response playbooks that trigger when endpoint reporting ceases. Complementary controls—such as privileged‑access management, network segmentation, and behavioral analytics for lateral movement—remain essential to catch the attack after the initial evasion phase but before data is encrypted or exfiltrated.
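The BYOVD section and the case study above both come down to one detectable moment: a security agent stops reporting shortly after a kernel driver is loaded. The following telemetry‑health check is an added example, not code from the Kaspersky report or from any EDR vendor. It reads constructed agent‑heartbeat and driver‑load lines, flags hosts that have missed more than a set number of heartbeats, and raises the severity when a driver load landed just before the silence. The log format, host names, the driver name `example_vuln.sys`, the interval and the thresholds are all assumptions made for the example.

```python
"""Telemetry-health check: flag endpoints whose EDR agent has gone quiet and
correlate the silence with a kernel-driver load shortly before it.

Added example, not from the Kaspersky report or any vendor. The line format,
hosts, driver name and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line:
#   <ISO timestamp> <event> host=<name> [driver=<file>]
SAMPLE_LOG = """\
2026-03-02T09:00:00 heartbeat host=dc01
2026-03-02T09:00:00 heartbeat host=ws17
2026-03-02T09:01:00 heartbeat host=dc01
2026-03-02T09:01:00 heartbeat host=ws17
2026-03-02T09:01:30 driver_load host=dc01 driver=example_vuln.sys
2026-03-02T09:02:00 heartbeat host=ws17
2026-03-02T09:03:00 heartbeat host=ws17
2026-03-02T09:04:00 heartbeat host=ws17
2026-03-02T09:05:00 heartbeat host=ws17
2026-03-02T09:06:00 heartbeat host=ws17
"""

HEARTBEAT_INTERVAL = timedelta(minutes=1)   # how often a healthy agent reports
MISSED_BEATS_ALERT = 3                      # silence longer than this many intervals alerts
DRIVER_WINDOW = timedelta(minutes=10)       # driver load this close to the silence is suspicious


def parse_line(line):
    """Split '<ts> <event> k=v k=v' into a dict with a datetime timestamp."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def check_telemetry(log_text, now_iso):
    """Return {host: alert} for every host whose last heartbeat is older than
    MISSED_BEATS_ALERT intervals as of `now_iso`. Hosts that never reported
    are not tracked here; an inventory comparison would cover those."""
    now = datetime.fromisoformat(now_iso)
    last_beat = {}
    driver_loads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "heartbeat":
            host = rec["host"]
            if host not in last_beat or rec["ts"] > last_beat[host]:
                last_beat[host] = rec["ts"]
        elif rec["event"] == "driver_load":
            driver_loads[rec["host"]].append((rec["ts"], rec["driver"]))

    alerts = {}
    for host, last in last_beat.items():
        silence = now - last
        if silence > HEARTBEAT_INTERVAL * MISSED_BEATS_ALERT:
            # any driver loaded in the window leading up to and after the last beat
            recent = [d for t, d in driver_loads[host] if last - DRIVER_WINDOW <= t <= now]
            alerts[host] = {
                "silent_seconds": int(silence.total_seconds()),
                "drivers_before_silence": recent,
                "severity": "critical" if recent else "high",
            }
    return alerts


if __name__ == "__main__":
    for host, alert in check_telemetry(SAMPLE_LOG, "2026-03-02T09:06:00").items():
        print(host, alert)
```

Run against the constructed log at 09:06, `dc01` has been silent for five minutes with a driver load thirty seconds after its last heartbeat, so it is reported as critical, while `ws17` is healthy. In a real deployment the driver names would be compared against a maintained list such as Microsoft's recommended driver block rules, and a critical finding on a domain controller would trigger the isolation playbook rather than a ticket.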
Conclusion
Kaspersky’s 2026 State of Ransomware report paints a landscape where fewer infections coexist with higher‑impact, more methodical operations. EDR killing via BYOVD has become a routine prelude to ransomware execution, while encryption‑less extortion and post‑quantum key encryption push defenders toward prevention rather than recovery. The persistent reliance on RDP/VPN/RDWeb for initial access highlights the enduring value of securing remote‑entry points and monitoring credential use. Ultimately, the ability to detect and respond to the loss of security‑agent telemetry may be the decisive factor that separates a containable incident from a costly, large‑scale ransomware disaster.