Ransomware 2026: Extortion Tactics Pivot Beyond File Encryption
Kaspersky’s May 12, 2026 report reveals a fundamental shift in the threat landscape: as encryption loses its leverage, attackers are prioritizing data exfiltra…

On May 12, 2026, coinciding with International Anti-Ransomware Day, Kaspersky released its annual "State of Ransomware in 2026" report, documenting a radical mutation in the cybercrime ecosystem. The traditional logic of file encryption is being supplanted by pure extortion based on data theft and the threat of public disclosure. Simultaneously, endpoint defenses have become priority tactical targets, while new malware families are beginning to integrate offensive resilience against future quantum computing capabilities.
- The percentage of victims paying ransoms dropped to 28% in 2025; in response, attackers are abandoning encryption to focus on the regulatory and reputational fallout of data leaks.
- The PE32 ransomware family has adopted ML-KEM post-quantum cryptography (Kyber1024, Level 5 security) to protect AES keys against future quantum decryption.
- Threat actors are integrating "EDR killers" and Bring Your Own Vulnerable Driver (BYOVD) techniques as a deliberate, repeatable phase of the attack cycle rather than an opportunistic evasion tactic.
- Initial Access Brokers (IABs) have industrialized access via RDWeb, which has emerged as a preferred remote access vector alongside RDP and VPNs.
Declining Ransom Payments Reshape the Attack Economy
In 2025, the percentage of organizations that opted to pay a ransom fell to 28%, according to Kaspersky data. This decline marks a strategic watershed: attackers recognize that encryption—the traditional lever for disrupting business continuity—is losing its efficacy. Organizations have significantly matured their investments in backups, recovery strategies, and operational resilience. The classic ransomware model—encrypt, demand, wait—is yielding diminishing returns.
The threat actor’s response is "encryptionless extortion." As documented in the report, groups like ShinyHunters are increasingly "leaving out the 'ware' in 'ransomware'" to focus purely on sensitive data exfiltration. The primary weapon is no longer system downtime, but the threat of publication on data leak sites and the looming consequences: GDPR fines, contractual breaches, and reputational damage reflected in lost contracts and stock devaluations. In this model, backups are rendered irrelevant; once data is exfiltrated, an offline copy cannot prevent its public disclosure.
The report does not specify the methodology behind the 28% figure, and it cannot be independently verified from the report alone, but it aligns with other industry indicators. Although the percentage of organizations targeted decreased across all regions in 2025 compared to 2024, the threat has not diminished; it has evolved into a form that is harder to contain with traditional recovery tools.
The Shift to Post-Quantum Cryptography
While some actors are moving away from encryption, others are radically reinforcing it. Kaspersky documents that PE32, a new ransomware family, is "adopting post-quantum cryptography ciphers" by implementing the ML-KEM standard via the Kyber1024 algorithm. This is classified as Level 5 security, roughly equivalent to the robustness of AES-256.
The architecture is hybrid: Kyber1024 establishes quantum-resistant shared secrets, which in turn protect the AES keys used on the files. This mirrors the hybrid key exchange being adopted defensively in TLS 1.3 and QUIC, here turned to offensive use. The immediate threat is not yet realized, as current quantum systems do not jeopardize traditional asymmetric encryption. Instead, the move is preparatory: a long-term investment in offensive resilience, so that key material which today's RSA- or ECC-wrapped ransomware would leave recoverable to a future quantum adversary stays out of reach.
The actual prevalence of this trend remains unclear. PE32 is cited as a specific technical milestone rather than a dominant family. The report does not quantify how many families have implemented post-quantum schemes or provide a timeline for mass adoption. It serves as a strategic signal from malware developers rather than a completed industry-wide transformation.
EDR Killers and BYOVD: The Endpoint as a Tactical Target
The systematic neutralization of endpoint defenses represents a second major battlefield. Ransomware operators in 2026 are no longer merely attempting to bypass EDR (Endpoint Detection and Response) solutions; they are attacking them directly. The report documents the widespread use of "EDR killer" tools and "Bring Your Own Vulnerable Driver" (BYOVD) techniques to terminate security processes and disable monitoring agents.
This technique leverages legitimate, signed, but vulnerable drivers that are loaded into the target system to execute kernel-level operations outside the visibility of antivirus software. This is no longer treated as opportunistic evasion; it has become a planned, repeatable phase integrated into attack playbooks. The endpoint has shifted from a defensive perimeter to a combat theater where attackers and defenders compete for control of the same hardware.
This shift has profound architectural implications. Security models that rely solely on the endpoint as the primary barrier are showing structural fragility. If an agent can be silenced or blinded, the rest of the kill chain proceeds unimpeded. Consequently, network segmentation, access control, and infrastructure-level behavioral monitoring are becoming more critical than standalone perimeter protection on individual devices.
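One concrete form of the "redundant visibility" this implies, as an added example that is not from the Kaspersky report or any product: correlate EDR agent heartbeats with DNS and proxy logs, and flag hosts the network still sees after their agent has gone quiet. The Event type, the heartbeat/log sources and the sample timeline are constructed for this example.

```go
package main

import "time"

// Event is one telemetry record from any layer (constructed for this example).
type Event struct {
	Source string // "edr" heartbeat, or a "dns" / "proxy" log line
	Host   string
	At     time.Time
}

// FindSilencedAgents correlates EDR heartbeats with DNS and proxy logs and returns, per host,
// how many network events were seen after the agent had been silent for longer than grace.
// Such a host is not merely "offline": it is a candidate for a killed or blinded agent, and
// that judgement rests on telemetry the endpoint itself cannot suppress.
func FindSilencedAgents(events []Event, grace time.Duration) map[string]int {
	lastBeat := map[string]time.Time{}
	for _, e := range events {
		if e.Source == "edr" && e.At.After(lastBeat[e.Host]) {
			lastBeat[e.Host] = e.At
		}
	}
	silenced := map[string]int{}
	for _, e := range events {
		// Hosts never seen by EDR are an inventory gap, reported separately; skip them here.
		beat, managed := lastBeat[e.Host]
		if e.Source != "edr" && managed && e.At.After(beat.Add(grace)) {
			silenced[e.Host]++
		}
	}
	return silenced
}

// SampleEvents is a constructed timeline: ws-01's agent stops reporting at 10:05 while DNS and
// the proxy keep seeing it; ws-02 keeps reporting normally; ws-03 simply goes offline.
func SampleEvents() []Event {
	t := func(h, m int) time.Time { return time.Date(2026, 5, 12, h, m, 0, 0, time.UTC) }
	return []Event{
		{"edr", "ws-01", t(10, 0)}, {"dns", "ws-01", t(10, 1)}, {"edr", "ws-01", t(10, 5)},
		{"dns", "ws-01", t(10, 20)}, {"proxy", "ws-01", t(10, 31)}, {"dns", "ws-01", t(10, 45)},
		{"edr", "ws-02", t(10, 0)}, {"dns", "ws-02", t(10, 20)}, {"edr", "ws-02", t(10, 30)}, {"proxy", "ws-02", t(10, 40)},
		{"edr", "ws-03", t(10, 0)}, {"dns", "ws-03", t(10, 2)},
	}
}
```

With a 10-minute grace window only ws-01 is reported (three network events after its last heartbeat); a host that goes dark on every layer at once, like ws-03, is left for the ordinary offline-asset process.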
RDWeb and the Industrialization of Initial Access
The foundation for these attacks is prepared by a mature, structured market. Initial Access Brokers (IABs) maintain a central role in 2026, though their technical focus has shifted. The report documents a growing preference for RDWeb as a "preferred method of remote access," responding to organizations reducing their public RDP exposure.
RDWeb (Remote Desktop Web Access) allows access to virtual desktops via HTTPS and a browser. While it may appear more manageable, it remains technically exposed if the underlying infrastructure (Active Directory, gateways, certificates) contains flaws or weak configurations. While RDP, VPN, and RDWeb remain the three primary vectors sold in the underground, the trend illustrates how IABs adapt to defensive measures: as one door closes, attackers shift demand to less-guarded entry points.
The report also notes significant law enforcement pressure, with major infrastructure seizures in 2025 and 2026 targeting forums like Nulled, Cracked, and XSS, as well as data leak sites for BlackSuit and 8Base. RAMP was targeted in January 2026, followed by LeakBase in March 2026. However, this pressure has not stifled the market; it has merely driven it toward more resilient actors and decentralized or transient platforms.
"Qilin was the most active group executing targeted attacks in 2025"
The Qilin group emerged as a dominant actor starting in the second quarter of 2025, followed by Clop for large-scale supply-chain attacks and Akira for operational stability. This hierarchy, noted in the report, confirms that the 2026 ransomware ecosystem is defined by functional specialization: Qilin for targeted hits, Clop for supply-chain scaling, and Akira for continuity.
Regarding financial impact, the report cites over $18 billion in damages to the manufacturing sector in the first three quarters of 2025, based on research from Kaspersky and VDC Research. While this figure cannot be independently verified, it serves as a scale indicator for a sector historically vulnerable due to OT/IT convergence and a low tolerance for production downtime.
Strategic Defensive Adjustments
The shifts documented in this report require a recalibration of defensive strategies rather than a simple tool update.
Protect data against exposure, not just loss. While backup and disaster recovery remain effective against encryption, they do not prevent data leaks. Organizations must prioritize data minimization, criticality-based classification, granular access controls, and encryption-at-rest to ensure exfiltrated data is unusable to attackers.
Assume EDR compromise and build redundant visibility. Network monitoring, centralized infrastructure logs, and behavioral analysis at the proxy and DNS levels provide observation points that do not depend on the integrity of an endpoint agent. Cross-layer correlation is now essential; no single tool can be the sole source of truth.
Apply RDP-level scrutiny to RDWeb and expand Zero Trust. Browser-based remote access is not inherently secure. It requires Active Directory hardening, certificate pinning, session monitoring, and continuous identity verification. Micro-segmentation and Just-In-Time (JIT) access can limit the blast radius even when credentials are compromised.
Initiate the post-quantum transition for data-at-rest. If attackers are preparing for quantum cryptanalysis, defenders cannot afford to wait. Maintaining a cryptographic asset inventory, evaluating hybrid ML-KEM/X25519 algorithms, and establishing a NIST-compliant migration roadmap must be part of the three-year planning cycle.
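Worked on the defender's side, here is the hybrid construction that both the PE32 description above and this recommendation refer to: ML-KEM-1024 and X25519 each contribute a shared secret, and the AES-256 key that actually protects the data at rest is derived from both, so breaking either one alone does not expose it. This is an added example, not code from the Kaspersky report, PE32 or any product; it assumes Go 1.24 or later (standard-library crypto/mlkem and crypto/ecdh), and the Capsule type, the function names and the domain-separation label are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// Capsule sits beside the protected data: the ML-KEM-1024 ciphertext and the ephemeral X25519 public key.
type Capsule struct{ KEMCiphertext, DHEphemeral []byte }

// NewRecipientKeys generates the recipient's long-term ML-KEM-1024 and X25519 private keys.
func NewRecipientKeys() (*mlkem.DecapsulationKey1024, *ecdh.PrivateKey, error) {
	kem, err := mlkem.GenerateKey1024()
	if err != nil { return nil, nil, err }
	dh, err := ecdh.X25519().GenerateKey(rand.Reader)
	return kem, dh, err
}

// combine binds BOTH shared secrets and the transcript into one AES-256 key, so the key stays
// secret while either ML-KEM or X25519 holds. All inputs are fixed-length, so concatenation is unambiguous.
func combine(kemSecret, dhSecret []byte, c Capsule) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte("example-hybrid-v1"), kemSecret, dhSecret, c.KEMCiphertext, c.DHEphemeral}, nil))
	return sum[:]
}

// Encapsulate (writer side) needs only the recipient's public halves; it returns a fresh AES-256 key and the Capsule.
func Encapsulate(kemPub *mlkem.EncapsulationKey1024, dhPub *ecdh.PublicKey) (Capsule, []byte, error) {
	kemSecret, kemCT := kemPub.Encapsulate() // ML-KEM-1024: 32-byte secret, 1568-byte ciphertext
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return Capsule{}, nil, err }
	dhSecret, err := eph.ECDH(dhPub)
	if err != nil { return Capsule{}, nil, err }
	c := Capsule{KEMCiphertext: kemCT, DHEphemeral: eph.PublicKey().Bytes()}
	return c, combine(kemSecret, dhSecret, c), nil
}

// Decapsulate (recipient side). A tampered ML-KEM ciphertext does NOT error: implicit rejection
// yields an unrelated key, so the stored data must still be authenticated (e.g. AES-GCM).
func Decapsulate(kemPriv *mlkem.DecapsulationKey1024, dhPriv *ecdh.PrivateKey, c Capsule) ([]byte, error) {
	kemSecret, err := kemPriv.Decapsulate(c.KEMCiphertext)
	if err != nil { return nil, err }
	ephPub, err := ecdh.X25519().NewPublicKey(c.DHEphemeral)
	if err != nil { return nil, err }
	dhSecret, err := dhPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	return combine(kemSecret, dhSecret, c), nil
}
```

Because Encapsulate needs only public keys, a data writer can wrap keys it can never read back; the derived key is meant to feed AES-256-GCM, whose authentication tag is what turns a tampered capsule into a detected failure rather than silently wrong plaintext.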
An Ecosystem Adapting Faster Than Its Targets
The 2026 Kaspersky report describes an economic and technical reorganization of the threat landscape. Declining ransom payments have disincentivized encryption as a primary tool; the response is a "cleaner" form of extortion that is harder to mitigate with traditional tools and more deeply rooted in organizational vulnerabilities. The commoditization of initial access lowers the barrier to entry, while post-quantum upgrades and the targeting of endpoint defenses increase the operational resilience of sophisticated actors.
The primary challenge for organizations is no longer post-incident recovery, but preventing the initial breach and minimizing the fallout of data disclosure. Backups save systems, but they do not save reputations. EDR protects endpoints—until it is deactivated. In this environment, the most effective security is that which prevents the attacker from reaching the data, rather than attempting to defeat them once they are inside.
Frequently Asked Questions
Are backups now useless against ransomware?
No. Backups remain essential against file encryption, which is still a widely used technique. However, they are insufficient against encryptionless extortion, where the threat is the disclosure of stolen data. A dual-layer strategy is required: recovery for availability and data protection for confidentiality.
Is post-quantum ransomware encryption an immediate risk?
Not immediately. Current quantum computers do not threaten RSA or ECC standards. The adoption of ML-KEM/Kyber1024 by families like PE32 is an investment in long-term offensive resilience, preparing malware for future quantum cryptanalysis. Defenders must begin their transition with similar foresight.
Why has RDWeb become a preferred vector over RDP?
As organizations have hardened RDP via VPNs and conditional access, IABs have pivoted to RDWeb as a less-monitored alternative that still provides browser-based access to virtual desktops. It is a clear example of the threat landscape adapting to defensive improvements.