Ransomware 2026: Post-Quantum Ciphers, Encryptionless Extortion, and the Rise of EDR-Killers

On May 12, 2026, Kaspersky released its annual report, redefining the ransomware landscape. While the total percentage of targeted organizations saw a decline in 2025, the economic fallout remains critical: the manufacturing sector alone recorded over $18 billion in losses during the first three quarters of 2025. The convergence of post-quantum ciphers, encryptionless extortion, and the industrialization of initial access is making traditional defense paradigms obsolete—even as the rate of victims paying ransoms fell to 28% in 2025.

Key Takeaways
  • New ransomware families emerging in 2026 utilize post-quantum cryptography: the PE32 strain employs ML-KEM (Kyber1024, NIST Level 5 security) to protect AES keys.
  • Encryptionless extortion has become a dominant trend; groups like ShinyHunters exfiltrate data without encrypting systems, rendering traditional backups ineffective.
  • The Bring Your Own Vulnerable Driver (BYOVD) technique and "EDR-killer" tools are now standard components for neutralizing endpoint defenses.
  • Initial Access Brokers (IABs) have pivoted toward RDWeb as the preferred vector for compromising corporate networks.

Future-Proofing the Payloads: The Rise of Post-Quantum Ciphers

The most significant technical development in 2026 is the adoption of post-quantum algorithms. The PE32 ransomware family has implemented the ML-KEM standard with Kyber1024 parameters, meeting NIST’s Level 5 security requirements. This cryptographic choice secures the symmetric AES keys used to lock files, making them resistant to both classical brute-force and future quantum-assisted decryption. This shift represents a qualitative leap in the computational complexity required for unauthorized recovery.

According to the report: "The encryption techniques used by this quantum-proof ransomware could be used to resist decryption attempts from both classical and quantum computers, making it nearly impossible for victims to decrypt their data without having to pay a ransom." This evolution means organizations can no longer rely on the long-term hope of future decryption via increased computing power. Once the attacker-held keys are out of reach, the data is mathematically inaccessible, with a theoretical robustness far exceeding that of previous standards.

The use of ML-KEM has moved from academic theory to operational reality. Threat actors are now actively securing their leverage against law enforcement recovery efforts and security researchers. These cryptographic standards force a pivot toward proactive defense, as the post-compromise phase offers almost zero room for file recovery without the original attacker-controlled keys.

Encryptionless Extortion: When Backups Are No Longer Enough

Parallel to cryptographic advances, 2026 has seen the consolidation of encryptionless extortion. Groups like ShinyHunters have adopted a model where, as Kaspersky notes, "attackers leave out the 'ware' in 'ransomware' and focus on extracting sensitive data and leveraging the threat of public disclosure as their primary means of extortion." The objective is no longer to paralyze operations, but to seize sensitive information and monetize the threat of its release.

This tactical shift effectively neutralizes the protective value of backups. If data is exfiltrated rather than encrypted, system availability remains intact, but confidentiality is shattered. The ransom payment becomes a fee to avoid regulatory fines and catastrophic reputational damage. In 2025, the share of victims who paid ransoms dropped to 28%, signaling that operational lockout is losing its effectiveness compared to data-driven blackmail.

The decline in payments does not indicate a weakening threat, but a change in negotiation dynamics. When the only stake is data exposure, the decision to pay depends entirely on the sensitivity of the stolen information. This model reduces technical complexity for the attacker, as they no longer need to maintain stable encryption routines that are frequently flagged by security monitoring systems.

Neutralizing the Perimeter: BYOVD as an Industry Standard

The systematic neutralization of security solutions is now a mandatory phase in the modern attack playbook. Operators are increasingly utilizing "EDR-killer" tools and the Bring Your Own Vulnerable Driver (BYOVD) technique. BYOVD exploits legitimate but vulnerable drivers to gain kernel-level privileges and disable endpoint protection agents. This combination drastically degrades defensive visibility during the critical window between initial access and final data exfiltration.

The result is a significant increase in attacker dwell time. Endpoint defenses, once considered the final line of defense, are often blinded before the primary payload is even deployed. This pattern is deeply integrated into the offerings of Initial Access Brokers (IABs), who frequently provide ransomware groups with detailed intelligence on a victim's defensive posture, allowing them to pre-select the most effective evasion toolkit.

The Industrialization of Access: RDWeb as the Primary Vector

Initial Access Brokers remain central to the ecosystem, with a marked preference for Remote Desktop Web Access (RDWeb). RDWeb allows attackers to log in via a browser using legitimate credentials purchased on Telegram or underground forums. The use of valid accounts minimizes detectable anomalies, masking the attack as authorized traffic and removing the need for zero-day exploits. This lowers the technical barrier for affiliates, making intrusions more frequent and harder to track.

Despite the high-profile shutdowns of platforms like RAMP (January 2026) and LeakBase (March 2026), the ecosystem has simply fragmented into private channels. While law enforcement successfully seized sites like Nulled, Cracked, and XSS—along with the infrastructure of BlackSuit and 8Base—in 2025, these actions did not halt the access market. Instead, they pushed actors toward more resilient, distributed infrastructures, making broker activity more opaque than ever.

Strategic Resilience: Mitigating Modern Threats

To counter these evolving threats, organizations must update their resilience strategies based on 2026 trends, focusing on four specific areas.

Driver Hardening and BYOVD Prevention: As BYOVD becomes standard, organizations must implement strict driver allow-listing policies, blocking known vulnerable drivers used to disable EDR agents. Kernel integrity protection is now a top priority for maintaining defensive visibility.

MFA and Credential Rotation for RDWeb: Given the focus on RDWeb, every remote entry point must be secured by multi-factor authentication (MFA). It is critical to implement proactive rotation of administrative credentials and monitor for logins from unusual geographic locations or outside standard business hours.
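One way to operationalise the monitoring called for above, as an added example that is not from Kaspersky's report or any vendor product: a small Python rule set run over constructed RDWeb logon records (the field names, the business-hours window and the expected-country set are assumptions) that flags successful logons outside business hours or from unexpected countries.

```python
from datetime import datetime, time

# Constructed RDWeb logon records (not real log data). Each record is assumed to
# have been enriched with a GeoIP country code; the field names are assumptions,
# not those of any particular product or Windows event schema.
SAMPLE_LOGONS = [
    {"ts": "2026-05-11T09:15:00", "user": "jdoe", "src_ip": "203.0.113.10", "country": "DE", "status": "success"},
    {"ts": "2026-05-11T22:47:00", "user": "jdoe", "src_ip": "198.51.100.7", "country": "DE", "status": "success"},
    {"ts": "2026-05-12T03:02:00", "user": "svc_backup", "src_ip": "192.0.2.44", "country": "BR", "status": "success"},
    {"ts": "2026-05-12T10:30:00", "user": "asmith", "src_ip": "203.0.113.22", "country": "DE", "status": "failure"},
    {"ts": "2026-05-12T11:00:00", "user": "asmith", "src_ip": "203.0.113.22", "country": "DE", "status": "success"},
]

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
EXPECTED_COUNTRIES = {"DE", "AT"}  # assumed: where this organisation's staff normally log in from


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends, or before 08:00 / from 18:00 onward on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def flag_rdweb_logons(events, expected_countries=EXPECTED_COUNTRIES):
    """Return (event, reasons) for each successful logon that breaks the baseline.

    Only successes are scored: with purchased valid credentials the attacker
    authenticates cleanly, so counting failures alone would miss this vector.
    """
    alerts = []
    for ev in events:
        if ev["status"] != "success":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        reasons = []
        if outside_business_hours(ts):
            reasons.append("outside business hours")
        if ev["country"] not in expected_countries:
            reasons.append(f"unexpected country {ev['country']}")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in flag_rdweb_logons(SAMPLE_LOGONS):
        print(f"{ev['ts']} {ev['user']:<11} {ev['src_ip']:<14} {'; '.join(reasons)}")
```

In production the expected-country set and hours would be derived per user from historical logons rather than hard-coded, and the alerts would feed the credential-rotation process the paragraph describes.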

Data Classification and Confidentiality: To combat encryptionless extortion, the focus must shift from restoration to confidentiality. Critical data must be mapped and classified, access must be strictly limited, and outbound traffic volumes must be monitored for anomalies that could indicate exfiltration.
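The outbound-volume check described above, as an added illustration that is not code from the report: a robust per-host baseline over constructed daily egress totals (host names and byte counts are constructed), flagging the day on which a host's bytes-out exceeds the median plus k times the median absolute deviation, while a host with a high but steady volume stays quiet.

```python
from statistics import median

# Constructed daily outbound byte totals per host over 14 days (not real
# telemetry); in practice these come from firewall, proxy or NetFlow exports.
# The last value of each series is the day being evaluated.
SAMPLE_EGRESS = {
    "fileserver01": [2.1e9, 1.9e9, 2.3e9, 2.0e9, 2.2e9, 1.8e9, 2.1e9,
                     2.4e9, 2.0e9, 1.9e9, 2.2e9, 2.1e9, 2.0e9, 38.0e9],
    "workstation07": [0.4e9, 0.5e9, 0.3e9, 0.6e9, 0.4e9, 0.5e9, 0.4e9,
                      0.3e9, 0.5e9, 0.4e9, 0.6e9, 0.4e9, 0.5e9, 0.6e9],
    "backupsrv": [15e9] * 13 + [16e9],  # high but steady volume must not alert
}


def robust_threshold(history, k=6.0, min_mad_ratio=0.05):
    """median + k * MAD of the baseline window.

    The MAD is floored at a fraction of the median so a perfectly flat series
    (MAD == 0) does not alert on the first byte of normal variation.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    mad = max(mad, min_mad_ratio * med)
    return med + k * mad


def detect_egress_spikes(series_by_host, k=6.0):
    """Map host -> alert details for hosts whose latest day exceeds the baseline."""
    alerts = {}
    for host, series in series_by_host.items():
        baseline, today = series[:-1], series[-1]
        threshold = robust_threshold(baseline, k)
        if today > threshold:
            alerts[host] = {
                "today_bytes": today,
                "threshold_bytes": threshold,
                "ratio_to_median": today / median(baseline),
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_egress_spikes(SAMPLE_EGRESS).items():
        print(f"{host}: {info['today_bytes'] / 1e9:.1f} GB out today, "
              f"{info['ratio_to_median']:.1f}x the 13-day median "
              f"(threshold {info['threshold_bytes'] / 1e9:.2f} GB)")
```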

Incident Response for Pure Exfiltration Scenarios: Incident response plans must be updated to handle events where systems remain operational but data has been stolen. This includes pre-identifying legal counsel and communication protocols to manage the threat of public disclosure and regulatory implications.

"In 2025, the share of ransoms paid dropped to 28%." — Kaspersky Securelist

The High-Value Targeting Paradox

Kaspersky Security Network data shows a decrease in the percentage of organizations hit in 2025 compared to 2024. However, the $18 billion in losses within the manufacturing sector proves that fewer attacks do not correlate to less damage. Victim selection has become more surgical: attackers are prioritizing fewer operations against high-value targets, often through supply chain compromises.

Qilin emerged as the most active group starting in Q2 2025, followed by Clop—which specializes in supply chain attacks—and Akira. The market's rationalization has eliminated less sophisticated operators, concentrating cybercrime in the hands of groups with the resources to develop custom tools and purchase high-quality access. The result is an industry that is more efficient, less noisy, and far more economically lethal.

FAQ

Is quantum computing already being used to decrypt data?

No. The use of post-quantum ciphers like ML-KEM is a preemptive measure by attackers to ensure data remains indecipherable in the future. It does not mean quantum decryption is currently operational; rather, it secures the ransom leverage against long-term technological advancements.

Why are groups shifting toward encryptionless extortion?

Pure exfiltration is harder for security systems to detect, avoids the instability of complex encryption processes, and allows attackers to target organizations that have robust backups. The leverage shifts from system availability to reputational damage and privacy fines.

Have underground forum seizures reduced the risk?

While the 2026 takedowns of RAMP and LeakBase disrupted the ecosystem, the Initial Access Broker (IAB) market simply migrated to more private channels. The threat has not diminished; it has become more fragmented and difficult to monitor on a global scale.