2026-05-13 00:55:39

Ransomware Evolves: Post-Quantum Encryption and EDR Killers Define 2026 Threat Landscape

Ransomware attacks decline globally but new post-quantum encryption and EDR-killing tactics raise stakes, Kaspersky report warns ahead of Anti-Ransomware Day.

Ransomware Attacks Decline but Adopt Dangerous New Tactics

Ransomware attacks are decreasing in frequency globally, but the threat is evolving with alarming new techniques, including post-quantum encryption and systematic defense evasion, according to a breaking annual report from Kaspersky released ahead of International Anti-Ransomware Day on May 12.

Source: securelist.com

“The ransomware ecosystem is in a state of continuous transformation,” said Ivan Kwiatkowski, senior security researcher at Kaspersky. “While fewer organizations are being hit, those that are face far more sophisticated and harder-to-detect attacks.”

New Ransomware Families Adopt Post-Quantum Cryptography

Advanced ransomware groups have begun integrating post-quantum cryptography into their encryption engines. Kaspersky researchers identified the PE32 ransomware family, which uses the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard, a key-encapsulation scheme resistant to both classical and quantum decryption attempts.

“This makes it nearly impossible for victims to recover their data without paying a ransom,” the report states. The adoption follows Kaspersky’s 2025 prediction that quantum-resistant ransomware would emerge as quantum computing capabilities advance.

EDR Killers and Defense Evasion Become Standard

In 2026, ransomware operators increasingly prioritize disabling endpoint defenses before executing payloads. Tools known as “EDR killers” have become a standard component of attack playbooks, using techniques such as Bring Your Own Vulnerable Driver (BYOVD) to terminate security processes via legitimate signed drivers.

“Evasion is no longer opportunistic—it’s a planned, repeatable phase of the attack lifecycle,” said Kwiatkowski. Organizations now face the dual challenge of detecting ransomware while maintaining security control in environments where defenses themselves are targeted.

Declining Attack Numbers Mask Rising Costs

Kaspersky Security Network data shows the percentage of organizations affected by ransomware decreased across all regions in 2025 compared to 2024. Despite this formal decline, the likelihood of attack remains high as operators refine tactics and scale operations.

In manufacturing alone, ransomware attacks may have caused over $18 billion in losses during the first three quarters of the year, according to joint research by Kaspersky and VDC Research. “Even a single successful breach can be catastrophic,” the report warns.

Encryptionless Extortion and Initial Access Brokers

As ransom payments drop, some groups have turned to encryptionless extortion attacks—stealing sensitive data and threatening to leak it without encrypting files. Meanwhile, initial access brokers now focus increasingly on RDWeb as a preferred remote access method, maintaining a key role in the threat ecosystem.

Background

Ransomware has been a persistent global cyberthreat for over a decade, evolving from simple lock-screen scams to complex, multi-stage extortion operations. The emergence of post-quantum encryption marks a potential breakthrough in attack capabilities, while EDR-killing tools represent a shift toward methodical, defense-aware intrusions.

Kaspersky has tracked ransomware trends since 2010, and its annual reports are closely watched by cybersecurity professionals. The 2026 findings underscore a landscape where attackers are adapting faster than many organizations can defend.

What This Means

For businesses, the message is clear: ransomware is becoming harder to prevent and recover from. The rise of post-quantum cryptography means that traditional backup-based recovery may fail if attackers can encrypt data with ciphers that defy current decryption methods. Despite lower attack percentages, the financial risk per incident continues to climb.

Organizations must invest in layered defenses that can withstand targeted attacks on security tools, and consider quantum-safe encryption for their own systems. “The threat is not going away—it’s transforming,” Kwiatkowski concluded. “Proactive defense is the only sustainable strategy.”