Ransomware in 2026: Evolving Threats and the Race for Quantum Resilience

Introduction: The Persistent Evolution of Ransomware

On May 12, International Anti-Ransomware Day, Kaspersky released its annual report on the global ransomware landscape. The findings highlight a threat that continues to adapt with alarming sophistication. While overall attack rates have declined, ransomware remains a pervasive danger, driven by new families exploiting post-quantum cryptography, rising use of encryption-less extortion, and a sustained focus on initial access brokers who favor RDWeb as a gateway. This article explores the key trends shaping ransomware in 2026.

Ransomware Attacks Decline but Remain a Major Threat

According to Kaspersky Security Network data, the proportion of organizations affected by ransomware fell across all regions in 2025 compared to the previous year. However, this statistical dip does not signal a retreat. Threat actors are refining their tactics and scaling operations more efficiently, ensuring that the overall risk remains high. In the manufacturing sector alone, ransomware attacks inflicted over $18 billion in losses during the first three quarters of the year, according to research by Kaspersky and VDC Research.

Regional Trends

While the percentage of affected organizations decreased globally, the threat landscape remains uneven. Some regions saw sharper declines, but others still experience elevated rates of infection as attackers diversify their targets. The report emphasizes that no sector is immune, and the financial impact continues to grow.

The Rise of EDR Killers and Defense Evasion

A pivotal trend in 2026 is the growing use of tools designed to neutralize endpoint defenses before ransomware executes. Commonly called “EDR killers,” these utilities have become a standard component of attack playbooks. Attackers are methodically disabling security processes and monitoring agents, often by exploiting trusted components like signed drivers through a technique known as Bring Your Own Vulnerable Driver (BYOVD). This allows them to blend into legitimate system activity while gradually eroding visibility.

Implications for Security Teams

Evasion is no longer an opportunistic step; it is a planned and repeatable phase of the attack lifecycle. Organizations now face the dual challenge of detecting ransomware while maintaining control over environments where security controls themselves are actively targeted. This underscores the need for layered defenses and constant vigilance.

The Emergence of Post-Quantum Ransomware

A significant development predicted years ago has now materialized: advanced ransomware groups are adopting post-quantum cryptography. As quantum computing evolves, these encryption techniques resist decryption attempts from both classical and quantum computers, making it nearly impossible for victims to recover data without paying. One notable example is the PE32 family, which uses the cutting-edge ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard to secure its payloads.

The PE32 Family and ML-KEM

PE32 represents a new breed of ransomware that leverages quantum-resistant algorithms. This not only complicates decryption efforts but also signals a broader shift toward future-proof encryption methods. Security experts warn that such tools could become more common as quantum computing becomes more accessible.

Conclusion: An Ever-Adapting Threat

The state of ransomware in 2026 is a story of adaptation. From the weaponization of EDR killers and the rise of encryption-less extortion to the advent of post-quantum ransomware, the threat landscape continues to evolve. While attack numbers may have dipped, the sophistication and impact of each incident have grown. Organizations must stay ahead by investing in robust defenses, monitoring for emerging techniques, and preparing for a future where quantum-resistant malware becomes routine. The fight against ransomware is far from over.