Cybersecurity

Ransomware Threats in 2026: Post-Quantum Encryption and EDR Evasion on the Rise

Posted by u/Fonarow · 2026-05-16 04:35:15

Overview of the Ransomware Landscape

On May 12, International Anti-Ransomware Day, Kaspersky published its annual report detailing the state of ransomware around the world. The data reveals that while the percentage of organizations hit by ransomware declined in 2025 compared to 2024, the threat remains acute. Threat actors continue to innovate, adopting more sophisticated techniques to evade detection and extract payments.

Source: securelist.com

According to Kaspersky Security Network, the share of affected organizations fell across all regions in 2025. This headline decrease masks a troubling reality: ransomware operators are refining their tactics and scaling operations more efficiently. In the manufacturing sector alone, losses from ransomware attacks exceeded $18 billion in the first three quarters of the year, based on research from Kaspersky and VDC Research. The message is clear: even with fewer reported incidents, the financial and operational impact remains severe.

Regional Variations: Decline Across All Regions

Every region saw a drop in the proportion of organizations affected by ransomware. The decline may reflect improved cyber hygiene, better detection tooling, and shifting criminal strategy. Attackers compensate by targeting higher-value victims and using more destructive methods, so the overall threat level remains high.

The Shift in Ransomware Tactics

Encryptionless Extortion on the Rise

As ransom payments dwindle, partly because more victims refuse to pay, some ransomware groups are pivoting to encryptionless extortion. Instead of encrypting files, they steal data and threaten to leak it unless a ransom is paid. This removes the most fragile part of the attack (a working encryptor and its key management) while keeping the coercive pressure on the target. It also changes what recovery means: restoring from backups addresses availability, not disclosure, so the defensive priority shifts to detecting data staging and bulk outbound transfers before the leak happens.

Initial Access Brokers Target RDWeb

Initial access brokers (IABs) remain a vital part of the ransomware ecosystem. These specialists sell access to compromised networks so that other criminals can launch attacks. In 2026, IABs have shown an increased focus on gaining entry through RDWeb (Remote Desktop Web Access), the IIS-hosted web front end of Remote Desktop Services. It is widely deployed, often exposed directly to the internet, and presents a plain username and password form, which makes it a natural target for password spraying and credential reuse. By compromising RDWeb credentials, brokers can offer reliable, high-value access to enterprise networks. Practitioners should treat any internet-facing RDWeb portal as a prime target: enforce multi-factor authentication on it, and watch for failed logons spread across many accounts from a single source.
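The credential attacks described above leave a characteristic trail in the Windows Security log of the RDWeb host: event 4625 (failed logon) with logon type 3 and the client address in IpAddress. The following is an added example, not code from the Kaspersky report or from any IAB tooling, that runs three detections over constructed sample events: password spraying (one source, many accounts), single-account brute force, and username enumeration via sub-status 0xC0000064 (account does not exist). The event records, IP addresses and account names are all constructed; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. Each record mirrors the fields of a
# Windows Security event 4625 (failed logon) as an RD Web Access server raises it:
# a network logon (type 3) with the client IP carried in IpAddress.
# Sub-status 0xC000006A = wrong password, 0xC0000064 = account does not exist.
_BASE = datetime(2026, 5, 10, 2, 0, 0)


def _ev(offset_s, user, ip, substatus="0xC000006A", event_id=4625, logon_type=3):
    return {"event_id": event_id, "time": _BASE + timedelta(seconds=offset_s),
            "user": user, "ip": ip, "logon_type": logon_type, "substatus": substatus}


SAMPLE_EVENTS = (
    # one source trying eight different accounts in two minutes: password spraying
    [_ev(15 * i, f"user{i:02d}", "203.0.113.7") for i in range(8)]
    # the same source also probes two accounts that do not exist: enumeration
    + [_ev(130, "svc_backup", "203.0.113.7", "0xC0000064"),
       _ev(145, "helpdesk2", "203.0.113.7", "0xC0000064")]
    # one source hammering a single account: classic brute force
    + [_ev(20 * i, "administrator", "192.0.2.9") for i in range(12)]
    # a real user mistyping a password twice: must not alert
    + [_ev(300, "j.smith", "198.51.100.5"), _ev(330, "j.smith", "198.51.100.5")]
)


def _failed_network_logons(events):
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 3]


def _max_in_window(items, window, measure):
    """Slide a time window over (time, value) pairs sorted by time and return the
    largest value of measure(values in window) seen."""
    items.sort()
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure([v for _, v in items[start:end + 1]]))
    return best


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs that fail against at least min_users distinct accounts inside window.
    Returns {ip: max distinct accounts seen in any window}."""
    by_ip = defaultdict(list)
    for e in _failed_network_logons(events):
        by_ip[e["ip"]].append((e["time"], e["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        n = _max_in_window(attempts, window, lambda users: len(set(users)))
        if n >= min_users:
            hits[ip] = n
    return hits


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=10):
    """(ip, account) pairs with at least min_attempts failures inside window."""
    by_pair = defaultdict(list)
    for e in _failed_network_logons(events):
        by_pair[(e["ip"], e["user"])].append((e["time"], 1))
    hits = {}
    for pair, attempts in by_pair.items():
        n = _max_in_window(attempts, window, len)
        if n >= min_attempts:
            hits[pair] = n
    return hits


def enumeration_sources(events, min_unknown=2):
    """Source IPs that repeatedly hit accounts which do not exist."""
    unknown = defaultdict(int)
    for e in _failed_network_logons(events):
        if e["substatus"] == "0xC0000064":
            unknown[e["ip"]] += 1
    return {ip: n for ip, n in unknown.items() if n >= min_unknown}


if __name__ == "__main__":
    print("spraying:", detect_spraying(SAMPLE_EVENTS))
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
    print("enumeration:", enumeration_sources(SAMPLE_EVENTS))
```

Spraying is keyed on distinct accounts per source rather than on failures per account precisely because a careful sprayer stays under any per-account lockout threshold; the two detections are complementary, and the enumeration signal is worth alerting on at a very low count because legitimate users rarely mistype a username into a non-existent one more than once.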

The Growing Threat of Defense Evasion

EDR Killers Become Standard

Ransomware operators increasingly neutralize endpoint defenses before deploying their payloads. Tools known as “EDR killers” have become a standard component of attack playbooks. These utilities target endpoint detection and response (EDR) systems, disabling security processes and monitoring agents so that the ransomware executes without raising alerts. The goal is to blind the victim’s security team during the minutes that matter most.

BYOVD: Exploiting Trusted Drivers

A key technique in this evasion arsenal is Bring Your Own Vulnerable Driver (BYOVD). The attacker drops a legitimately signed driver that carries a known flaw, typically an IOCTL handler that lets a user-mode caller read and write arbitrary kernel memory or terminate arbitrary processes. Because the signature is valid, Driver Signature Enforcement loads it, and from kernel context the attacker can kill or cripple security agents that user-mode tamper protection would otherwise shield. The malicious activity hides behind a trusted system component, which makes it hard to spot. Defense evasion is no longer an afterthought; it is a planned, repeatable phase of the attack lifecycle. Organizations therefore face a dual challenge: detecting ransomware while defending the very tools meant to protect them. On Windows, enabling Microsoft’s vulnerable driver blocklist (enforced through HVCI or a WDAC policy) and alerting on driver loads from user-writable paths are the checks to start with.
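The sequence just described, a suspicious driver load followed within minutes by the death of security agent processes, is what a detection should key on, because either half alone is noisy. The following is an added example, not code from the report or from any EDR vendor, that correlates Sysmon DriverLoad (event 6) and ProcessTerminate (event 5) records. The events, the driver path and the blocklist hashes are constructed placeholders; the EDR process names are an illustrative list, not a complete one; in practice the hash set would be loaded from Microsoft’s vulnerable driver blocklist or the LOLDrivers project.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Hypothetical blocklist: SHA-256 of drivers known to expose kernel read/write or
# process-kill IOCTLs. These hashes are placeholders, not real driver hashes.
VULN_HASH = "11" * 32
VULNERABLE_DRIVER_SHA256 = {VULN_HASH: "placeholder-vulnerable-driver.sys"}

# Illustrative security agent process names (lower-cased for comparison; not exhaustive).
EDR_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe", "cb.exe"}

# Legitimate drivers live under System32\drivers; a signed driver loaded from a
# user-writable location is suspicious on its own.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

_T = datetime(2026, 5, 11, 3, 15, 0)

# Constructed Sysmon events, not real telemetry. ID 6 = DriverLoad, ID 5 = ProcessTerminate,
# using the field names Sysmon actually emits for those events.
SAMPLE_EVENTS = [
    {"id": 6, "time": _T, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"id": 6, "time": _T + timedelta(seconds=40), "ImageLoaded": r"C:\Windows\Temp\upd\drv.sys",
     "Hashes": "MD5=" + "33" * 16 + ",SHA256=" + VULN_HASH, "Signed": "true",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
    {"id": 5, "time": _T + timedelta(seconds=55), "ProcessId": 4120,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"id": 5, "time": _T + timedelta(seconds=57), "ProcessId": 5216,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"},
    # a benign agent restart hours later with no driver load nearby: must not alert
    {"id": 5, "time": _T + timedelta(hours=3), "ProcessId": 7788,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        alg, _, value = part.strip().partition("=")
        if alg.upper() == "SHA256":
            return value.lower()
    return None


def suspicious_driver_loads(events):
    """DriverLoad events that match the blocklist, come from a user-writable path,
    or carry an invalid signature. Returns [(event, [reasons])]."""
    out = []
    for e in events:
        if e["id"] != 6:
            continue
        reasons = []
        digest = sha256_of(e["Hashes"])
        if digest in VULNERABLE_DRIVER_SHA256:
            reasons.append("known-vulnerable driver " + VULNERABLE_DRIVER_SHA256[digest])
        if e["ImageLoaded"].lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("loaded from user-writable path")
        if e.get("SignatureStatus") != "Valid":
            reasons.append("signature not valid")
        if reasons:
            out.append((e, reasons))
    return out


def edr_kill_chains(events, window=timedelta(minutes=5)):
    """Suspicious driver loads followed inside window by termination of an EDR process."""
    kills = [e for e in events
             if e["id"] == 5 and PureWindowsPath(e["Image"]).name.lower() in EDR_PROCESSES]
    alerts = []
    for load, reasons in suspicious_driver_loads(events):
        killed = [PureWindowsPath(k["Image"]).name for k in kills
                  if load["time"] <= k["time"] <= load["time"] + window]
        if killed:
            alerts.append({"driver": load["ImageLoaded"], "reasons": reasons, "killed": killed})
    return alerts


if __name__ == "__main__":
    for a in edr_kill_chains(SAMPLE_EVENTS):
        print(a)
```

The correlation window is deliberately short: EDR killers load the driver and issue the kill IOCTLs within seconds, whereas the isolated termination of an agent process three hours later (an update or restart) produces no alert. Note that if the attacker kills the Sysmon service first, the event 5 records never arrive, so the driver-load half of this rule should also be forwarded and alerted on independently.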

Post-Quantum Ransomware: A New Frontier

How Quantum-Resistant Encryption Works

Earlier predictions suggested that quantum-resistant ransomware would emerge around 2025. That forecast has become reality. Advanced ransomware groups are now using post-quantum cryptography (PQC) to protect the keys that encrypt victim files. These algorithms are designed to resist attacks from both classical and quantum computers. One caveat matters for victims: a correctly implemented classical hybrid (a random per-file symmetric key wrapped with an RSA or elliptic-curve key held only by the operator) was already infeasible to brute-force with any amount of computing power. What PQC closes is the prospect of a future quantum computer recovering the wrapping key. The realistic path to free decryption tools remains implementation mistakes, such as weak random number generation, key reuse, or keys left on disk, rather than breaking the cipher, and PQC does not change that.

The PE32 Family Example

One concrete example is the PE32 ransomware family. This strain uses ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), the scheme NIST standardized as FIPS 203 in August 2024 after selecting CRYSTALS-Kyber in its post-quantum competition. A KEM does not encrypt files itself; it produces a shared secret that, in the usual ransomware design, wraps the per-file symmetric key, and only the operator’s decapsulation key can unwrap it. With such a construction in place, decryption tools that rely on a recoverable or breakable key-wrapping step are ineffective. For analysts, the fixed ML-KEM ciphertext sizes (768, 1088 and 1568 bytes for ML-KEM-512, ML-KEM-768 and ML-KEM-1024) are a useful signal when working out the per-file key blob in a sample. This marks a significant escalation in the arms race between threat actors and defenders.
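To make the key-encapsulation design discussed in the two sections above concrete, here is an added example of the per-file envelope that such an encryptor builds: a random AES-256 file key, wrapped under a secret derived from a KEM ciphertext, so that nothing in the file reveals the file key without the operator’s private key. This is illustrative code written for this page, not PE32’s code or Kaspersky’s. It assumes pyca/cryptography is installed and, because no ML-KEM implementation is assumed to be available, uses an X25519 ephemeral exchange as a stand-in KEM; the envelope layout is identical, only the 32-byte ciphertext would become an 1088-byte ML-KEM-768 ciphertext. The file contents and the layout constants are constructed.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

# Hypothetical envelope layout: kem_ct | wrap_nonce | wrapped_key | body_nonce | body
KEM_CT_LEN = 32            # X25519 stand-in; ML-KEM-768 would put 1088 bytes here
NONCE_LEN = 12             # AES-GCM nonce
WRAPPED_KEY_LEN = 32 + 16  # AES-256 key plus GCM tag


def _kdf(shared, kem_ct):
    """Derive the wrapping key from the raw shared secret and the KEM ciphertext."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"example-file-key-wrap").derive(shared + kem_ct)


def generate_operator_keypair():
    """The decapsulation key never leaves the operator; only the public half ships."""
    return X25519PrivateKey.generate()


def kem_encaps(operator_pub):
    """Stand-in KEM: ephemeral X25519 key; its public part is the 'ciphertext'."""
    eph = X25519PrivateKey.generate()
    kem_ct = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return kem_ct, _kdf(eph.exchange(operator_pub), kem_ct)


def kem_decaps(operator_priv, kem_ct):
    return _kdf(operator_priv.exchange(X25519PublicKey.from_public_bytes(kem_ct)), kem_ct)


def encrypt_file(plaintext, operator_pub):
    """One fresh key per file; the file key exists in the clear only in memory."""
    file_key = AESGCM.generate_key(bit_length=256)
    kem_ct, wrap_key = kem_encaps(operator_pub)
    wrap_nonce, body_nonce = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    wrapped = AESGCM(wrap_key).encrypt(wrap_nonce, file_key, kem_ct)
    body = AESGCM(file_key).encrypt(body_nonce, plaintext, None)
    return kem_ct + wrap_nonce + wrapped + body_nonce + body


def _split(blob):
    i = 0
    fields = []
    for length in (KEM_CT_LEN, NONCE_LEN, WRAPPED_KEY_LEN, NONCE_LEN):
        fields.append(blob[i:i + length])
        i += length
    return (*fields, blob[i:])


def decrypt_file(blob, operator_priv):
    kem_ct, wrap_nonce, wrapped, body_nonce, body = _split(blob)
    wrap_key = kem_decaps(operator_priv, kem_ct)
    file_key = AESGCM(wrap_key).decrypt(wrap_nonce, wrapped, kem_ct)
    return AESGCM(file_key).decrypt(body_nonce, body, None)


def try_decrypt(blob, candidate_priv):
    """A decryptor without the right key gets an authentication failure, not data."""
    try:
        return decrypt_file(blob, candidate_priv)
    except InvalidTag:
        return None


def demo(plaintext=b"constructed sample: quarterly-ledger.xlsx contents"):
    """Returns (recovered with operator key, recovered with a wrong key, envelope size)."""
    operator = generate_operator_keypair()
    blob = encrypt_file(plaintext, operator.public_key())
    return try_decrypt(blob, operator), try_decrypt(blob, generate_operator_keypair()), len(blob)


if __name__ == "__main__":
    print(demo())
```

The point for responders is the third element of demo(): the only attacker-controlled material in the file is the KEM ciphertext and the wrapped key, so the size and position of that blob is what a forensic parser should recover first, and a wrong key fails the GCM tag check rather than producing garbage. Swapping the stand-in for ML-KEM changes nothing else in the flow, which is why adopting PQC costs an operator little and why it removes the quantum path without creating any new classical weakness for a decryptor to exploit.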

Conclusion: Preparing for the Future

The ransomware landscape in 2026 is defined by evolution. Attacks may be statistically declining, but the remaining incidents are more targeted, more evasive, and more technically advanced. Organizations must adapt by investing in defense in depth: endpoint resilience (including an enforced vulnerable driver blocklist), multi-factor authentication on every internet-facing remote access portal, behavioral monitoring, and rapid response capabilities. As post-quantum encryption and EDR-killing tools become mainstream, proactive cybersecurity is no longer optional; it is essential for survival in a digital-first world.