
International Anti-Ransomware Day-2026: Kaspersky shares insights into ransomware trends and tactics

12 May 2026

On International Anti-Ransomware Day, May 12, Kaspersky shares a report with an overview of ransomware trends that marked 2025 and insights into what the threat landscape holds in 2026. According to Kaspersky Security Network, in 2025 Latin America had the highest share of organisations with ransomware attacks detected (8.13%), followed by the Asia-Pacific region (7.89%), Africa (7.62%), Middle East (7.27%), the Commonwealth of Independent States (CIS, 5.91%) and Europe (3.82%). The report highlights the rise of “encryption-less” extortion attacks, the use of post-quantum cryptography by ransomware groups, and the persistent use of Telegram channels by cybercriminals to distribute compromised data sets and credentials.

Despite a slight decline in the overall share of organisations attacked by ransomware in 2025 compared to 2024, users remain at significant risk as attackers industrialise their operations, automate intrusion methods, and increasingly focus on stealing and leaking sensitive data rather than simply encrypting systems.

One of the trends in 2025 is the continued rise of endpoint detection and response (EDR) “killers” – tools specifically designed to disable endpoint security solutions before the malware itself is executed. EDR killers have become a standard component of attacks, which points to more deliberate and methodical intrusions.

Researchers also noted the emergence of ransomware families adopting post-quantum cryptography standards, a development Kaspersky had previously predicted. It signals a concerning shift toward encryption methods that could resist future decryption attempts based on quantum computing.

The role of Initial Access Brokers (IABs) – cybercriminal intermediaries that sell pre-compromised corporate access through underground forums and messaging platforms – is growing. RDWeb portals (websites through which devices can be controlled remotely) are increasingly targeted as ransomware groups continue to industrialise attacks through “Access-as-a-Service” operations. As a result, the barrier to launching ransomware attacks is falling.

Telegram channels and dark web forums continue to function as platforms for distributing and selling compromised data sets and access, including those obtained through ransomware attacks. A major underground forum, RAMP, which also served as a platform where threat actors advertised their ransomware services and published service‑related updates, was seized by authorities in January 2026. Another underground forum, LeakBase, where malicious actors distributed exfiltrated and compromised data, was seized in March 2026. However, while law enforcement agencies are actively shutting down dark web platforms and ransomware data leak sites, similar portals may appear over time.

Active groups

Among the most active ransomware groups in 2025 based on data leak sites, Kaspersky identified Qilin as the dominant ransomware-as-a-service (RaaS) operator following RansomHub’s seizure of operations. Clop ranked as the second most active group, with Akira in third place.

While several major ransomware groups stopped operating in 2025, new actors are emerging. Looking at 2026, the Gentlemen is one of the most important new ransomware actors due to the group’s rapid growth, structured operations, and increasing focus on data-centric extortion. The group may include attackers formerly associated with other major ransomware operations. The Gentlemen exemplifies a broader shift in the ransomware ecosystem away from chaotic, high-noise campaigns toward scalable, business-like extortion models focused primarily on stealing sensitive data and leveraging reputational and regulatory pressure rather than relying solely on disruptive file encryption.

“Ransomware has evolved into a highly organised ecosystem focused on monetising stolen data, disabling defences, and scaling attacks with business-like efficiency. Threat actors are quickly adapting, weaponising legitimate tools, exploiting remote access infrastructure, and even adopting post-quantum cryptography years earlier than many expected. The purpose of Anti-Ransomware Day is to raise global awareness about the threats posed by ransomware and to promote best practices for prevention and response, and we urge all users to stay secure, set up layered defences, invest in backups and boost cyberliteracy levels to counter attacks,” comments Fabio Assolini, Lead Security Researcher at Kaspersky GReAT. 

On Anti-Ransomware Day and beyond, Kaspersky encourages organisations to follow these best practices to safeguard against ransomware:

  • Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
  • Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
  • Focus your defence strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
  • Companies in the non-industrial sector can protect themselves by installing anti-APT and EDR solutions that provide capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Organisations can also provide their SOC teams with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Next.

The full report is available on Securelist.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
