A surprisingly positive development: ransomware is on the decline. The share of organizations affected by the persistent cyber threat has dropped across all regions. But, just as we were ready to uncork the champagne bottles, Kaspersky brings some harsh realities. Its annual report on ransomware threats shows attackers moving on to more sophisticated tactics, selling access, and fragmenting as a whole.
Not too long ago, we could count the number of sizable ransomware groups on one hand. But whereas Conti, LockBit, Akira and others have at one point claimed a third of all such attacks, no collective has reached a “market share” of more than 10.98 percent across 2025. Notably, many notorious groups such as ShinyHunters or Scattered Spider have claimed headlines without deploying ransomware. It seems cybercrime and state actors have reached the conclusion that many will pay simply to keep personal and enterprise data private, without even needing to regain access.
Alternative business models mature
With the drop in ransomware victims, a similar drop in attacks ought to be expected. However, previous research showed that 2025 was actually a record year once again. NCC Group counted 7,900 incidents, 1,022 of which were inflicted by Qilin. Kaspersky now notes another dimension here, with new tactics added to attackers’ playbooks.
One such emergent tool is the EDR killer. “Deliberate and methodical intrusions” are thus increasing, Kaspersky notes. Other evasion tactics include BYOVD, or “Bring Your Own Vulnerable Driver”, where attackers bring a system into an exploitable state by loading a legitimately signed driver that contains a known vulnerability. This can of course be repelled by stricter policies around driver management, making high-privileged account compromises more valuable than ever.
Speaking of account compromises, the already noted trend of threat actors selling on credentials is continuing. Access-as-a-Service is being “industrialized” by initial access brokers, Kaspersky says. In other words: login data and valuable permissions to accompany them are worth collecting in and of themselves at a massive scale, with the dark web connecting sellers of such information to cyber criminals willing to exploit it.
Extortion is similarly becoming more complex. With ransom payments dropping to 28 percent, adversaries in 2026 are seeking to extort companies without any encryption. As noted above, the motivation to keep data hidden from the public for a variety of reasons may be enough to convince a victim to pay up.
More mature malware
Another development revolves around the technical underpinnings of the malware itself. Cyber attackers appear fragmented, even if the pool of hackers might not have changed all that much since the days of the consolidated dominance of LockBit and others. The secret to the success of some of these collectives is their methodology, facilitated by their software.
We noted with some amusement that the push towards memory safety is apparently becoming ubiquitous enough for even malware “practitioners” to become fervent adopters of Rust. We mention the amusement not because the topic is a laughing matter, not at all, but because it prompted the suggestion that the unpleasant software at least won’t have vulnerabilities of its own.
Beyond becoming memory-safe, new ransomware groups are even preparing for a post-quantum computing reality. Quantum-resistant ransomware was anticipated by Kaspersky last year, and this prophecy appears to be fulfilled (although we must ask: how self-fulfilling are such suggestions?). At any rate, the PE32 ransomware family is cited as adhering to the ML-KEM standard, one method of encryption asserted to be post-quantum ready. It has received lots of scrutiny and prompted fervent defences by its proponents. It may not be suitable for all applications given its larger key/ciphertext sizes, but for ransomware, it appears to be just fine. The extra level of security is giving attackers a leg up on researchers looking to pry open their malware.
Conclusion: take some positives
We must emphasize that the report of a downward trend in ransomware victims is encouraging. This can’t simply be met by cynically saying other, perhaps far worse attacks are happening. Threat actors usually use methods until they need to change, and the only way to spin the ransomware victim decrease negatively is to suggest data leaks are damaging enough already. The positive assertion, one we cannot base upon direct data, may be that deploying ransomware on systems has become tougher.
At any rate, more targeted attacks, more resistant-to-research malware and a greater rate of attacks suggest that there is plenty of work to be done by cyber defenders. Perhaps the tactics mentioned above will highlight just how they can make the lives of their adversaries that little bit more difficult.