Marking yesterday’s International Anti-Ransomware Day, Kaspersky has shared a report with an overview of ransomware trends that marked 2025, as well as insights into what the threat landscape holds in 2026.

The cybersecurity specialist says that in 2025, Latin America had the highest share of organisations with ransomware attacks detected (8,13%), followed by the Asia-Pacific region (7,89%), Africa (7,62%), the Middle East (7,27%), the Commonwealth of Independent States (CIS, 5,91%) and Europe (3,82%). The report highlights the rise of “encryption-less” extortion attacks, the use of post-quantum cryptography by ransomware groups, and the persistent use of Telegram channels by cybercriminals to distribute compromised data sets and credentials.

Despite a slight decline in the overall share of organisations attacked by ransomware in 2025 compared to 2024, users remain at significant risk as attackers industrialise their operations, automate intrusion methods, and increasingly focus on stealing and leaking sensitive data rather than simply encrypting systems.

One of the trends in 2025 is the continued rise of endpoint detection and response (EDR) “killers” – tools specifically designed to disable endpoint security solutions before the malware itself is executed. EDR killers have become a standard component of attacks, which points to more deliberate and methodical intrusions.

Researchers also noted the emergence of ransomware families adopting post-quantum cryptography standards, as Kaspersky had previously predicted. This development signals a concerning shift toward encryption methods that could resist future quantum computing decryption attempts.

The role of Initial Access Brokers (IABs) – cybercriminal intermediaries that sell pre-compromised corporate access through underground forums and messaging platforms – is growing. RDWeb portals (websites through which devices can be controlled remotely) are increasingly targeted as ransomware groups continue to industrialise attacks through “Access-as-a-Service” operations. As a result, the barrier to launching ransomware attacks is falling.

Telegram channels and dark web forums continue to function as platforms for the distribution and sale of compromised data sets and access, including those obtained as a result of ransomware attacks. A major underground forum, RAMP – which also functioned as a platform through which threat actors advertised their ransomware services and published service‑related updates – was seized by authorities in January 2026. Another underground forum, LeakBase, where malicious actors distributed exfiltrated and compromised data, was seized in March 2026. However, while law enforcement agencies are actively shutting down dark web platforms and ransomware data leak sites, similar portals may appear over time.

Active groups

Among the most active ransomware groups in 2025 based on data leak sites, Kaspersky identified Qilin as the dominant ransomware-as-a-service (RaaS) operator following RansomHub’s cessation of operations. Clop ranked as the second most active group, with Akira in third place.

While several major ransomware groups ceased operations in 2025, new actors emerged.

Looking at 2026, the Gentlemen is one of the most important new ransomware actors due to the group’s rapid growth, structured operations, and increasing focus on data-centric extortion. The group may include attackers formerly associated with other major ransomware operations. The Gentlemen exemplify a broader shift in the ransomware ecosystem away from chaotic, high-noise campaigns toward scalable, business-like extortion models focused primarily on stealing sensitive data and leveraging reputational and regulatory pressure rather than relying solely on disruptive file encryption.

“Ransomware has evolved into a highly organised ecosystem focused on monetising stolen data, disabling defences, and scaling attacks with business-like efficiency,” says Fabio Assolini, lead security researcher at Kaspersky GReAT. “Threat actors are quickly adapting, weaponising legitimate tools, exploiting remote access infrastructure, and even adopting post-quantum cryptography years earlier than many expected.

“The purpose of Anti-Ransomware Day is to raise global awareness about the threats posed by ransomware and to promote best practices for prevention and response – and we urge all users to stay secure, set up layered defences, invest in backups and boost cyberliteracy levels to counter attacks,” Assolini adds.