
When the security team at a mid-market manufacturer noticed that the endpoint agent on a domain controller had stopped reporting telemetry, the host was already in the third hour of an attack. By the time someone walked over, the EDR process was gone. The attacker had loaded a legitimately signed but vulnerable kernel driver and used it to terminate the agent from kernel space. That sequence, kill the agent and then execute the ransomware, sits at the center of Kaspersky's annual State of Ransomware in 2026 report, released around International Anti-Ransomware Day on May 12.
The headline number looks reassuring at first read. Ransomware in 2026 affects a smaller share of organizations than it did in 2024 across every region Kaspersky measures, and Kaspersky Security Network telemetry shows incident counts down as well. Underneath that, the picture changes. In manufacturing alone, Kaspersky and VDC Research estimate ransomware caused more than $18 billion in losses in the first three quarters of 2025. Fewer organizations are getting hit, but the operators still active are running more deliberate, more lucrative campaigns.
EDR killers and BYOVD are now default phases of ransomware in 2026
The shift Kaspersky documents most carefully is the maturing of defense-evasion tooling. EDR killers, utilities designed to terminate endpoint monitoring before payload execution, now appear in attack playbooks as a planned and repeatable phase. The most common technique is Bring Your Own Vulnerable Driver (BYOVD): attackers load a signed but exploitable kernel driver and use its kernel privileges to disable security processes from inside the trust boundary the operating system already grants. The defender's monitoring console goes dark a few minutes before encryption starts. The remediation question shifts from "can we restore from backup" to "did anyone notice the agent stopped reporting." Two signals survive that kill: the driver-load event itself and the loss of the agent's heartbeat, but only if something other than the agent is collecting them. Earlier coverage on AI-powered ransomware that bypasses encrypted backups framed the same trajectory from a different angle.
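The check the paragraph calls for, agent silence on a host that is demonstrably still up, correlated with a kernel driver load just before the last heartbeat, as an added example. This is not code from Kaspersky or from the report. The telemetry is constructed: agent heartbeats, Windows 4624 logon events used only as a liveness signal, and Sysmon Event ID 6 (driver loaded) records; the tuple layouts, host names and the driver file name are assumptions for the example.

```python
"""Flag EDR agents that went silent on hosts that are still alive, and pull the
kernel driver loads recorded just before the agent's last check-in.

Added example; not code from Kaspersky or from the report. All telemetry below is
constructed and the field layouts are assumptions.
"""
from datetime import datetime, timedelta


def parse_ts(ts: str) -> datetime:
    """ISO-8601 with a trailing Z, as most SIEM exports write it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# (host, timestamp): one record per agent check-in. dc01 stops at 13:10.
HEARTBEATS = [
    ("dc01", "2026-05-12T13:00:00Z"), ("dc01", "2026-05-12T13:05:00Z"),
    ("dc01", "2026-05-12T13:10:00Z"),
    ("fs02", "2026-05-12T13:00:00Z"), ("fs02", "2026-05-12T13:20:00Z"),
    ("fs02", "2026-05-12T13:40:00Z"),
    ("ws17", "2026-05-12T13:00:00Z"), ("ws17", "2026-05-12T13:05:00Z"),
]

# (host, timestamp, LogonType): 4624 events collected by a path the EDR agent does
# not control (e.g. a Windows Event Forwarding subscription). Any event after the
# agent's last heartbeat proves the host is up and the silence is not a power-off.
LOGONS = [
    ("dc01", "2026-05-12T13:22:00Z", 3),
    ("fs02", "2026-05-12T13:30:00Z", 3),
    ("ws17", "2026-05-12T13:02:00Z", 2),
]

# (host, timestamp, ImageLoaded, Signature): Sysmon Event ID 6 fields. The
# vendor_tool.sys name is invented for this example.
DRIVER_LOADS = [
    ("dc01", "2026-05-12T13:08:30Z", r"C:\Windows\Temp\vendor_tool.sys", "Example Hardware Vendor"),
    ("fs02", "2026-05-12T12:58:00Z", r"C:\Windows\System32\drivers\ntfs.sys", "Microsoft Windows"),
]

# Drivers expected on these hosts. In production this is a per-role baseline, and a
# hash denylist (Microsoft's vulnerable driver blocklist, loldrivers.io) is checked
# alongside it; an allowlist alone is used here to keep the example short.
BASELINE_DRIVERS = {r"c:\windows\system32\drivers\ntfs.sys"}


def last_heartbeat(heartbeats):
    """Most recent check-in per host."""
    last = {}
    for host, ts in heartbeats:
        t = parse_ts(ts)
        if host not in last or t > last[host]:
            last[host] = t
    return last


def classify_silence(heartbeats, logons, now, max_gap=timedelta(minutes=10)):
    """Hosts whose agent missed its window, split by whether the host is still
    producing other telemetry. 'silent_but_alive' is the agent-kill signature;
    'silent_no_activity' is more likely a reboot or shutdown."""
    last = last_heartbeat(heartbeats)
    findings = {}
    for host, last_seen in last.items():
        if now - last_seen <= max_gap:
            continue
        alive = any(h == host and parse_ts(ts) > last_seen for h, ts, _ in logons)
        findings[host] = "silent_but_alive" if alive else "silent_no_activity"
    return findings


def driver_loads_before_silence(driver_loads, heartbeats, baseline, window=timedelta(minutes=30)):
    """Non-baseline driver loads that landed inside `window` before the host's
    last agent heartbeat: the BYOVD step that precedes the kill."""
    last = last_heartbeat(heartbeats)
    hits = []
    for host, ts, image, signature in driver_loads:
        if image.lower() in baseline or host not in last:
            continue
        t = parse_ts(ts)
        if last[host] - window <= t <= last[host]:
            hits.append((host, image, signature))
    return hits


if __name__ == "__main__":
    now = parse_ts("2026-05-12T13:45:00Z")
    for host, status in classify_silence(HEARTBEATS, LOGONS, now).items():
        print(f"{host}: {status}")
    for host, image, sig in driver_loads_before_silence(DRIVER_LOADS, HEARTBEATS, BASELINE_DRIVERS):
        print(f"{host}: loaded {image} signed by '{sig}' shortly before the agent went dark")
```

The liveness signal has to come from a collector the agent does not own, otherwise the kill takes the evidence with it. The preventive control on the driver side is Microsoft's recommended driver block rules with HVCI enabled, which refuse known-vulnerable signed drivers at load time; the detection above is for the gap between a driver being abused and it being added to that list.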
This matters for the rest of the report. Qilin took over the top spot among ransomware groups in 2025 after RansomHub went dormant. It runs a high-volume affiliate model that depends on evasion playbooks scaling cleanly. Clop holds second place through its supply-chain pattern of exploiting file-transfer and enterprise software for one-to-many compromises. Akira sits third on consistency — it has held steady output without the operational disruption that fragmented several peer groups.
Encryption-less extortion and post-quantum families change the calculus
The second shift is structural. With ransom payment rates down to 28 percent in 2025, several groups have abandoned encryption entirely. They build leverage around data exposure alone. ShinyHunters operates this way; its data leak site is the entire monetization channel. Encryption-less extortion shortens attack dwell time, reduces detection windows, and renders backup-based recovery irrelevant. Backups protect against file destruction, not against the regulator’s response to a leak. CSI’s earlier reporting on gangs threatening to wipe data instead of double extortion documented the same monetization shift.
The third shift is forward-looking. New ransomware families, including the PE32 family, have started protecting their AES file keys with ML-KEM, the National Institute of Standards and Technology post-quantum key-encapsulation standard (FIPS 203). Kyber1024, the parameter set Kaspersky names, corresponds to ML-KEM-1024, NIST security category 5, designed to resist both classical and quantum cryptanalysis. A KEM is not a cipher: in the usual hybrid construction the malware encapsulates a shared secret to the operator's public key and uses that secret to wrap the symmetric keys, so the files cannot be opened without the operator's private key. The practical takeaway is narrow. Where the RSA-wrapped keys of older families would at least in principle fall to a future large quantum computer, files encrypted by these families will not, so the only defensive path is stopping the attack before it reaches encryption.
Initial access brokers still own the choke point
Underneath the technical shifts, the entry vector has not changed. Kaspersky’s report names RDP, VPN, and RDWeb as the top three access vectors ransomware operators buy from initial access brokers. RDWeb in particular has become a focus as organizations have hardened RDP exposure to the internet. The access-as-a-service market commoditizes the hardest part of an intrusion. Preventing initial compromise is only half the defensive surface — detecting misuse of legitimate credentials and constraining lateral movement matters at least as much.
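Two of the credential-misuse checks this paragraph argues for, run over Windows 4624 logon events, as an added example that is not part of the report: RDP sessions (LogonType 10) arriving from outside the internal address space, and one account fanning out to many hosts over network logons in a short window. The events are constructed; the field order (timestamp, account, target host, LogonType, source IP), the host names and the internal ranges are assumptions for the example.

```python
"""Two checks for misuse of legitimate credentials over Windows 4624 logon events.

Added example; not code from Kaspersky or from the report. Events are constructed
and the field layout is an assumption.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate ranges; loopback is treated as internal as well.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (timestamp, account, target host, LogonType, source IP).
# LogonType 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
# 203.0.113.0/24 is a documentation range standing in for "the internet".
LOGON_EVENTS = [
    ("2026-05-12T09:58:00Z", "svc_backup", "rdweb01", 10, "203.0.113.45"),
    ("2026-05-12T10:01:00Z", "svc_backup", "fs02", 3, "10.20.0.15"),
    ("2026-05-12T10:02:00Z", "svc_backup", "fs03", 3, "10.20.0.15"),
    ("2026-05-12T10:03:00Z", "svc_backup", "dc01", 3, "10.20.0.15"),
    ("2026-05-12T10:04:00Z", "svc_backup", "app07", 3, "10.20.0.15"),
    ("2026-05-12T10:05:00Z", "jdoe", "ws17", 2, "127.0.0.1"),
    ("2026-05-12T10:06:00Z", "jdoe", "fs02", 3, "10.20.1.33"),
    ("2026-05-12T11:00:00Z", "rsmith", "ws20", 10, "10.20.1.40"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def external_remote_interactive(events):
    """RDP sessions whose source address is not internal: RDP still exposed to the
    internet, or a brokered credential being used from an external foothold."""
    return [(ts, acct, host, ip) for ts, acct, host, ltype, ip in events
            if ltype == 10 and not is_internal(ip)]


def lateral_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Accounts reaching at least `min_hosts` distinct hosts over network logons
    inside `window`. A service account normally touches a fixed, small set of
    hosts; a sudden fan-out is the lateral-movement shape of a ransomware operator
    staging deployment."""
    by_account = defaultdict(list)
    for ts, acct, host, ltype, _ in events:
        if ltype == 3:
            by_account[acct].append((parse_ts(ts), host))
    findings = {}
    for acct, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings[acct] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for ts, acct, host, ip in external_remote_interactive(LOGON_EVENTS):
        print(f"{ts} external RDP: {acct} -> {host} from {ip}")
    for acct, hosts in lateral_fanout(LOGON_EVENTS).items():
        print(f"{acct} reached {len(hosts)} hosts in 10 min: {', '.join(hosts)}")
```

One caveat for the first check: when sessions come in through RDWeb and an RD Gateway, the 4624 on the target host records the gateway's internal address as the source, so the external-source test has to run against the gateway's own connection logs rather than the endpoint's security log. The fan-out threshold should be tuned per account class; four hosts in ten minutes is normal for an administrator's jump host and abnormal for a backup service account.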
The defender’s response to ransomware in 2026 is no longer a recovery question. The mid-market manufacturer whose EDR agent went silent on a Tuesday afternoon did not have a backup problem. They had a monitoring-integrity problem. The agent-kill event was the moment the attack was still containable. By the time encryption fired, it wasn’t.