With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware landscape.

Khushal

Thread author

Apr 4, 2024
Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026:

  • New families continue to emerge, adopting post-quantum cryptography ciphers.
  • As ransom payments drop, some groups implement encryptionless extortion attacks.
  • In a constantly changing ecosystem of threat actors, initial access brokers maintain a relevant role in this market, showing increased focus on access to RDWeb as the preferred method of remote access.
 
That summary matches several broader trends researchers have been discussing, but the article title itself appears inconsistent with the current year, so I would be careful about treating it as a literal “2026” report unless the publication date confirms that framing.

A few points worth separating

  • Post-quantum cryptography in ransomware: this is plausible as an experimental or emerging trend, but it should not be assumed to be widespread without solid reporting and real-world samples. Threat actors often adopt whatever is practical, fast, and well-supported, so “using PQC” does not automatically mean a major shift across the ransomware landscape.
  • Encryptionless extortion: this is a well-established evolution of the business model. In general, when direct encryption becomes less profitable or riskier, some groups lean more heavily on data theft, leak threats, and operational disruption without deploying a file-encrypting payload.
  • Initial access brokers and RDWeb: access brokers remain relevant because specialization still works for cybercrime ecosystems. If RDWeb is being highlighted, that fits the long-running pattern of attackers favoring exposed remote access services, weak credentials, credential reuse, and poorly secured internet-facing infrastructure.

Why RDWeb matters

RDWeb itself is not “bad,” but exposed remote access portals are consistently attractive targets. The practical risk usually comes from:

  • Weak or reused passwords
  • Lack of MFA
  • Poor patching hygiene
  • Excessive exposure to the public internet
  • Misconfiguration and inadequate monitoring

So the takeaway is less “RDWeb is uniquely dangerous” and more “internet-facing remote access remains a high-value entry point.”

Practical defensive takeaway

For organizations worried about this trend, the most useful priorities are still the basics:

  • Enforce phishing-resistant MFA where possible
  • Reduce or eliminate direct exposure of remote access services to the internet
  • Patch externally exposed systems quickly
  • Monitor authentication logs and impossible-travel/anomalous sign-ins
  • Segment critical systems
  • Maintain offline and tested backups
  • Prepare for data-theft extortion, not just encryption

Bottom line

The extortion-without-encryption point is the strongest and most established trend in that quote. The RDWeb emphasis is also believable in the broader context of exposed remote access abuse. The post-quantum point may be worth watching, but it should be verified carefully before treating it as a major ransomware-wide shift.
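As an added example that is not part of the post above or of the Kaspersky report it quotes: the "monitor authentication logs and impossible-travel/anomalous sign-ins" item is the one defensive priority in the list that reduces to code, so here is a small detector for two sign-in anomalies a defender would watch on an exposed remote-access portal such as RDWeb. It flags password spraying (one source failing against many accounts in a short window) and impossible travel (one account succeeding from two places closer in time than any plausible trip allows). The sample events, the IP-to-location table standing in for a GeoIP database, and the thresholds are all constructed for this example; in practice the events would come from the portal's or the identity provider's normalised sign-in log.

```python
"""Toy detector for two sign-in anomalies: password spraying and impossible travel.
Sample events, the GeoIP stand-in table and the thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events in the shape a portal sign-in log is typically normalised into:
# (UTC timestamp, account, source IP, outcome). One source fails against five accounts in
# five seconds; "alice" succeeds from London and then from New York 45 minutes later.
SAMPLE_EVENTS = [
    ("2024-04-04T08:00:01Z", "alice", "203.0.113.10", "success"),
    ("2024-04-04T08:02:15Z", "bob", "198.51.100.7", "failure"),
    ("2024-04-04T08:02:16Z", "carol", "198.51.100.7", "failure"),
    ("2024-04-04T08:02:17Z", "dave", "198.51.100.7", "failure"),
    ("2024-04-04T08:02:18Z", "erin", "198.51.100.7", "failure"),
    ("2024-04-04T08:02:19Z", "frank", "198.51.100.7", "failure"),
    ("2024-04-04T08:02:20Z", "grace", "198.51.100.7", "success"),
    ("2024-04-04T08:45:00Z", "alice", "192.0.2.55", "success"),
    ("2024-04-04T09:10:00Z", "bob", "203.0.113.10", "success"),
]

# Constructed IP -> (latitude, longitude) table standing in for a real GeoIP lookup.
GEO = {
    "203.0.113.10": (51.5074, -0.1278),   # London
    "192.0.2.55": (40.7128, -74.0060),    # New York
    "198.51.100.7": (52.5200, 13.4050),   # Berlin
}


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime for sorting and arithmetic."""
    ts = datetime.strptime(raw[0], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": raw[1], "ip": raw[2], "outcome": raw[3]}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect_spraying(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failures hit at least min_users distinct accounts inside window."""
    fails = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            fails[e["ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):  # slide the window over each start point
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append((ip, sorted(users)))
                break
    return alerts


def detect_impossible_travel(events, max_speed_kmh=900):
    """Flag consecutive successful logins of one account that imply travel above max_speed_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "success" and e["ip"] in GEO:
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(speed)))
    return alerts


def run(raw_events=SAMPLE_EVENTS):
    """Parse the raw log and return both alert lists."""
    events = [parse_event(r) for r in raw_events]
    return {"spraying": detect_spraying(events), "impossible_travel": detect_impossible_travel(events)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for alert in alerts:
            print(kind, alert)
```

The spraying rule deliberately counts distinct accounts rather than raw failures, since a single locked-out user retrying is noise while five different accounts from one address in seconds is the pattern that matters; the travel rule needs a GeoIP source and a tolerance for VPN egress points, which is why the speed threshold is a parameter rather than a constant.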
 
