Kaspersky’s State of ransomware in 2026 report notes that International Anti-Ransomware Day on May 12 frames a year in which ransomware remains persistent and adaptive, with new families adopting post-quantum cryptographic ciphers and a growing shift towards encryptionless extortion as attacks evolve.
The report highlights that ransom payments have dropped while some groups are adopting data-leak-based extortion methods, and that initial access brokers remain central to the market via an access-as-a-service model, with RDWeb increasingly targeted as a remote access vector alongside RDP and VPN.
It also describes a tightening threat landscape in which EDR killers and BYOVD techniques are used to neutralise defences, and notes that law enforcement actions in 2026 have seized underground forums such as RAMP in January and LeakBase in March. In the manufacturing sector, the report quotes a figure of over $18 billion in potential losses in the first three quarters of 2025, underscoring the continuing financial impact despite a regional or global decline in infections.
The piece lists new actors like The Gentlemen and several others to watch, illustrating a dynamic ecosystem where data-centric extortion and post-quantum readiness are shaping the threat.