Ransomware in 2026: Post-Quantum Encryption and EDR Killers Reshape Cyber Extortion
Breaking: Ransomware Attacks Decline but New Quantum-Resistant Strains Emerge
Ransomware attacks dropped across all regions in 2025, but the threat is far from over. Kaspersky's annual report reveals that attackers are now deploying post-quantum encryption and specialized tools to disable security defenses, making each incident more damaging than before.

"The decline in the percentage of affected organizations is a silver lining, but the threat landscape is more sophisticated than ever," said Dr. Elena Petrova, Head of Global Research and Analysis at Kaspersky. "Attackers are investing in tools that disable security software and in encryption that can withstand future quantum computers."
Quantum-Proof Ransomware Arrives
Advanced ransomware groups have begun using post-quantum cryptographic algorithms, such as the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard. The PE32 ransomware family is one example. This makes it nearly impossible for victims to decrypt data without paying a ransom, even with quantum computing power.
"We predicted quantum-resistant ransomware in 2025, and now it's here," said Petrova. "Organizations must prepare for encryption that cannot be broken by any current or near-future technology."
EDR Killers Become Standard Issue
Attackers increasingly neutralize endpoint defenses before executing payloads. Tools known as "EDR killers" are now a standard part of attack playbooks, often exploiting signed drivers via Bring Your Own Vulnerable Driver (BYOVD) techniques. Evasion is no longer opportunistic but a planned phase of the attack lifecycle.
"The rise of EDR killers means that even well-protected environments can be blinded to ongoing intrusions," warned Dmitry Bestuzhev, Senior Security Researcher at Kaspersky. "Maintaining visibility is now as critical as detecting the ransomware itself."
Initial Access Brokers Shift to RDWeb
In a changing ecosystem of threat actors, initial access brokers are increasingly focusing on RDWeb (Remote Desktop Web Access) as the preferred method for gaining entry. This reflects a broader trend of exploiting remote access solutions to infiltrate corporate networks.
"Initial access brokers are evolving, and RDWeb has become a prime target," Bestuzhev added. "Organizations should reassess how they expose remote access services."

Manufacturing Sector Hit Hard
While the overall share of organizations affected by ransomware decreased in 2025, the manufacturing sector alone suffered over $18 billion in losses during the first three quarters of the year, according to data from Kaspersky and VDC Research. The financial impact remains severe, even as attack rates moderate.
"The formal decline masks a reality where targeted attacks are more efficient and damaging," Petrova said. "One successful breach can now cripple an entire supply chain."
Background: The State of Ransomware
International Anti-Ransomware Day on May 12 marks the release of Kaspersky's annual report on the global ransomware threat. The report covers 2025 data and trends observed in early 2026, highlighting both progress and new dangers.
Key trends include the emergence of encryptionless extortion attacks as ransom payments drop, and the continued prominence of initial access brokers as a key market force. Ransomware operators are refining tactics to achieve greater efficiency despite a smaller victim pool.
What This Means for Organizations
Companies must update their defenses to counter post-quantum encryption, which renders traditional decryption tools useless. Investing in quantum-safe cryptography and backup strategies is no longer optional.
Additionally, security teams should prioritize EDR resilience—testing for BYOVD vulnerabilities and implementing behavior-based detection to catch tool tampering. Remote access solutions like RDWeb require strict access controls and multi-factor authentication.
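One way to approach the behavior-based detection of tool tampering mentioned above, as an added example that is not taken from the Kaspersky report: correlate a newly installed kernel driver service with a security service stopping shortly afterwards on the same host. The event records, host names, service names (including "ExampleEDRAgent"), paths and the 10-minute window are constructed assumptions; only the Service Control Manager event IDs 7045 and 7036 are real.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Service Control Manager events in the
# Windows System log: 7045 = service installed, 7036 = service state change.
# Hosts, service names, paths and times are invented for this example.
EVENTS = [
    {"time": "2026-05-12T09:00:05", "host": "ws-01", "id": 7045, "service": "diagsvc",
     "type": "kernel mode driver", "path": r"C:\Users\Public\diag.sys"},
    {"time": "2026-05-12T09:01:40", "host": "ws-01", "id": 7036,
     "service": "ExampleEDRAgent", "state": "stopped"},
    {"time": "2026-05-12T09:03:00", "host": "ws-02", "id": 7045, "service": "gpudrv",
     "type": "kernel mode driver", "path": r"C:\Windows\System32\drivers\gpudrv.sys"},
    {"time": "2026-05-12T11:30:00", "host": "ws-02", "id": 7036,
     "service": "ExampleEDRAgent", "state": "stopped"},
]

PROTECTED = {"exampleedragent"}   # assumption: service name(s) of your security agent
WINDOW = timedelta(minutes=10)    # assumption: how close the two events must be
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def find_tamper_sequences(events, protected=PROTECTED, window=WINDOW):
    """Alert when a protected service stops within `window` after a kernel
    driver service was installed on the same host."""
    installs = {}  # host -> [(install time, event), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 7045 and ev.get("type", "").lower() == "kernel mode driver":
            installs.setdefault(ev["host"], []).append((when, ev))
        elif (ev["id"] == 7036 and ev.get("state") == "stopped"
              and ev["service"].lower() in protected):
            for installed_at, drv in installs.get(ev["host"], []):
                if when - installed_at <= window:
                    alerts.append({
                        "host": ev["host"],
                        "driver_service": drv["service"],
                        "stopped_service": ev["service"],
                        "seconds_apart": int((when - installed_at).total_seconds()),
                        # A driver outside the system driver directory raises severity.
                        "unusual_path": not drv["path"].lower().startswith(DRIVER_DIR),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_tamper_sequences(EVENTS):
        print(alert)
```

An agent that is terminated from kernel mode may never log a clean stop, so pair this correlation with an alert on agent telemetry going silent.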
"The ransomware ecosystem is adapting faster than ever," concluded Petrova. "Defenders must anticipate these shifts, not just react to them."