Ransomware in 2026: Post-Quantum Encryption and EDR Killers Reshape Cyberthreats

Breaking: Ransomware Attacks Decline but Grow More Sophisticated, Kaspersky Warns

May 12, 2026 – On International Anti-Ransomware Day, Kaspersky released its annual report revealing that while the percentage of organizations hit by ransomware fell across all regions in 2025, the threat is far from over. Attackers are now deploying post-quantum cryptography and specialized 'EDR killer' tools to bypass defenses, making attacks more lethal and harder to stop.

Source: securelist.com

The report, based on data from Kaspersky Security Network, shows the global share of affected organizations dropped in 2025 compared to 2024. Yet the manufacturing sector alone suffered over $18 billion in losses during the first three quarters of 2025, according to joint research by Kaspersky and VDC Research.

Key Findings

  • New ransomware families are adopting post-quantum cryptography, such as the ML-KEM standard seen in the PE32 family.
  • Ransom payments are declining, leading some groups to pivot to encryptionless extortion attacks that steal and threaten to leak data without encrypting files.
  • Initial access brokers remain pivotal, increasingly focusing on RDWeb as the preferred remote access vector.
  • EDR killers have become standard in attack playbooks, using techniques like Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint defenses before ransomware execution.

Post-Quantum Cryptography Meets Malware

One of the most alarming trends is the emergence of ransomware families that use quantum-resistant encryption. The PE32 family, for example, implements the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard, making decryption virtually impossible without the attacker’s key—even with future quantum computers.

“This is a paradigm shift,” said Maxim Pushkin, Lead Security Researcher at Kaspersky. “Attackers are future-proofing their extortion by adopting ciphers that will resist both classical and quantum decryption attempts. Victims can no longer hope for technological breakthroughs to recover data.”

Rise of EDR Killers and Defense Evasion

Ransomware operators now prioritize neutralizing endpoint defenses before launching payloads. Techniques like Bring Your Own Vulnerable Driver (BYOVD) exploit legitimate signed drivers to disable security processes and monitoring agents, blending into normal system activity.


“Evasion is no longer opportunistic; it’s a planned, repeatable phase of the attack lifecycle,” noted Anastasia Ivanova, Senior Security Analyst at Kaspersky. “Organizations must maintain operational visibility even when their security controls are under direct attack.”
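The sequence described in this section (an unfamiliar driver load followed shortly by the endpoint agent going quiet) can be correlated from telemetry held off the endpoint. The following is an added example, not taken from the Kaspersky report: the event schema, host names, driver names, baseline set and 10-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)           # assumed correlation window
BASELINE = {"disk.sys", "ndis.sys"}      # assumed fleet driver baseline (constructed)
SECURITY_AGENTS = {"edr-agent"}          # hypothetical agent name
IMPAIRMENT = {"service_stop", "heartbeat_lost"}  # heartbeat_lost is raised server-side

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2026-05-12T09:00:00", "host": "ws-01", "kind": "driver_load", "name": "ndis.sys"},
    {"ts": "2026-05-12T09:01:00", "host": "ws-01", "kind": "service_stop", "name": "edr-agent"},
    {"ts": "2026-05-12T10:00:00", "host": "ws-02", "kind": "driver_load", "name": "oldvendor.sys"},
    {"ts": "2026-05-12T10:03:00", "host": "ws-02", "kind": "heartbeat_lost", "name": "edr-agent"},
    {"ts": "2026-05-12T11:00:00", "host": "ws-03", "kind": "driver_load", "name": "oldvendor.sys"},
    {"ts": "2026-05-12T11:30:00", "host": "ws-03", "kind": "service_stop", "name": "edr-agent"},
]

def correlate(events, baseline=BASELINE, window=WINDOW):
    """Alert when a non-baseline driver load is followed, on the same host and
    within `window`, by a security agent stopping or losing its heartbeat."""
    alerts = []
    recent = {}  # host -> [(load_time, driver_name)] for non-baseline loads
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "driver_load":
            if ev["name"].lower() not in baseline:
                recent.setdefault(ev["host"], []).append((t, ev["name"]))
        elif ev["kind"] in IMPAIRMENT and ev["name"] in SECURITY_AGENTS:
            for loaded_at, driver in recent.get(ev["host"], []):
                if timedelta(0) <= t - loaded_at <= window:
                    alerts.append({
                        "host": ev["host"],
                        "driver": driver,
                        "signal": ev["kind"],
                        "delay_s": int((t - loaded_at).total_seconds()),
                    })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Because the heartbeat signal is generated by the collector rather than the endpoint, the correlation still fires when the agent is killed without logging its own shutdown.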

Background

Ransomware has been a top cyberthreat since the 2010s, evolving from crude encryptors to sophisticated, multi-extortion operations. By 2025, despite law enforcement takedowns and improved defenses, ransomware-as-a-service (RaaS) models expanded, lowering the barrier to entry for smaller criminal groups.

The decline in attack rates likely reflects better detection and response, but adversaries compensate with higher-impact, targeted strikes. The use of initial access brokers to sell remote desktop access (especially to RDWeb) has become a key enabler.

What This Means

Organizations must update their cybersecurity strategies urgently. Traditional antivirus and signature-based detection are insufficient against zero-day malware that uses post-quantum encryption. Endpoint detection and response (EDR) solutions must be hardened against EDR-killer attacks, and defenses should include file integrity monitoring and behavioral analytics.

Additionally, businesses should prepare for encryptionless extortion—where stolen data alone is used as leverage—by strengthening data backup policies and incident response plans. The ransomware landscape is not retreating; it is retooling for a more dangerous era.
