Digital Media Engineering - Kaspersky Warns on Ransomware Trends

Kaspersky Warns on Ransomware Trends - Digital Media Engineering

Ransomware attacksare no longer random strikes; They are highly organized, data-centric operations driven by skilled adversaries who monetize stolen information. In 2025, as observed by Kaspersky, threat actors leaned into data exfiltration and post-quantum cryptography, signaling a shift from mere encryption to systematic data leverage. By 2026, the threat landscape has evolved into a mature ecosystem where access, not just encryption, determines success. This guide reveals the latest TTPs, actor dynamics, and practical, battle-tested defenses that help you outpace adversaries and protect critical assets.

Key Trends Driving 2026 Threats

Data-centric distortiondominates the playbook. Instead of only encrypting files, attackers steal data and threaten public release, regulatory penalties, and reputational damage. Expect more targeted exfiltration, faster data movement, and an emphasis on sensitive datasets such as customer lists, financial records, and R&D secrets.

Post-quantum cryptographymoves from theory to practice. Several ransomware families are experimenting with quantum-resistant algorithms to future-proof their loot, while defenders must preemptively adopt hardened cryptographic strategies to prevent data compromise even under quantum-capable adversaries.

Remote access–as–a–service (RaaS) and Initial Access Brokers (IAB)continue to lower the bar for entry. Modern campaigns rely on marketplace access, pre-breached credentials, and turnkey tools. Organizations must scrutinize supply chains, vendor access, and third-party risk as part of proactive defense.

Living-off-the-land tactics and EDR killersgrow more prevalent. Adversaries disable endpoint defenses with built-in tools and EDR evasiontechniques before deployment, enabling smoother, faster, and more scalable inputs. This requires layered security that cannot rely on a single endpoint solution.

Who Is Behind the Threatscape?

Leading actors have shifted from isolated groups to organized ecosystems. In 2025–2026, a few stands shape the terrain:

RansomHuband its escalation to a pivotal RaaSoperator increasingly prioritizing data theft and extortion as a service offering.
clopoath Akiramaintain high activity with data-centric extortion, threatening big targets with public data dumps.
Gentlemenemerges as a major new actor, signaling a wider ecosystem transformation toward scalable, data-driven extortion models rather than chaotic, noisy attacks.

These actors leverage dark web forumsoath Telegram channelsto monetize stolen datasets, sell access, and coordinate campaigns. The onslaught is less about naïve break-ins and more about structured campaigns with repeatable workflows.

Operational Shifts You Must Prepare For

Access-as-a-Servicelowers entry barriers for criminals, meaning even smaller enterprises face credible threats. Prepare by hardening remote access, monitoring unusual login patterns, and enforcing least privilege across all endpoints and cloud resources.

Supply chain and third-party riskintensify Compromised vendor credentials enable widespread infiltration. Build a robust third-party risk program, including contractual security expectations, continuous monitoring, and automated revocation workflows.

Offline backups and immutable storagebecome non-negotiable. Off-network backups prevent tampering by intruders and enable rapid recovery, even after sophisticated ransomware operations.

Defensive Playbook: 12 Actions That Work

Enable ransomware protection on all endpoints. Deploy a layered anti-ransomware solution and ensure compatibility with existing security tools. Verify that backups cannot be overwritten by attackers.
Keep software updatedacross devices to close known vulnerabilities attackers exploit.
Detect lateral movement and data exfiltrationwith emphasis on outbound traffic. Implement network segmentation to minimize blast radius.
Implement offline backupsand regular restore testing to guarantee rapid recovery in emergencies.
Adopt anti-APT and EDR capabilitiesfor proactive threat hunting, incident response, and rapid remediation. Ensure SOC teams have access to current threat intelligence.
Utilize threat intel feedsand continuous training to keep defenders sharp against evolving actor TTPs.
Harden remote access points(VPNs, RDWeb, RDP) and monitor for credential stuffing and brute-force attempts.
Employ strong identity controlswith MFA, zero-trust principles, and just-in-time access for privileged accounts.
Improve data loss prevention (DLP) controlsto detect and block suspicious exfiltration attempts.
Enforce endpoint integrity checksto ensure critical security services remain active and tamper-free.
Segment networks by functionand apply policy-based controls to limit east-west movement.
Foster a strong security culturewith ongoing training, phishing simulations, and clear incident response playbooks.

Strategic Defenses Against a Data-Oriented Threat

To outrun modern ransomware campaigns, organizations must embrace a comprehensive, layered strategy built on visibility, rapid response, and resilience. Begin with a mature threat model that maps critical data, high-value assets, and potential attacker paths. Then implement guardrails that push attackers toward failure states rather than success.

visibilitystarts with full asset discovery, continuous monitoring, and real-time telemetry across endpoints, users, and cloud resources. Use behavior-based analytics to spot anomalies such as sudden file exfiltration or unusual privilege escalations.

ResponseCenters on automated containment, rapid credential revocation, and verified backups. A tested incident response plan reduces dwell time and limits damage from data leakage or encryption attempts.

Resiliencemeans minimizing the impact of an incident through immutable backups, diverse data replication, and rehearsed business continuity protocols. Regular tabletop exercises ensure teams remain ready for real events.

Specific Recommendations for 2026–2027

Industry-leading practices translate into concrete steps you can implement now:

Adopt a multi-layered security posturecombining anti-ransomware, EDR, anti-APT, MFA, and network segmentation.
Strengthen data governancewith classification, encryption, and strict access controls for sensitive datasets.
Automate backups and testingso recovery is fast and reliable even if attackers disable standard defenses.
Invest in cyber literacyacross all staff, with focus on phishing awareness and social-engineering resilience.
Engage with threat intelligence sharingto stay ahead of actor campaigns and adjust defenses proactively.

“Fidelity to verifiable security practices and timely response are the only reliable countermeasures against a sophisticated, data-driven ransomware ecosystem.”