SonicWall, DragonForce, Fortinet, Cl0p and Play: Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft

Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape

Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) 2026 reveals a rapidly evolving cybercrime ecosystem, marked by professionalized ransomware operations, the exploitation of AI, and deepening ties between cybercriminals and hybrid threat actors. The report, covering trends from 2025, highlights a shift in extortion tactics, the rise of ransomware-as-a-service (RaaS), and the growing intersection of cybercrime with broader criminal networks.

Ransomware Dominates, Tactics Evolve

Ransomware remains the EU’s most pervasive cyber threat, with over 120 active brands observed in 2025. Attackers are moving away from traditional data encryption, instead favoring pure data theft and extortion, leveraging psychological pressure tactics such as DDoS attacks, corporate email spamming, and cold-calling victims. The report notes that enterprises are often less prepared for data leaks than encryption, making this shift particularly effective.

The RaaS model has lowered the barrier to entry, enabling even low-skilled actors to launch attacks using bundled toolkits. These platforms now offer integrated services, including botnets for payload delivery, data exfiltration infrastructure, machine learning support, and ransom negotiation tools. Operators take a cut of each payment, incentivizing the development of streamlined, all-in-one offerings.

Key ransomware groups in 2025 include:

  • Qilin: A dominant player with ties to the defunct Conti group, offering high affiliate payouts (up to 85%) and automated exploitation of Fortinet SSL VPN vulnerabilities.
  • Akira: Linked to Conti, expanding attacks to virtualized environments via SonicWall VPN flaws.
  • DragonForce: A modular, service-driven group using leaked Conti and LockBit code, specializing in tailored extortion for high-value targets.
  • LockBit: Struggled to recover after its 2024 takedown but released a cross-platform variant with enhanced anti-forensics.
  • Cl0p & Play: Closed groups operating with strict internal security, targeting critical infrastructure and deploying double extortion.

A new alliance between DragonForce, LockBit, and Qilin emerged in late 2025, signaling deeper collaboration in the ransomware ecosystem. Meanwhile, semi-closed and closed groups such as Fog and BlackBasta are adopting tighter control, recruiting only trusted affiliates and developing proprietary tools to evade detection.

Hybrid Threats and Cybercrime-as-a-Service

The IOCTA 2026 report warns of blurring lines between cybercriminals and hybrid threat actors, with state-linked groups increasingly using criminal networks as proxies for disruptive operations. In the cybercrime-as-a-service (CaaS) economy, hybrid actors are simply another customer, complicating attribution and enforcement.

A notable development is the Scattered LAPSUS$ Hunters (SLSH) alliance, formed in August 2025 by Scattered Spider, ShinyHunters, and LAPSUS$. These English-speaking groups specialize in SIM swapping, social engineering, insider recruitment, and large-scale data theft, targeting corporations, healthcare, and transport sectors. Their tactics include persistent harassment post-payment, and some members have ties to The Com network, a criminal ecosystem linked to extremism and child exploitation.

AI, Infostealers, and DDoS as Enablers

Cybercriminals are rapidly adopting AI tools to automate attacks, enhance social engineering, and blur the line between legitimate and malicious technology. Infostealers remain a critical enabler, fueling a broad illicit market that supplies ransomware affiliates, fraudsters, and initial access brokers (IABs).

DDoS attacks persist as a low-effort, high-impact tool, often used for extortion or ideological disruption. While mitigation measures have improved, the minimal resources required make DDoS a sustainable strategy for destabilization, with targets including governments and critical infrastructure.

Law Enforcement Challenges and Future Outlook

Europol’s Executive Director, Catherine De Bolle, emphasized the urgent need for proactive, collaborative efforts to counter cybercrime’s accelerating pace. The report calls for:

  • Investment in AI capabilities for law enforcement.
  • Stronger cross-border cooperation and data retention policies.
  • Closer private-sector collaboration to access critical data held by online service providers.

The IOCTA 2026 report concludes that the cybercrime landscape will continue evolving at speed, driven by advanced tools and complex criminal networks. Law enforcement’s ability to close the "velocity gap" by matching the pace of cybercriminal innovation will determine its effectiveness in the coming years.

Source: https://industrialcyber.co/reports/europol-iocta-2026-report-flags-shift-to-industrialised-cybercrime-powered-by-ai-ransomware-and-data-theft/

{
"id": "PHISONFORDRARAV1777458596",
"linkid": "philips-professional-display-solutions, sonicwall, fortinet, drakontas-llc, ravensguard-security",
"type": "Vulnerability",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['multiple'],
                        'location': 'EU',
                        'type': ['enterprises',
                                 'critical infrastructure',
                                 'healthcare',
                                 'transport sectors']}],
 'attack_vector': ['Ransomware-as-a-Service (RaaS)',
                   'exploitation of VPN vulnerabilities (Fortinet SSL VPN, '
                   'SonicWall VPN)',
                   'social engineering',
                   'SIM swapping',
                   'insider recruitment',
                   'AI-enhanced attacks'],
 'data_breach': {'data_encryption': ['partial (ransomware strains)',
                                     'none (pure data theft extortion)'],
                 'data_exfiltration': 'yes',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'corporate data',
                                              'sensitive business '
                                              'information']},
 'date_publicly_disclosed': '2026',
 'description': 'Europol’s latest Internet Organised Crime Threat Assessment '
                '(IOCTA) 2026 reveals a rapidly evolving cybercrime ecosystem, '
                'marked by professionalized ransomware operations, the '
                'exploitation of AI, and deepening ties between cybercriminals '
                'and hybrid threat actors. The report highlights shifts in '
                'extortion tactics, the rise of ransomware-as-a-service '
                '(RaaS), and the intersection of cybercrime with broader '
                'criminal networks.',
 'impact': {'brand_reputation_impact': 'high (due to data leaks and extortion '
                                       'tactics)',
            'data_compromised': 'high-volume data theft and exfiltration',
            'identity_theft_risk': 'high (due to infostealers and PII '
                                   'exposure)',
            'operational_impact': 'persistent harassment post-payment, '
                                  'psychological pressure tactics (DDoS, email '
                                  'spamming, cold-calling)',
            'payment_information_risk': 'high (due to data exfiltration and '
                                        'ransomware attacks)',
            'systems_affected': ['enterprise systems',
                                 'critical infrastructure',
                                 'healthcare',
                                 'transport sectors']},
 'initial_access_broker': {'data_sold_on_dark_web': 'yes (infostealer logs, '
                                                    'PII, corporate data)',
                           'entry_point': ['VPN vulnerabilities',
                                           'social engineering',
                                           'insider recruitment'],
                           'high_value_targets': 'enterprises, critical '
                                                 'infrastructure, healthcare, '
                                                 'transport sectors'},
 'investigation_status': 'ongoing (trends from 2025 analyzed in 2026 report)',
 'lessons_learned': 'Enterprises are less prepared for data leaks than '
                    'encryption; RaaS has lowered the barrier to entry for '
                    'cybercriminals; hybrid threats are blurring lines between '
                    'cybercrime and state-linked actors; AI is being rapidly '
                    'adopted by cybercriminals.',
 'motivation': ['financial gain',
                'extortion',
                'data theft',
                'disruption',
                'ideological motives'],
 'post_incident_analysis': {'corrective_actions': ['Patch management for VPN '
                                                   'and critical systems',
                                                   'Enhanced monitoring and '
                                                   'AI-driven threat detection',
                                                   'Cross-border law '
                                                   'enforcement collaboration',
                                                   'Private-sector data '
                                                   'sharing initiatives'],
                            'root_causes': ['RaaS model lowering entry '
                                            'barriers',
                                            'exploitation of unpatched VPN '
                                            'vulnerabilities',
                                            'AI-enhanced attack automation',
                                            'blurring lines between '
                                            'cybercriminals and hybrid threat '
                                            'actors',
                                            'lack of preparedness for data '
                                            'leak extortion']},
 'ransomware': {'data_encryption': ['yes (some strains)',
                                    'no (pure data theft extortion)'],
                'data_exfiltration': 'yes',
                'ransomware_strain': ['Qilin',
                                      'Akira',
                                      'DragonForce',
                                      'LockBit',
                                      'Cl0p',
                                      'Play',
                                      'Fog',
                                      'BlackBasta']},
 'recommendations': ['Investment in AI capabilities for law enforcement',
                     'Stronger cross-border cooperation and data retention '
                     'policies',
                     'Closer private-sector collaboration to access critical '
                     'data held by online service providers',
                     "Proactive measures to close the 'velocity gap' between "
                     'cybercriminal innovation and law enforcement response'],
 'references': [{'source': 'Europol’s Internet Organised Crime Threat '
                           'Assessment (IOCTA) 2026'}],
 'response': {'enhanced_monitoring': 'recommended for future incidents',
              'law_enforcement_notified': 'Europol and cross-border agencies '
                                          'involved in analysis and response'},
 'stakeholder_advisories': 'Law enforcement agencies, private sector, and '
                           'critical infrastructure operators advised to '
                           'enhance collaboration and AI-driven defenses.',
 'threat_actor': ['Qilin',
                  'Akira',
                  'DragonForce',
                  'LockBit',
                  'Cl0p',
                  'Play',
                  'Fog',
                  'BlackBasta',
                  'Scattered Spider',
                  'ShinyHunters',
                  'LAPSUS$',
                  'The Com network'],
 'title': 'Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats '
          'Reshape Cybercrime Landscape',
 'type': ['ransomware',
          'data extortion',
          'cybercrime-as-a-service',
          'DDoS',
          'infostealer attacks'],
 'vulnerability_exploited': ['Fortinet SSL VPN vulnerabilities',
                             'SonicWall VPN flaws',
                             'virtualized environment exploits']}