SonicWall and Fortinet: BYOVD Attacks Help Ransomware Gangs Bypass Endpoint Defenses

Ransomware Evolves into Stealthier, More Destructive Threat in 2026

In 2026, ransomware attacks have shifted from opportunistic strikes to highly calculated, multi-stage operations that adapt to global anti-ransomware efforts. A new Kaspersky report finds that while overall attack volumes declined in 2025, the sophistication of these threats has surged, with manufacturing alone facing an estimated $18 billion in potential losses.

Attackers now abuse trusted system components to evade detection before deploying their payloads. A key tactic is "Bring Your Own Vulnerable Driver" (BYOVD): the intruder drops a legitimately signed but exploitable driver, loads it into the kernel, and uses its flaws to terminate or blind security tooling. The "EDR killers" bundled with many ransomware toolkits are built on this technique and shut down endpoint monitoring agents from kernel context. Because the driver carries a valid signature, the load itself looks benign, which turns evasion into a repeatable phase of the attack lifecycle that systematically erodes defensive visibility.
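As an added example (not from the article or the Kaspersky report it summarizes), the Python script below shows what a detection for the BYOVD pattern looks like when run over driver-load telemetry. It consumes a flattened key=value rendering of Sysmon Event ID 6 (driver loaded) and Event ID 11 (file created) records, constructed for this example, and scores each driver load on four signals: the image hash is on a vulnerable-driver list, the image was loaded from outside the driver directories, the signature is missing or invalid, and the file was written to disk moments before it was loaded. The hashes, paths, vendor name and the `KNOWN_VULNERABLE_SHA256` table are all constructed; a real deployment would populate that table from the LOLDrivers project or Microsoft's vulnerable driver blocklist.

```python
"""Score kernel driver loads for the BYOVD / EDR-killer pattern.

Added example, not code from the article or the Kaspersky report. Input is a
flattened key=value form of Sysmon Event 6 (driver loaded) and Event 11 (file
created) records; real Sysmon emits XML, the layout here is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed SHA-256 values standing in for entries of a vulnerable-driver
# list (LOLDrivers, Microsoft's blocklist). These are NOT real driver hashes.
KNOWN_VULNERABLE_SHA256 = {
    "aa" * 32: "constructed: signed driver with arbitrary kernel write",
    "bb" * 32: "constructed: signed driver with process-termination IOCTL",
}

# Directories from which a driver load is normal on a Windows host.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed telemetry: a dropper writes a blocklisted-but-validly-signed
# driver to ProgramData and loads it a second later; ndis.sys is the benign
# control; kdrv.sys is an unsigned driver loaded from a public directory.
SAMPLE_LOG = "\n".join([
    r"EventID=11 UtcTime=2026-03-02 09:13:41.004 Image=C:\Users\svc_backup\AppData\Local\Temp\upd.exe TargetFilename=C:\ProgramData\Intel\drv\hwmon_example.sys",
    r"EventID=6 UtcTime=2026-03-02 09:13:42.210 ImageLoaded=C:\ProgramData\Intel\drv\hwmon_example.sys Hashes=SHA256=" + "aa" * 32 + " Signed=true Signature=Contoso Hardware Ltd SignatureStatus=Valid",
    r"EventID=6 UtcTime=2026-03-02 09:14:03.112 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Hashes=SHA256=" + "cc" * 32 + " Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=6 UtcTime=2026-03-02 09:20:17.551 ImageLoaded=C:\Users\Public\kdrv.sys Hashes=SHA256=" + "dd" * 32 + " Signed=false Signature=- SignatureStatus=Unavailable",
])

# key=value pairs whose values may contain spaces (e.g. "Signature=Microsoft
# Windows"); a value ends where the next " Key=" begins or the line ends.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
SHA256_RE = re.compile(r"SHA256=([0-9a-fA-F]{64})")


def parse_record(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def extract_sha256(hashes_field):
    m = SHA256_RE.search(hashes_field)
    return m.group(1).lower() if m else None


def analyze(lines, blocklist=KNOWN_VULNERABLE_SHA256, drop_window=timedelta(minutes=5)):
    """Return one finding per driver load: path, sha256, score, reasons, suspicious."""
    recent_creates = {}  # lowercase path -> (written_at, writing process)
    findings = []
    for line in lines:
        rec = parse_record(line)
        if "EventID" not in rec:
            continue
        ts = parse_time(rec["UtcTime"])
        if rec["EventID"] == "11":
            recent_creates[rec["TargetFilename"].lower()] = (ts, rec.get("Image", "?"))
            continue
        if rec["EventID"] != "6":
            continue
        path = rec["ImageLoaded"]
        sha = extract_sha256(rec.get("Hashes", ""))
        score, reasons = 0, []
        if sha in blocklist:
            score += 3
            reasons.append(f"hash on vulnerable-driver list ({blocklist[sha]})")
        if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
            score += 2
            reasons.append("loaded from outside the driver directories")
        # Caveat: a BYOVD driver is normally validly signed, so Signed=true
        # is never exculpatory here; a bad signature just adds weight.
        if rec.get("Signed", "").lower() != "true" or rec.get("SignatureStatus") != "Valid":
            score += 2
            reasons.append("not validly signed")
        created = recent_creates.get(path.lower())
        if created and timedelta(0) <= ts - created[0] <= drop_window:
            age = int((ts - created[0]).total_seconds())
            score += 1
            reasons.append(f"written to disk {age}s before load by {created[1]}")
        findings.append({"path": path, "sha256": sha, "score": score,
                         "reasons": reasons, "suspicious": score >= 3})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} score={f['score']} {f['path']}")
        for r in f["reasons"]:
            print(f"             - {r}")
```

The hash and path signals carry the weight because a validly signed driver is the expected case for BYOVD; the Event 11 correlation is what names the dropper process, which is the pivot for the rest of the investigation. Preventively, enabling Microsoft's vulnerable driver blocklist (enforced through HVCI or a WDAC policy) refuses the load before any of this telemetry matters.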

Ransomware developers are also future-proofing their malware with post-quantum cryptography, such as the PE32 family's use of ML-KEM (Kyber1024), whose security category is comparable to exhaustive key search against AES-256. ML-KEM is a key-encapsulation mechanism rather than a file cipher: in such a design it protects the symmetric key that actually encrypts the files, so recovery depends on a private decapsulation key held only by the attacker. In practice that leaves victims with no realistic path to decryption short of paying.

With the share of victims who pay a ransom dropping to 28% in 2025, threat actors are pivoting to encryptionless extortion. Instead of locking files, they steal sensitive data and threaten to publish it, turning ransomware into a data security and compliance crisis, one that backups alone cannot mitigate.

The criminal ecosystem has also shifted. Following the disappearance of RansomHub in 2025, Qilin has emerged as the dominant ransomware-as-a-service (RaaS) platform, while newer groups such as "The Gentlemen" operate with structured, business-like efficiency. Other emerging actors, including Devman, MintEye, and DireWolf, show how low the barrier to entry remains; they frequently target enterprise network hardware from Fortinet, SonicWall, and Cisco.

As ransomware evolves, organizations face an increasingly hostile landscape where even their own security tools are under siege.

Source: https://cyberpress.org/byovd-attacks-bypass-defenses/

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

"id": "SONFOR1778660813",
"linkid": "sonicwall, fortinet",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Manufacturing', 'type': 'Manufacturing'}],
 'attack_vector': ['Exploitation of trusted system components',
                   'Bring Your Own Vulnerable Driver (BYOVD)'],
 'data_breach': {'data_encryption': 'Yes (post-quantum cryptography - '
                                    'ML-KEM/Kyber1024)',
                 'data_exfiltration': 'Yes (encryptionless extortion)',
                 'sensitivity_of_data': 'High (personally '
                                        'identifiable/sensitive business data)',
                 'type_of_data_compromised': 'Sensitive data'},
 'date_publicly_disclosed': '2026',
 'description': 'In 2026, ransomware attacks have shifted from opportunistic '
                'strikes to highly calculated, multi-stage operations, '
                'adapting to global anti-ransomware efforts. Attackers exploit '
                'trusted system components to evade detection, using '
                "techniques like 'Bring Your Own Vulnerable Driver' (BYOVD) to "
                'disable security tools. Ransomware developers are using '
                'post-quantum cryptography (e.g., ML-KEM/Kyber1024) to ensure '
                'file recovery is impossible without payment. With ransom '
                'payments declining, threat actors pivot to encryptionless '
                'extortion, stealing data and threatening public disclosure. '
                'New ransomware groups like Qilin, The Gentlemen, Devman, '
                'MintEye, and DireWolf target enterprise hardware from '
                'Fortinet, SonicWall, and Cisco.',
 'impact': {'data_compromised': 'Sensitive data (encryptionless extortion)',
            'financial_loss': '$18 billion (manufacturing sector alone)',
            'systems_affected': ['Manufacturing sector',
                                 'Enterprise hardware (Fortinet, SonicWall, '
                                 'Cisco)']},
 'motivation': ['Financial gain', 'Data extortion'],
 'post_incident_analysis': {'root_causes': ['Exploitation of trusted system '
                                            'components',
                                            'Use of legitimate signed drivers '
                                            '(BYOVD)',
                                            'Lack of detection for EDR '
                                            'killers']},
 'ransomware': {'data_encryption': 'Yes (post-quantum cryptography - '
                                   'ML-KEM/Kyber1024)',
                'data_exfiltration': 'Yes (encryptionless extortion)',
                'ransom_paid': '28% of victims (2025)',
                'ransomware_strain': ['PE32 family',
                                      'Qilin',
                                      'The Gentlemen',
                                      'Devman',
                                      'MintEye',
                                      'DireWolf']},
 'references': [{'source': 'Kaspersky report'}],
 'threat_actor': ['Qilin', 'The Gentlemen', 'Devman', 'MintEye', 'DireWolf'],
 'title': 'Ransomware Evolves into Stealthier, More Destructive Threat in 2026',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Legitimate signed drivers',
                             'Enterprise hardware vulnerabilities (Fortinet, '
                             'SonicWall, Cisco)']}