Ransomware Evolution: Encryptionless Extortion and EDR Bypass Tactics Rise
Severity: High (Score: 60.5)
Sources: Gbhackers, Technadu
Summary
Kaspersky's 2026 report indicates a decline in ransomware incidents, yet the threat remains significant. Attackers are increasingly using EDR killers and BYOVD techniques to bypass security measures. The PE32 ransomware family employs post-quantum cryptography, specifically the ML-KEM standard, to secure its operations. With global ransom payments dropping to 28% in 2025, groups like ShinyHunters are shifting to encryptionless extortion, focusing on data theft and public leaks. The industrialization of ransomware attacks is supported by initial access brokers exploiting RDP and VPN vulnerabilities. Qilin emerged as the most active ransomware group, alongside Cl0p and Akira. Law enforcement has responded with takedowns of major dark web platforms, including RAMP and LeakBase, to disrupt these operations. The overall landscape shows a shift towards more sophisticated and varied attack methodologies.
Key Points
- Ransomware incidents decreased globally, but threats remain sophisticated and entrenched.
- Attackers are increasingly using EDR killers and BYOVD techniques to disable security tools.
- ShinyHunters and other groups are moving towards encryptionless extortion, focusing on data theft.
Key Entities
- Data Breach (attack_type)
- Ransomware (attack_type)
- Die Linke (company)
- Manufacturing (industry)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1027 - Obfuscated Files Or Information (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1486 - Data Encrypted for Impact (mitre_attack)
- Akira (ransomware_group)
- Cl0p (ransomware_group)
- DragonForce (ransomware_group)
- Medusa (ransomware_group)
- PE32 (ransomware_group)
- ShinyHunters (apt_group)
- BYOVD (vulnerability)
- EDR Killers (tool)
- VX Crypt (malware)