Kaspersky researchers are sharing insights into the main ransomware trends for 2026: EDR killers on the rise, switching from data encryption to data leaks, and more.
# Industry News: Kaspersky Forecasts the State of Ransomware in 2026
## Summary
Kaspersky researchers have released a strategic outlook for ransomware in 2026, predicting a shift from high-volume encryption to targeted data exfiltration and "EDR killers." The report highlights the professionalization of cybercrime syndicates and the increasing use of specialized tools designed to deactivate security software before payloads are deployed.
## Key Details
- **Date:** November 2024 (Forecast for 2026)
- **Companies Involved:** Kaspersky (Lead Researcher)
- **Category:** Market Analysis and Predictions
## The Story
The ransomware landscape is undergoing a fundamental transformation. According to Kaspersky's analysis of current trajectories, by 2026, many threat actors will move away from traditional data encryption (the "locker" model) in favor of pure data exfiltration and public shaming. This "encryption-less" ransomware reduces the operational overhead for attackers while maintaining high leverage over victims through the threat of GDPR fines and reputation damage.
Furthermore, attackers are increasingly utilizing "EDR Killers"—dedicated malware strains designed specifically to disable Endpoint Detection and Response (EDR) systems. As defensive technologies have become more sophisticated, attackers have responded by moving "left" in the attack chain, prioritizing the neutralization of security tools as a prerequisite for the main breach.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Strengthens its position as a global threat intelligence leader. By forecasting these trends, Kaspersky aligns its "Kaspersky Next" and Enterprise product lines with the need for tamper-proof security and behavior-based detection.
### For Competitors
- **EDR/XDR Vendors (CrowdStrike, SentinelOne, Microsoft):** Face increased pressure to innovate "anti-tampering" mechanisms. The rise of EDR killers shifts the competitive battleground from "who can detect the best" to "who can survive an active termination attempt."
### For Customers
- **Shift in Recovery Strategy:** Organizations can no longer rely solely on backups to mitigate ransomware; since the threat is now data leakage, the business impact is irreversible once the data is stolen.
- **Budget Realignment:** Businesses may need to invest more in Data Loss Prevention (DLP) and internal encryption rather than just perimeter and endpoint defense.
### For the Market
- **Insurance Volatility:** Cyber insurance providers may raise premiums or demand stricter proof of EDR hardening as attackers find ways to bypass standard security stacks.
- **Professionalization of Crime:** The ransomware-as-a-service (RaaS) market is expected to become more fragmented but specialized, with "initial access brokers" and "EDR specialists" becoming standard roles in the underground economy.
## Technical Implications
The trend toward disabling security software relies on "Bring Your Own Vulnerable Driver" (BYOVD) attacks. Attackers use legitimate but flawed kernel-mode drivers to gain high-level privileges and terminate security processes that would otherwise be protected by the operating system. Additionally, the move toward "encryption-less" ransomware means that detection based on high-intensity disk I/O (a hallmark of encryption) will become less effective.
## Strategic Analysis
- **Market Positioning:** Kaspersky is positioning itself as a proactive partner for the "post-encryption" era, emphasizing the need for comprehensive threat hunting.
- **Competitive Advantage:** Vendors who can demonstrate "self-healing" or "un-killable" security agents will gain significant market share in 2026.
- **Challenges:** The primary obstacle is the speed of attacker innovation; as quickly as defenders patch vulnerable drivers, new ones are discovered, leading to a perpetual arms race at the kernel level.
## Industry Reactions
- **Analyst Opinions:** Analysts generally agree that the focus on "leakware" is a logical evolution, as it sidesteps the technical hurdles of robust encryption and the increasing effectiveness of decryption tools.
- **Market Response:** There is a growing demand for "Managed Detection and Response" (MDR) services to provide 24/7 human oversight, as automated tools are increasingly targeted for deactivation.
## Future Outlook
- **Predictions:** Expect to see "triple extortion" become the norm: (1) ransom for the data, (2) ransom to prevent the leak, and (3) ransom paid by the victim’s clients whose data was stolen.
- **What to watch for:** Keep a close eye on the development of "AI-driven EDR killers" that can autonomously scan a system for security software and adapt their termination techniques in real time.
## For Security Professionals
Practitioners should prioritize **EDR Hardening**. It is no longer enough to "install and forget" security agents. Admins must enable tamper-protection features, monitor for the loading of unsigned or suspicious drivers, and ensure that security logs are exported to a remote, immutable SIEM so that if an EDR killer succeeds, the "dying breath" of the agent is recorded and alerted upon.
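The correlation this advice implies can run on the SIEM side, where it survives the agent being killed. The sketch below is an added example, not code from Kaspersky or any EDR vendor: it flags hosts where a driver outside the fleet baseline loads shortly before the agent stops checking in. The driver-load records mirror Sysmon Event ID 6 field names; the heartbeat schema, baseline, thresholds, host names and paths are constructed assumptions.

```python
from datetime import datetime, timedelta

HEARTBEAT_INTERVAL = timedelta(minutes=1)    # assumed agent check-in period
SILENCE_AFTER = 3 * HEARTBEAT_INTERVAL       # missed check-ins before "silent"
CORRELATION_WINDOW = timedelta(minutes=10)   # max gap: driver load -> last check-in
# Constructed fleet baseline of expected driver paths (hypothetical).
KNOWN_DRIVERS = {r"C:\Windows\System32\drivers\tcpip.sys"}

def beats(host, minutes):
    """Constructed heartbeat records (hypothetical agent check-in schema)."""
    return [{"type": "heartbeat", "host": host, "time": f"2026-01-15T10:{m:02d}:00"}
            for m in minutes]

def load(host, time, path, signed="true", status="Valid"):
    """Constructed record mirroring Sysmon Event ID 6 (driver loaded) fields."""
    return {"type": "driver_load", "host": host, "time": time,
            "ImageLoaded": path, "Signed": signed, "SignatureStatus": status}

EVENTS = (
    beats("WS-01", range(0, 3)) + beats("WS-02", range(0, 10)) + beats("WS-03", range(0, 3))
    # Validly signed but never seen on the fleet: the BYOVD pattern.
    + [load("WS-01", "2026-01-15T10:01:30", r"C:\Users\Public\example_vuln.sys"),
       load("WS-02", "2026-01-15T10:01:00", r"C:\Temp\vendor_tool.sys"),
       load("WS-03", "2026-01-15T10:01:00", r"C:\Windows\System32\drivers\tcpip.sys")]
)

def suspicious_load(e):
    """Unsigned, invalid signature, or signed but outside the fleet baseline."""
    return (e["Signed"] != "true" or e["SignatureStatus"] != "Valid"
            or e["ImageLoaded"] not in KNOWN_DRIVERS)

def find_silenced_agents(events, now):
    """Return (host, driver, last_heartbeat) where a suspicious load precedes silence."""
    last_beat, loads = {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] == "heartbeat":
            last_beat[e["host"]] = datetime.fromisoformat(e["time"])
        elif e["type"] == "driver_load" and suspicious_load(e):
            loads.setdefault(e["host"], []).append(e)
    alerts = []
    for host, host_loads in loads.items():
        beat = last_beat.get(host)
        if beat is None or now - beat < SILENCE_AFTER:
            continue  # agent still checking in, or never enrolled
        for e in host_loads:
            gap = beat - datetime.fromisoformat(e["time"])
            if -HEARTBEAT_INTERVAL <= gap <= CORRELATION_WINDOW:
                alerts.append((host, e["ImageLoaded"], beat.isoformat()))
    return alerts

if __name__ == "__main__":
    print(find_silenced_agents(EVENTS, datetime(2026, 1, 15, 10, 10)))
```

WS-02 loads an unfamiliar driver but keeps checking in, and WS-03 goes quiet after loading only a baseline driver, so neither alerts; only the combination on WS-01 does.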