2026-05-135 minhigh

State of ransomware in 2026

The 2026 ransomware landscape is characterized by the adoption of post-quantum cryptography to thwart decryption efforts and a significant shift toward encryptionless, data-centric extortion. Threat actors are increasingly professionalizing their operations, standardizing EDR evasion via BYOVD (Bring Your Own Vulnerable Driver), and relying on Initial Access Brokers targeting edge infrastructure like RDWeb and VPNs.

Conf:highAnalyzed:2026-05-12Google

Authors: Fabio Assolini

ActorsPE32ShinyHuntersQilinClopAkiraRansomHubDragonForceThe GentlemenDevmanMintEyeDireWolfNightSpireVectTenguKazuRostova

Initial Access Brokers BYOVD Ransomware Post-Quantum Cryptography Encryptionless Extortion

Source:Kaspersky

IOCs · 4

domain
RAMP4U[.]ioDomain associated with the seized RAMP underground ransomware forum.
url
hxxp://vectordnticrtmfkcm4alni734tbcrmd5[.][.][.]sp4lqal6noqrgnbyd[.]onion/Partial Onion URL for Vect Ransomware data leak site identified in dark web forum post.
url
hxxp://xpod6h3ngodwb6fhbpaunfr5hmngzlb77[.][.][.]nyid[.]onionPartial Onion URL for Rostova Ransomware data leak site identified in dark web forum post.
url
hxxps://s3[.]ap-southeast-2[.]wasabisys[.]com/[.][.][.]aders=hostPartial Wasabi S3 bucket URL used to host exfiltrated database dumps.

Detection / HunterGoogle

What Happened

Ransomware attacks are evolving to use advanced, unbreakable encryption and, in many cases, skipping encryption entirely to just steal and threaten to leak sensitive data. Organizations worldwide are affected, particularly those with exposed remote access systems like virtual private networks (VPNs) and remote desktops. This matters because traditional backups cannot protect against data theft and public exposure, leading to severe reputational damage and regulatory fines. To defend against this, organizations must strictly secure remote access with multi-factor authentication, apply security updates promptly, and use advanced monitoring to catch attackers before they can steal data.

Key Takeaways

Ransomware groups are adopting post-quantum cryptography (e.g., ML-KEM/Kyber1024 used by PE32) to make decryption mathematically impossible.
Encryptionless extortion is rising, with groups like ShinyHunters and The Gentlemen focusing purely on data exfiltration and public disclosure.
EDR evasion using Bring Your Own Vulnerable Driver (BYOVD) techniques is now a standard, planned phase in ransomware attack lifecycles.
Initial Access Brokers (IABs) are heavily targeting remote access infrastructure, particularly RDWeb, RDP, and VPNs.
New professionalized groups like 'The Gentlemen' are exploiting edge devices (FortiOS, SonicWall, Cisco ASA) for data-centric extortion.

Affected Systems

Windows OS
RDWeb portals
RDP infrastructure
VPN appliances
FortiOS / FortiProxy
SonicWall VPN
Cisco ASA appliances

Attack Chain

Initial access is typically procured via Initial Access Brokers (IABs) targeting vulnerable edge devices (VPNs, RDWeb) or using compromised credentials. Once inside, attackers systematically deploy EDR killers using Bring Your Own Vulnerable Driver (BYOVD) techniques to blind defenses. Depending on the group's model, they either exfiltrate data for encryptionless extortion or deploy advanced ransomware payloads utilizing post-quantum cryptography (like ML-KEM) to permanently lock systems.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules but recommends behavioral monitoring for driver loading and process termination.

Detection Engineering Assessment

EDR Visibility: Medium — EDR visibility is actively threatened by the standardized use of BYOVD and EDR killers, which attempt to blind or terminate security agents before payload execution. Network Visibility: Medium — Network monitoring can detect initial access via VPN/RDWeb and large-scale data exfiltration, but internal lateral movement may blend with legitimate administrative traffic. Detection Difficulty: Hard — Attackers are professionalizing, using valid credentials, exploiting edge devices, and actively neutralizing endpoint telemetry, making detection highly reliant on behavioral anomalies.

Required Log Sources

Windows System Event ID 7045 (Service Creation - Driver Load)
Windows Security Event ID 4624 (Logon)
EDR Telemetry (Process Termination/Tampering)
Network Flow Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Hunt for unexpected or unsigned driver loads (or known vulnerable signed drivers) preceding the unexpected termination of security-related processes.	Windows System Event ID 7045, EDR Process/Service events	Defense Evasion	Medium
Monitor for anomalous authentication patterns to RDWeb or VPN portals, especially from unusual geolocations or without MFA.	VPN/Firewall Authentication Logs, Windows Security Event ID 4624	Initial Access	Low
Look for large outbound data transfers to cloud storage providers (e.g., Wasabi, Mega) indicating potential data exfiltration for encryptionless extortion.	Network Flow Logs, Proxy/Firewall Logs	Exfiltration	Medium

Control Gaps

Lack of MFA on remote access portals
Unpatched edge devices (VPNs, firewalls)
Permissive driver loading policies (not using Microsoft's Vulnerable Driver Blocklist)

Key Behavioral Indicators

Loading of unusual .sys files
Security agent process crashes or unexpected stops
High volume of data read operations followed by outbound network connections

False Positive Assessment

Recommendations

Immediate Mitigation

Enable Microsoft's Vulnerable Driver Blocklist to thwart BYOVD attacks.
Audit and secure all exposed RDP and RDWeb instances, placing them behind VPN or ZTNA.
Enforce Multi-Factor Authentication (MFA) on all remote access points.

Infrastructure Hardening

Implement automated patch management for OS, software, and edge devices (FortiOS, SonicWall, Cisco).
Segment networks to limit lateral movement by isolating critical systems.
Implement the Principle of Least Privilege (PoLP) across all user and service accounts.

User Protection

Deploy advanced EDR solutions to monitor for suspicious driver loading and process termination.
Ensure complete and immediate offboarding for departing employees, with automatic revocation of unused access.

Security Awareness

Conduct simulated phishing exercises and train employees to recognize AI-crafted emails.
Develop and test an incident response plan to minimize potential downtime and costs.
Maintain offline or immutable backups that are tested regularly to ensure rapid recovery.

MITRE ATT&CK Mapping

T1133 - External Remote Services
T1078 - Valid Accounts
T1562.001 - Impair Defenses: Disable or Modify Tools
T1068 - Exploitation for Privilege Escalation
T1567 - Exfiltration Over Web Service
T1486 - Data Encrypted for Impact

Additional IOCs

Domains:
- RAMP4U[.]io - Seized RAMP ransomware forum domain.
Urls:
- hxxp://xpod6h3ngodwb6fhbpaunfr5hmngzlb77[.][.][.]nyid[.]onion - Rostova Ransomware DLS (partial)
- hxxp://vectordnticrtmfkcm4alni734tbcrmd5[.][.][.]sp4lqal6noqrgnbyd[.]onion/ - Vect Ransomware DLS (partial)
- hxxps://s3[.]ap-southeast-2[.]wasabisys[.]com/...aders=host - Data exfiltration hosting link (partial)