The Evolving Menace: Ransomware in 2025 and what to expect in 2026

The economic toll of ransomware could be staggering. An estimate by VDC Research and Kaspersky showed that in the manufacturing sector alone, potential losses from ransomware attacks (if they had succeeded) could have exceeded $18 billion in the first three quarters of 2025. Regionally, Asia-Pacific bears the brunt of this, contributing $11.5 billion in potential losses and underscoring how rapid digitisation in emerging economies expands attack surfaces.

In 2025, ransomware showed resilience, evolution and adaptation. Ransomware-as-a-Service (RaaS) models dominated. They have lowered the barriers for entry-level cybercriminals, offering malware, affiliate programmes, and even initial access brokering, resulting in a 90/10 ransom split favouring operators. Platforms like RansomHub (now dismantled) were quickly replaced by other groups, such as Qilin, Akira, Cl0p and Sinobi. Tactics have also evolved alarmingly, especially those using signed vulnerable drivers. These leverage the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique, as seen in MedusaLocker attacks. Double and triple extortion – encrypting data while exfiltrating it for leaks to customers, regulators, or competitors – has become standard.

Attackers are bypassing traditional defences by targeting unconventional entry points: IoT devices, smart appliances, and even webcams, as seen with the Akira gang. The integration of AI, particularly Large Language Models (LLMs), has accelerated this. Groups like FunkSec, emerging in late 2024, use AI-generated code for low-cost, high-volume attacks on government, finance, and education sectors in regions like India and Europe.

Hacktivist groups, such as Head Mare and Twelve, have weaponised ransomware against manufacturing and other targets. In Africa, while prevalence is lower due to limited digitisation, hotspots like South Africa and Nigeria see rising incidents in finance. Europe, bolstered by regulations like GDPR, has fared better, but disruptions like RansomHub’s hit on Kawasaki’s offices highlight supply chain vulnerabilities.

As we peer into 2026, ransomware isn’t just persisting – it’s poised for a leap, supercharged by AI’s rapid integration into cybercrime. Agentic AI systems, which can reason autonomously and adapt in real time, will likely automate attack chains, from initial reconnaissance to the final extortion demands, executing them at speeds many times faster than human operators. AI-fueled Ransomware-as-a-Service platforms may empower even novice hackers to unleash polymorphic malware that mutates on the fly or deploys deepfake videos to blackmail executives. The victim count of these attacks could explode, as attackers scale high-volume operations against third-party vendors. Extortion tactics may evolve toward insidious data tampering and reputational sabotage, eroding trust in brands overnight.

To stay ahead, Kaspersky advises organisations to invest in threat intelligence and proactive detection, and implement immutable, air-gapped backups. There should be thorough supply chain audits and advanced multi-factor authentication. Targeted training should be rolled out to counter AI-enhanced phishing schemes.

Ransomware’s 2025 rampage – marked by AI boosts, targeted strikes, and ballooning costs – serves as a warning for the business world. Come 2026, autonomous threats could overwhelm the unprepared, but with due attention to resilient protection models, companies can not only survive, they can thrive. The choice is clear: evolve faster than the attackers, or risk becoming their next headline casualty.

To effectively counter ransomware, start by enabling dedicated protection across all endpoints. For non-industrial companies, implement anti-APT and EDR tools to enhance threat discovery, detection, investigation, and rapid incident remediation. Additionally, equip SOC teams with up-to-date threat intelligence and ongoing professional training, all of which can be accessed through comprehensive platforms like Kaspersky Next to build a resilient defence strategy.

For organisations in the industrial sector, adopt a specialised ecosystem such as Kaspersky Industrial CyberSecurity (KICS), which combines OT-grade technologies, expert insights, and a native Extended Detection and Response (XDR) platform tailored for critical infrastructure. This solution offers robust network traffic analysis, endpoint protection, and response capabilities, bridging traditional IT security with industrial-specific measures to thwart sophisticated threats.
