Asia-Pacific among regions hardest hit by ransomware in 2025, Kaspersky says

The Asia-Pacific region was among the areas most affected by ransomware attacks in 2025, according to a new Kaspersky report that outlines major ransomware trends and risks expected to continue into 2026.

Kaspersky Security Network data showed Latin America recorded the highest share of organizations with ransomware detections at 8.13 percent, followed by Asia-Pacific at 7.89 percent, Africa at 7.62 percent, the Middle East at 7.27 percent, the Commonwealth of Independent States at 5.91 percent and Europe at 3.82 percent.

The report said ransomware activity slightly declined overall compared with 2024, but organizations and users remain at risk as attackers increasingly focus on stealing and leaking sensitive data instead of only encrypting systems.

Data theft becomes central to ransomware attacks

Kaspersky said “encryption-less” extortion attacks became more prominent in 2025, with cybercriminal groups using stolen data to pressure victims. Researchers also observed the use of post-quantum cryptography by some ransomware families, a trend the company had previously predicted.

The report said endpoint detection and response “killers” also became a standard part of many attacks. These tools are used to disable security systems before malware is deployed, making intrusions more deliberate and harder to stop.

Initial Access Brokers also played a growing role in ransomware operations by selling pre-compromised corporate access through underground forums and messaging platforms. Kaspersky said remote access portals, including RDWeb systems, were increasingly targeted as ransomware groups expanded “Access-as-a-Service” operations.

Telegram and dark web forums remain key channels

The report said Telegram channels and dark web forums continued to be used for distributing and selling compromised data, credentials and corporate access.

Authorities seized the underground forum RAMP in January 2026 and LeakBase in March 2026. Both platforms had been linked to ransomware-related services or the distribution of compromised data, according to the report.

Kaspersky identified Qilin as the most active ransomware-as-a-service operator in 2025 based on data leak sites, followed by Clop and Akira. The company said new actors also emerged after several major ransomware groups stopped operations.

Looking ahead to 2026, Kaspersky highlighted The Gentlemen as a ransomware actor to watch because of its rapid growth, structured operations and focus on data-centric extortion.

Fabio Assolini, Lead Security Researcher at Kaspersky GReAT, said ransomware has developed into an organized ecosystem focused on monetizing stolen data, disabling defenses and scaling attacks efficiently.

Kaspersky advised organizations to keep software updated, use ransomware protection across endpoints, maintain backups, strengthen cyberliteracy and invest in layered security, threat intelligence and professional training for security teams.
