Threat intelligence, proactive detection, backups needed to combat ransomware in 2026 – Kaspersky
In 2025, ransomware showed that it was resilient and could evolve and adapt. To combat ransomware attacks this year, organisations are urged to invest in threat intelligence and proactive detection, and implement immutable, air-gapped backups.
Ransomware in 2025 was marked by AI boosts, targeted strikes and growing costs to companies attacked, which serves as a warning for the business world, says cybersecurity company Kaspersky.
This year, autonomous threats could accelerate attacks, although resilient protection models can help companies survive and thrive, says Kaspersky Global Research and Analysis Team Americas and Europe research centre head Fabio Assolini.
During the first three quarters of 2025, for the manufacturing sector alone, the potential losses that could have occurred if failed ransomware attacks had succeeded were estimated at $18-billion.
Further, for the Asia-Pacific region's manufacturing sector, the potential losses that could have occurred if failed ransomware attacks had succeeded were estimated at $11.5-billion, which underscores how rapid digitisation in emerging economies expands attack surfaces, he says.
Hacktivist groups, such as Head Mare and Twelve, have weaponised ransomware against manufacturing and other targets. Europe has fared better than many regions owing to regulations, but disruptions like RansomHub's hit on Kawasaki Motors Europe's offices highlight supply chain vulnerabilities, says Assolini.
This is why companies should also undertake thorough supply chain audits and implement advanced multifactor authentication to safeguard their operations. Targeted training should be rolled out to counter AI-enhanced phishing schemes, he adds.
Meanwhile, Kaspersky points out that while the prevalence of ransomware is lower in Africa owing to limited digitisation, hotspots like South Africa and Nigeria see rising incidents in finance.
Further, ransomware-as-a-service (RaaS) models dominated in 2025 because they lower the barriers for entry-level cybercriminals by offering malware, affiliate programmes, and even initial access brokering, resulting in a 90% to 10% split of the ransom in favour of the operators.
Platforms like RansomHub, which has been dismantled, were quickly replaced by other groups, such as Qilin, Akira, Cl0p and Sinobi, he notes.
Tactics have also evolved, especially those using signed vulnerable drivers. These leverage the bring-your-own-vulnerable-driver technique, as seen in MedusaLocker attacks.
Additionally, double and triple extortion, namely encrypting data while exfiltrating it for leaks to customers, regulators or competitors, has become standard practice in ransomware attacks, Assolini says.
Attackers are bypassing traditional defences by targeting unconventional entry points, including Internet-of-Things devices, smart appliances and even webcams, as seen with the Akira gang. The integration of AI, particularly large language models, has accelerated this.
Groups like FunkSec, which emerged in late 2024, use AI-generated code for low-cost, high-volume attacks on government, finance, and education sectors in regions such as India and Europe, he illustrates.
This year, agentic AI systems, which can reason autonomously and adapt in real time, will likely automate ransomware attack chains, from initial reconnaissance to the final extortion demands, and enable the execution of attacks at speeds many times faster than human operators.
Further, AI-fuelled RaaS platforms may empower even novice hackers to deploy polymorphic malware, and enable attackers to scale high-volume operations against third-party vendors.
Additionally, in 2026, extortion tactics may evolve toward data tampering and reputational sabotage to erode trust in brands, he says.
Organisations should enable dedicated protection across all endpoints to counter ransomware.
Non-industrial companies should implement anti-advanced persistent threat and endpoint detection and response tools to enhance threat discovery, detection, investigation and rapid incident remediation.
Organisations in the industrial sector should adopt a specialised ecosystem that combines operational technology-grade technologies and extended detection and response capabilities.
An industrial cybersecurity solution must combine robust network traffic analysis, endpoint protection and response capabilities, as well as bridge traditional IT security with industrial-specific measures to combat sophisticated threats, Assolini recommends.