Cybersecurity company Kaspersky has shared new findings on ransomware activity, warning that cybercriminals are increasingly distributing and selling compromised user credentials and sensitive datasets through Telegram channels and dark web forums. The findings were revealed in a newly released report reviewing ransomware developments that shaped 2025 while also outlining key cybersecurity risks expected to influence the threat landscape in 2026. According to the report, cybercriminal groups continue to refine their methods through automation, organized operations, and evolving extortion strategies, creating ongoing risks for organizations and individual users despite a slight decline in ransomware incidents compared to the previous year.
According to data collected by Kaspersky Security Network, Latin America experienced the highest proportion of organizations impacted by ransomware attacks in 2025, accounting for 8.13 percent of detected incidents globally. Asia Pacific followed closely with 7.89 percent, while Africa recorded 7.62 percent and the Middle East reported 7.27 percent. The Commonwealth of Independent States registered 5.91 percent, whereas Europe experienced the lowest ransomware detection share at 3.82 percent. Although the overall percentage of organizations targeted by ransomware declined slightly during 2025 compared to 2024, researchers warned that the threat environment remains highly active as cybercriminals increasingly industrialize operations and shift focus toward extracting sensitive information rather than solely encrypting systems for ransom payments. Security experts noted that many ransomware operators are now prioritizing data theft and leakage strategies, allowing attackers to pressure victims by threatening exposure of confidential information.
One of the notable trends identified in the report is the continued rise of what researchers describe as “encryption-less” extortion attacks. Instead of relying exclusively on file encryption, threat actors increasingly focus on stealing sensitive data and using exposure threats to pressure victims into payment. The report also highlighted ransomware groups experimenting with post-quantum cryptography, reflecting an effort to strengthen operational security and complicate defensive analysis or decryption efforts. Another significant concern identified by researchers is the increased use of endpoint detection and response killers, commonly referred to as EDR killers. These tools are specifically designed to disable endpoint security protections before ransomware payloads are executed, enabling more calculated and methodical intrusions. According to Kaspersky, EDR killers have increasingly become a common element within ransomware operations, allowing attackers to weaken organizational defenses and improve operational success.
Researchers also warned that Telegram channels and dark web forums continue to function as active marketplaces where cybercriminals exchange compromised credentials, datasets, and unauthorized access obtained through ransomware attacks and other cyber incidents. According to the report, these underground platforms remain central to cybercriminal activity, facilitating the sale of stolen information and enabling wider cybercrime operations targeting organizations and citizens. The company stressed that users should adopt immediate precautionary measures and remain vigilant, as compromised credentials and personal data continue circulating through criminal networks. The findings underscore how ransomware threats continue evolving beyond system encryption into broader ecosystems involving credential theft, unauthorized access trading, and data exploitation.