Latin America has become the global leader in ransomware incidents, with 8.13% of organizations affected in 2025. Kaspersky examines shifts toward encryptionless extortion and post-quantum cryptography, providing B2B stakeholders with data-driven insights to mitigate escalating cyber risks, financial losses, and regulatory challenges in 2026.
Latin America became the most targeted region for ransomware globally in 2025, with 8.13% of organizations experiencing attacks, according to the State of ransomware in 2026 study published by Kaspersky.
“Ransomware has evolved into a highly organized ecosystem focused on monetizing stolen data, disabling defenses, and scaling attacks with business-like efficiency,” says Fabio Assolini, Lead Security Researcher for Latin America, Kaspersky. “Threat actors are rapidly adapting by weaponizing legitimate tools, exploiting remote access infrastructures, and adopting post-quantum cryptography much earlier than expected.”
The data indicates that Latin America has surpassed all other regions in attack density. The regional impact exceeds that of Asia-Pacific (7.89%), Africa (7.62%), the Middle East (7.27%), the Commonwealth of Independent States (5.91%), and the European Union (3.82%). Although the total share of organizations affected globally saw a marginal decrease compared to 2024, the severity and sophistication of individual intrusions have intensified.
The manufacturing sector serves as a primary example of the financial consequences of these attacks. Kaspersky and VDC Research report that ransomware caused more than US$18 billion in losses for the manufacturing industry during the first three quarters of 2025. This shift reflects a trend toward the industrialization of cybercrime, where attackers prioritize high-value targets over broad, opportunistic campaigns.
The barrier to entry for these attacks continues to decline due to the specialization of the criminal labor market. Initial access brokers (IABs) function as intermediaries who compromise corporate environments and sell that access to ransomware operators.
This “Access-as-a-Service” model relies heavily on stolen credentials obtained through phishing and infostealers. Attackers are increasingly targeting RDWeb portals, which are often inadequately protected compared to traditional VPN or RDP access points.
Evolution of Defensive Evasion and Integration of Post-Quantum Cryptography
A defining technical trend for 2026 is the standardization of tools designed to neutralize endpoint defenses before the execution of the main payload. These tools, known as “EDR killers,” allow adversaries to terminate security processes and disable monitoring agents. Attackers frequently employ a technique called Bring Your Own Vulnerable Driver (BYOVD) to achieve this.
By exploiting trusted, signed drivers that contain known vulnerabilities, threat actors can operate within legitimate system activity while degrading defensive visibility. This approach ensures that evasion is a planned phase of the attack lifecycle rather than an opportunistic step. Organizations now face the challenge of maintaining control in environments where the security controls themselves are the primary targets of the intrusion.
Kaspersky researchers have identified the emergence of ransomware families that adopt post-quantum cryptography (PQC) standards. This development indicates a transition toward encryption methods that can resist decryption attempts from both classical and future quantum computers.
For example, the PE32 ransomware family uses the ML-KEM standard to protect its AES keys. ML-KEM, recently selected by NIST as a primary post-quantum standard, is based on the Kyber1024 algorithm in this case. This parameter set provides NIST security level 5, which is comparable in strength to AES-256.
The adoption of PQC ensures that data stolen and encrypted today cannot be recovered by future technological advances, complicating the long-term data recovery strategies of affected corporations.
The Rise of Encryptionless Extortion
The 2026 landscape is marked by a significant shift toward extortion incidents where no file encryption occurs. In 2025, the percentage of victims who paid ransoms dropped to 28%. In response, groups such as ShinyHunters have abandoned the “ware” in “ransomware” to focus on extracting sensitive data and using the threat of public disclosure as their primary leverage.
By avoiding encryption, attackers reduce the likelihood of immediate detection and shorten the duration of the attack. This model transforms ransomware from a business continuity issue into a broader data security and compliance challenge. While backups are effective against system disruption, they provide no protection against data exposure, reputational damage, or regulatory fines.
Key Actors and the Dark Web Ecosystem
Despite increased pressure from law enforcement, the ransomware market remains stable. In early 2026, authorities seized underground forums such as RAMP and LeakBase, which served as hubs for distributing stolen data and advertising RaaS services. However, threat actors have migrated to Telegram and other underground platforms to continue their operations.
Qilin emerged as the dominant RaaS platform in late 2025 after the dormancy of RansomHub. Other significant actors include Clop, which specializes in large-scale supply-chain attacks, and Akira, known for its operational consistency.
A new group, The Gentlemen, has caught the attention of researchers in early 2026. This group demonstrates a professionalized approach, focusing on data-centric extortion and the large-scale exploitation of network hardware from vendors such as Cisco and SonicWall. The Gentlemen group likely consists of professional cybercriminals who have migrated from other prominent organizations.
To mitigate these evolving threats, Kaspersky recommends that organizations implement a multi-layered defense strategy. First, companies must prioritize proactive vulnerability management. Many attacks exploit unpatched software or drivers. Implementing automated patch management and enabling the Microsoft Vulnerable Driver Blocklist are critical steps to prevent BYOVD attacks.
Second, organizations should strengthen remote access infrastructure. Connections through RDP or RDWeb should never be exposed directly to the internet. Access must be managed through ZTNA or VPNs with mandatory multi-factor authentication. Adopting the “Principle of Least Privilege” ensures that users and processes only have the minimum access necessary to perform their functions.
Third, investment in immutable, offline backups remains essential. These backups must be stored in air-gapped environments to resist deletion or encryption by intruders. Finally, organizations should provide continuous training to employees to recognize AI-crafted phishing attempts, which remain a primary vector for initial compromise. By focusing on detection of lateral movement and exfiltration, businesses can identify threats before the extortion phase begins.
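As an added example (not from the Kaspersky report), the following PowerShell script audits and enables the Microsoft Vulnerable Driver Blocklist named in the first recommendation, and reports whether memory integrity (HVCI) is running, since HVCI also enforces the blocklist. It assumes an elevated shell on Windows 10/11 or Windows Server 2019 and later; the registry path and value name are the Microsoft-documented toggle, and a reboot is required before a change takes effect.

```powershell
# Added example: audit/enable the Microsoft Vulnerable Driver Blocklist (BYOVD mitigation).
# Assumes an elevated PowerShell session; a reboot is required after enabling.

$BlocklistKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$BlocklistName = 'VulnerableDriverBlocklistEnable'

function Get-VulnerableDriverBlocklistState {
    # Returns $true when the blocklist is explicitly enabled, $false when explicitly
    # disabled, and $null when the value was never set (the OS default then applies).
    $item = Get-ItemProperty -Path $BlocklistKey -Name $BlocklistName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ([int]$item.$BlocklistName -eq 1)
}

function Enable-VulnerableDriverBlocklist {
    # Create the key if missing and set the DWORD to 1 (enforced).
    if (-not (Test-Path $BlocklistKey)) { New-Item -Path $BlocklistKey -Force | Out-Null }
    New-ItemProperty -Path $BlocklistKey -Name $BlocklistName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)
}

$state = Get-VulnerableDriverBlocklistState
if ($state -eq $true) {
    Write-Host 'Vulnerable Driver Blocklist: explicitly enabled'
} elseif ($state -eq $false) {
    Write-Host 'Vulnerable Driver Blocklist: explicitly disabled - enabling (reboot required)'
    Enable-VulnerableDriverBlocklist
} else {
    Write-Host 'Vulnerable Driver Blocklist: not configured - enabling (reboot required)'
    Enable-VulnerableDriverBlocklist
}
Write-Host ('HVCI (memory integrity) running: {0}' -f (Test-HvciRunning))
```

On Windows 11 22H2 and later the blocklist is on by default and can also be managed from Windows Security under Core isolation; this script is most useful for fleet audits on older builds where the toggle must be set explicitly.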