Trend: Attackers are now layering encryption with data theft, distributed denial-of-service (DDoS) attacks, and direct client harassment to force payment, even when backups exist.

A robust backup strategy alone doesn’t cut it when ransomware is on the rise, because encryption is often just the final step in a much longer attack chain.

We’re witnessing the standardization of triple and quadruple extortion tactics designed to apply maximum pressure on targets, like the 2023 Black Cat/ALPHV attack, where Black Cat filed a complaint with the Securities and Exchange Commission (SEC) that MeridianLink, an attack victim, failed to report a cyberattack within four days.

This is how extortion tactics start:

1. Double extortion: Attackers pull sensitive data before locking your systems. They’ll threaten to leak this ransomware data on the dark web if you refuse to pay them for the decryptor, even if you can restore everything from backups.

2. Triple extortion: Attackers take the fight to your stakeholders. They’re contacting clients, patients, or partners directly, telling them that their data has been stolen and urging them to pressure you into paying.

3. Quadruple extortion: While you’re struggling to restore your servers and manage the legal fallout of a data breach, the attackers launch a DDoS attack against your public-facing website or customer portals. It paralyzes your communication channels and creates panic.

How this ransomware trend looks in the real world:

A chilling example of multi-extortion happened when threat actors breached Finnish psychotherapy provider Vastaamo and started individually extorting thousands of patients after the primary organization refused to pay. It proves that triple extortion can extend harm far beyond corporate boundaries.

It’s a total siege mentality that requires defense in depth, like the Huntress Managed Security Platform offers. That includes employee training to spot threats, SIEM for broad-based attack detection, and endpoint and identity detection and response when shady hackers slip through the cracks.

Trend: The cybercrime economy has industrialized, letting low-skilled affiliates lease enterprise-grade malware and infrastructure from established ransomware cartels.

Ransomware-as-a-Service (RaaS) is a business model where ransomware developers sell or lease their malware to affiliates who carry out the actual attacks, similar to legitimate software-as-a-service platforms. RaaS has effectively lowered the barrier to entry for cybercrime to zero. In 2026, it’s the dominant engine driving the threat landscape. This is how it works:

1. Develop: Major ransomware operators act as software vendors, developing the malware and even running fake customer support for victims.

2. Hand off: They then lease these tools to affiliates—often lower-skilled hackers or disgruntled insiders—who execute the attacks.

3. Profit: The operators take a cut of every successful ransom payment.

This structure has led to a huge uptick in attacks because the affiliates just need to know how to buy stolen credentials or click a button. Businesses of all sizes can now get hit by serious attacks that once targeted only big companies.

How this ransomware trend looks in the real world:

We see this industrialization in action with the Qilin ransomware operation. It became one of the most active groups in 2025 by using a turnkey RaaS model to carry out over 1,000 attacks—a 408% increase over previous years.

It’s also harder to attribute RaaS attacks to a single actor. You might get hit by the LockBit locker, but the person pulling the trigger could be a completely different actor with different motivations and negotiation tactics.

Trend: Threat actors are hijacking the trusted tools of MSPs and software distributors to compromise thousands of downstream victims in a single stroke.

Why hack one company when you can hack the company that manages a thousand others? This one-to-many attack vector is a top priority for ransomware groups in 2026. MSPs hold the keys to the kingdom for their clients, often having unchecked remote access to perform IT maintenance. If an attacker compromises an MSP, they can instantly push ransomware to every managed endpoint.

How this ransomware trend looks in the real world:

In July 2025, we saw a devastating example of this with the Ingram Micro incident. The ransomware group SafePay infiltrated the global technology distributor, disrupting operations for nearly a week.The attack paralyzed the supply chain for thousands of VARs and MSPs, preventing them from procuring licenses or hardware for their clients.

SafePay leveraged custom dynamic link libraries (DLLs) and sophisticated techniques to evade detection, proving that even industry giants are vulnerable. For MSPs, it’s a massive wake-up call: Your vendor’s security is your security. You need to verify the resilience of your supply chain and have incident response plans that account for upstream failures.

Trend: Hackers are evading antivirus detection by weaponizing legitimate administrative tools like PowerShell and remote monitoring and management (RMM) software instead of using custom malware.

If an intruder breaks into your house and uses your own kitchen knife to attack you, a metal detector at the front door wouldn’t have helped. That’s the idea behind LOTL attacks, which now account for 84% of high-severity breaches.

Attackers are now ditching custom malware that might get flagged by traditional antivirus signatures. Instead, they’re using the tools already installed on your computer:

• PowerShell: Used to script malicious commands

• RMM tools (like AnyDesk or ScreenConnect): Used to maintain persistence and remote control

• WMI (Windows Management Instrumentation): Used to move laterally across the network

Because Microsoft and other legit software vendors digitally sign these tools, they’re trusted by the operating system. To a legacy security tool, a hacker using PowerShell to encrypt files looks like an IT administrator doing their job. This camouflage lets attackers stay in networks for weeks, escalating privileges and stealing data before they ever deploy the final ransomware payload.

Trend: Adversaries are focusing their efforts on high-availability sectors like healthcare and manufacturing, as well as critical infrastructure, like emergency response services and municipal water providers, where downtime costs exceed ransom demands.

Ransomware groups go where the leverage (and therefore the cost of a ransomware attack) is highest. That means targeting industries where downtime translates to danger or big financial losses:

• Healthcare remains in the crosshairs for similar reasons. Hospitals can’t afford to have life-saving systems offline, so they are more likely to pay quickly.

• Manufacturing is a top target. When a production line stops, the costs spiral instantly: supply chains break, perishable goods spoil, and contracts are voided.

• Critical emergency services are increasingly vulnerable. Fire departments, 911 dispatch centers, and emergency management systems face literal life-or-death stakes when their systems go down, making them attractive targets for ransomware operators.

How this ransomware trend looks in the real world:

The Akira ransomware group aggressively targets high-availability sectors, collecting around $42 million in ransom payments by capitalizing on the urgency facing their victims. They know that for these organizations, the ransom is less costly than being offline for a week.

If you’re wondering what an hour of downtime could cost your business, use our downtime calculator to find out.

Trend: Generative AI is helpingthreat actors create hyper-realistic phishing campaigns and deepfake voice clones that bypass traditional security awareness.

The familiar phishing emails of the past aren’t sticking around. In their place is AI-generated correspondence that’s context-aware and highly persuasive. Tools like ChatGPT and dedicated FraudGPT variants let attackers generate thousands of tailored, believable phishing emails in seconds.

But it gets worse. Deepfakes have entered the chat. Attackers are using AI to clone the voices of CEOs and executives, generating a voice model that sounds exactly like your boss in just 15 seconds of source audio (easily found on YouTube or podcasts).

These deepfake voices are being weaponized to socially engineer help desks into resetting passwords, approve fraudulent wire transfers, or trick employees into sharing credentials—allowing attackers to simply log in rather than hack their way in.

AI’s changing and escalating ransomware attacks are happening at a fast pace:

Watch this breakdown of how convincing deepfakes can be:

This new reality means you need a new approach to managed security awareness training (SAT). You have to train employees to verify requests and be skeptical of urgency, even when it sounds familiar or appears to come from a known source.

Trend: Smaller businesses with limited security resources are high-volume targets for automated ransomware campaigns.

There’s a myth that hackers only target the Fortune 500. Key ransomware statistics show otherwise: Businesses have a 1-in-10 chance of experiencing at least one ransomware incident in the next 12 months, regardless of size.

The biggest targets have strengthened their defenses with 24/7 security operations centers (SOCs) and million-dollar budgets. But smaller, scaling businesses often rely on lean IT teams who are already stretched thin managing printers, passwords, and cloud migrations.

Ransomware cartels now use a high-volume, low-margin strategy. Attackers target lean teams for many reasons:

• Limited patching windows

• No 24/7 monitoring

• Shared admin credentials

• Exposed remote desktop protocol (RDP) or VPN services

These cartels are perfectly happy with $50,000 payouts from 100 smaller targets. For lean teams, a solution like Huntress acts as a force multiplier. It gives you the 24/7 human expertise of a massive SOC, but is tailored to the budget and operational realities of a more nimble team.

Trend: Major ransomware groups are forming strategic alliances to share data, resources, and negotiation leverage against victims.

One of the most alarming trends of 2026 is the consolidation of the enemy. We’re seeing the formation of a ransomware cartel—specifically the Scattered LAPSUS$ Hunters alliance or the link-upbetween major players like LockBit, Qilin, and DragonForce.

These groups went from competitors to partners. They’re sharing:

• Infrastructure: Groups are pooling servers and botnets to improve their resilience against law enforcement takedowns.

• Data: If you refuse to pay LockBit, they might pass your stolen data to DragonForce for release on another site, upping the pressure.

• Tactics: They’re standardizing their playbooks, meaning that a new exploit discovered by one group is quickly and easily adopted by the others.

This merger-and-acquisition activity on the dark web means defenders are facing a more unified and resourceful adversary than ever before.

The trends above describe who is attacking and why, but how are they getting in? The front doors haven’t changed much, but they’re being left unlocked more often. Initial access brokers (IABs) have emerged as specialized cybercriminals who focus exclusively on breaking in, then selling that access to ransomware groups on underground forums. This division of labor makes attacks even more efficient and harder to prevent.

1. Unpatched vulnerabilities in public-facing systems

Unpatched vulnerabilities remain the leading cause of breaches. Whether it’s a VPN (like SonicWall SSLVPN devices), an exposed remote desktop protocol (RDP), or a file transfer appliance, if it faces the internet and isn’t patched, it will be found. Automated scanners check the entire internet for these flaws within hours of a disclosure.

2. Phishing and compromised credentials 

Phishing is more effective than ever with AI. But often, attackers don’t even need to phish you. They just buy your credentials.

Infostealer malware (like RedLine) sucks up saved passwords from browser caches on personal devices, which are then sold on the dark web. Attackers just log in to your VPN or Microsoft 365 account. This is especially dangerous when employees reuse passwords across personal and work accounts—a single breach on a gaming forum or shopping site can give attackers the keys to your corporate network.

This is why security awareness training is so important: employees need to understand the risks of password reuse and the importance of unique, strong credentials for every account.

3. Weak or single-factor authentication 

If you don’t have multi-factor authentication (MFA) everywhere, you’re a target. But even withMFA for your business, you aren’t safe if you use weak methods.

Ransomware adversaries are organized, their strategies are stealthy, and the stakes are higher than ever. But you don’t have to fight them alone.

Huntress was built to catch the threats that slip past preventive tools like antivirus and firewalls. Our Managed EDR is backed by a 24/7 team of SOC analysts who investigate suspicious behavior—like a PowerShell script running at 3:00am—and shut it down before it becomes a full-blown ransomware incident. We protect the endpoints, the identities, and the humans behind them.

Don’t wait for the ransom note. See how Huntress helps fight ransomware and keeps your business going strong.

What is the difference between antivirus and EDR, and which one is better for handling ransomware? 

Antivirus handles prevention by blocking known threats. Endpoint detection and response (EDR) detects and responds to attackers who found a way in. You need both: antivirus to stop the noise, and EDR to stop the sophisticated LOTL attacks that bypass antivirus software.

If I use cloud-based backup, can I ignore the threat of double extortion? 

No, you can’t ignore the threat of double extortion. While cloud backups can help you restore your data and resume operations, they can’t stop an attacker from leaking the data they stole before they triggered the encryption. Double extortion targets your privacy and reputation, not just your access to files.

What is a gap most organizations have in defending against ransomware attacks? 

Most organizations lack 24/7 monitoring, detection, and response because the cost of doing so is unaffordable. Ransomware attacks are fast and often happen after hours. A human team (like a managed SOC) that watches your environment around the clock can help isolate and kick out hackers before they can deploy ransomware.