Regionally, Asia-Pacific bears the brunt of this, contributing $11.5 billion in potential losses and underscoring how rapid digitisation in emerging economies expands attack surfaces.

In 2025, ransomware showed both resilience, evolution and adaptation. Ransomware-as-a-Service (RaaS) models dominated.

They have lowered the barriers for entry-level cybercriminals, offering malware, affiliate programmes, and even initial access brokering, resulting in a 90/10 ransom split favouring operators.

Platforms like RansomHub (now dismantled) were quickly replaced by other groups, such as Qilin, Akira, Cl0p and Sinobi.

Tactics have also evolved alarmingly, especially those using signed vulnerable drivers. These leverage the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique, as seen via MedusaLocker attacks.

Double and triple extortion – encrypting data while exfiltrating it for leaks to customers, regulators, or competitors – has become standard.

Attackers are bypassing traditional defences by targeting unconventional entry points: IoT devices, smart appliances, and even webcams, as seen with the Akira gang.

The integration of AI, particularly Large Language Models (LLMs), has accelerated this. Groups like FunkSec, emerging in late 2024, use AI-generated code for low-cost, high-volume attacks on government, finance, and education sectors in regions like India and Europe.

Hacktivist groups, such as Head Mare and Twelve, have weaponised ransomware against manufacturing and other targets. In Africa, while prevalence is lower due to limited digitisation, hotspots like South Africa and Nigeria see rising incidents in finance.

Europe, bolstered by regulations like GDPR, has fared better, but disruptions like RansomHub’s hit on Kawasaki’s offices highlight supply chain vulnerabilities.

As we peer into 2026, ransomware isn’t just persisting – it’s poised for a leap, supercharged by AI’s rapid integration into cybercrime.

Agentic AI systems, which can reason autonomously and adapt in real time, will likely automate attack chains, from initial reconnaissance to the final extortion demands, executing them at speeds many times faster than human operators.

AI-fueled Ransomware-as-a-Service platforms may empower even novice hackers to unleash polymorphic malware that mutates on the fly or deploys deepfake videos to blackmail executives.

The victim count of these attacks could explode, as attackers scale high-volume operations against third-party vendors. Extortion tactics may evolve toward insidious data tampering and reputational sabotage, eroding trust in brands overnight.

To stay ahead, Kaspersky advises organisations to invest in threat intelligence and proactive detection, and implement immutable, air-gapped backups. There should be thorough supply chain audits and advanced multi-factor authentication. Targeted training should be rolled out to counter AI-enhanced phishing schemes.

Ransomware’s 2025 rampage – marked by AI boosts, targeted strikes, and ballooning costs – serves as a warning for the business world.

Come 2026, autonomous threats could overwhelm the unprepared, but with due attention to resilient protection models, companies can not only survive, they can thrive.

The choice is clear: evolve faster than the attackers, or risk becoming their next headline casualty.

To effectively counter ransomware, start by enabling dedicated protection across all endpoints. For non-industrial companies, implement anti-APT and EDR tools to enhance threat discovery, detection, investigation, and rapid incident remediation.

Additionally, equip SOC teams with up-to-date threat intelligence and ongoing professional training, all of which can be accessed through comprehensive platforms like Kaspersky Next to build a resilient defence strategy.

For organisations in the industrial sector, adopt a specialised ecosystem such as Kaspersky Industrial CyberSecurity (KICS), which combines OT-grade technologies, expert insights, and a native Extended Detection and Response (XDR) platform tailored for critical infrastructure.

This solution offers robust network traffic analysis, endpoint protection, and response capabilities, bridging traditional IT security with industrial-specific measures to thwart sophisticated threats.

The report revealed that eight African countries were ranked among the top 20 most attacked nations worldwide, with Nigeria placing 13th.

Ethiopia led the African rankings, topping the global list with a Normalised Risk Index of 98.2%, while Uganda, Angola, and Ghana secured the 8th, 9th, and 11th spots, respectively. 

Nigeria followed closely with a Normalised Risk Index of 62.3%. Other African countries on the list included Kenya (17th), Mozambique (18th), and Côte d’Ivoire (20th).

The African continent is being targeted for its growth in digital technology leverage, with cybercriminals using sophisticated tactics like artificial intelligence (AI)-driven ransomware.

One of the major groups in December was FunkSec, a new ransomware-as-a-service (RaaS) group responsible for 14% of all reported ransomware attacks that month. 

FunkSec’s growth has been linked to its AI-powered double-extortion techniques, where stolen data is both encrypted and held for ransom. Although many of FunkSec’s victim reports were questioned for authenticity, the group’s rise poses a huge threat to global cybersecurity.

In addition to FunkSec, other malware families such as FakeUpdates and AgentTesla were also disturbing threats in December. FakeUpdates impacted 5% of organisations globally, while AgentTesla used keylogging and credential theft to target 3% of businesses.

Mobile devices were not spared, with banking Trojans like Anubis and Necro exploiting vulnerabilities to steal credentials and install malicious software.

The growing sophistication of cyberattacks reiterates the need for enhanced cybersecurity measures. Maya Horowitz, vice president of Research at Check Point, emphasised that organisations must stay ahead of these threats by adopting advanced security tools to defend against AI-powered ransomware and other emerging risks.

Cybercriminals are targeting high-value systems and using sophisticated encryption methods to extort businesses. 

Hence, organisations must focus on building stronger defences against ransomware groups, including RansomHub and LeakeData, as mentioned in the global threat index report, strengthening their security strategies to mitigate the risks caused by these evolving threats.