The Asia-Pacific region remained one of the most affected areas for ransomware activity in 2025, as cybercriminal groups increasingly moved from traditional file encryption to data theft and extortion, according to a Kaspersky report.
Kaspersky Security Network data showed ransomware detections affected 7.89 percent of organizations in Asia-Pacific, the second-highest regional share after Latin America, which recorded 8.13 percent. Africa followed at 7.62 percent, the Middle East at 7.27 percent, the Commonwealth of Independent States at 5.91 percent and Europe at 3.82 percent.
Although the overall share of organizations hit by ransomware declined slightly compared with 2024, Kaspersky said the threat remains serious because attackers are using more organized methods, automated intrusion tools and stolen data leaks to pressure victims.
Attackers focus on stolen data
The report said ransomware operators increasingly used “encryption-less” extortion in 2025. In such attacks, criminals steal sensitive information and threaten to publish it, rather than relying only on locking victims out of their systems.
Kaspersky researchers also reported the use of endpoint detection and response (EDR) “killers,” tools designed to disable security software before malware is launched. The company said these tools have become a regular part of ransomware operations.
Some ransomware families also began adopting post-quantum cryptography standards, a development Kaspersky said it had previously expected.
Access brokers lower the barrier for attacks
The report said Initial Access Brokers are playing a larger role in ransomware campaigns. These intermediaries sell access to already-compromised corporate networks through underground forums and messaging platforms.
Remote access systems, including RDWeb portals, are also being targeted more often as ransomware groups expand access-selling operations. Kaspersky said this model allows more attackers to launch ransomware campaigns without first breaking into networks themselves.
Telegram channels and dark web forums continued to be used for selling compromised data, credentials and network access. Authorities seized the RAMP underground forum in January 2026 and LeakBase in March 2026, both of which were linked to ransomware-related activity or compromised data distribution.
Based on data leak sites, Kaspersky identified Qilin as the most active ransomware-as-a-service operator in 2025, followed by Clop and Akira. The report said new groups are also emerging as some major ransomware operations shut down.
Kaspersky named The Gentlemen as one of the ransomware actors to watch in 2026, citing its rapid growth, structured operations and focus on data-based extortion.
Fabio Assolini, Lead Security Researcher at Kaspersky GReAT, said ransomware has become an organized ecosystem built around monetizing stolen data, disabling defenses and scaling attacks efficiently.
Kaspersky advised organizations to keep software updated, maintain reliable backups, deploy endpoint protection, strengthen staff cyber awareness and provide security teams with threat intelligence and professional training.




