Ransomware in 2026: Data Extortion Is the New Normal

Marcus Chen··6 min read
Security analysts monitoring threat dashboards in an operations center

Ransomware in 2026 looks different from the ransomware most playbooks were written for. The defining shift is not bigger encryption demands, it is the quiet disappearance of encryption altogether. A growing share of groups now skip locking files and go straight to stealing data and threatening to leak it. For CISOs, that changes the math on backups, detection, and where to invest. But one thing has not changed: almost every attack still begins with a person.

The volume tells part of the story. Tracking by multiple threat intelligence teams put February 2026 at roughly 680 victims across about 54 active groups, near the high end of recent months. The composition of those attacks is what security leaders need to understand.

Who Led the Pack: Qilin and a Crowded Field

Qilin (also tracked as Agenda) was the most active ransomware group in early 2026, claiming around 104 victims in February, its second consecutive month at the top. That consistency points to stable, well-resourced infrastructure rather than a one-off spike. A wider field of Ransomware-as-a-Service (RaaS) operations filled out the rest of the leaderboard, with names like INC Ransom, DragonForce, and others trading places month to month.

Sector targeting also sharpened:

  • Manufacturing was the most-targeted sector, prized for low downtime tolerance that pressures fast payment.
  • Healthcare victims surged, more than doubling from January to February, a roughly 133% jump that put hospitals and clinics squarely in the line of fire.

For a deeper monthly breakdown, Securelist's state of ransomware in 2026 tracks these shifts in detail.

The Big Trend: Encryption-Less Extortion

The headline development of 2026 is the rise of extortion without encryption. Instead of deploying a payload that scrambles files, attackers exfiltrate sensitive data and rely entirely on the threat of public disclosure to force payment. Several groups have abandoned encryption outright.

The logic is brutally efficient:

  • It shortens dwell time. Stealing data is faster than encrypting an entire environment, which means a shorter window for defenders to detect and respond.
  • It sidesteps backups. If nothing is encrypted, restoring from backup does not solve the problem, the data is still in the attacker's hands.
  • It lowers operational complexity. No decryptor to build, test, or support.

This sits alongside the continued layering of pressure tactics. Double extortion (encrypt plus leak) has expanded into triple and quadruple extortion, adding distributed denial-of-service attacks and direct harassment of a victim's customers or patients to force payment even when backups exist.

When stealing the data is the entire business model, recovery is no longer about restoring systems, it is about whether the data ever left in the first place. Prevention beats recovery.

The RaaS Economy Behind the Numbers

These trends are not the work of isolated hackers. They are the output of a mature criminal economy. Ransomware-as-a-Service splits the work between core operators, who build and maintain the malware, leak sites, and negotiation infrastructure, and affiliates, who carry out the intrusions in exchange for a cut of the proceeds.

That structure shapes attacker behavior in ways defenders should understand:

  • Competition for affiliates drives features. As payment rates fall, operators must offer affiliates more to stay attractive. Some now bundle distributed denial-of-service capabilities or data-leak tooling as a differentiator.
  • Affiliates favor reliable, low-cost entry. Because affiliates are paid on results, they gravitate to the cheapest dependable way in, phishing and purchased or stolen credentials, rather than expensive zero-day exploits.
  • Specialization lowers the skill bar. Initial-access brokers sell footholds to affiliates, meaning even an unsophisticated actor can buy their way into a network someone else phished into.

The practical takeaway is that the economics push attackers toward the human layer, not away from it. Defenders who make phishing and credential abuse expensive and unreliable strike at the part of the supply chain affiliates depend on most.

The Constant: Ransomware Starts With the Human Layer

Amid all this evolution, the entry point has barely budged. Phishing and stolen or reused credentials remain the most common ways attackers gain their initial foothold. RaaS lowers the technical bar, so affiliates lean on the reliable classics: a convincing email, a credential-harvesting page, a password reused from a prior breach.

That is good news for defenders, because it means the most effective place to break the attack chain is also the earliest and cheapest. If the phish never gets clicked and the stolen password no longer works, the rest of the kill chain never starts. Encryption-less extortion makes this even more important: once data is exfiltrated, there is no "undo." The only reliable win is to stop the intrusion before exfiltration begins.

It is worth being precise about how these intrusions typically unfold. An employee receives a convincing email and either enters credentials on a fake login page or opens an attachment that installs a loader. The attacker uses that access to move laterally, escalate privileges, and locate the most sensitive data. Only then does the extortion, encryption, data theft, or both, take place. Every stage after the first depends on that initial human-enabled foothold succeeding. Deny the foothold and the entire sequence collapses before it can cause harm.

What CISOs Should Do Now

Defending against 2026-era ransomware means investing where attacks begin and assuming that, if data leaves, you cannot get it back. Three priorities stand out:

  1. Harden the human layer. Ongoing security awareness training and realistic phishing simulation measurably reduce click rates over time. The strongest programs pair every simulated failure with a teachable-moment debrief, so a mistake becomes a lesson rather than a statistic. empowsec's phishing simulation and awareness training are built around that loop, and its report-phishing add-ons for Gmail and Google Workspace and for Outlook turn employees into an early-warning network with one-click reporting.
  2. Deploy phishing-resistant MFA. Standard MFA is increasingly defeated by real-time phishing and push fatigue. CISA recommends phishing-resistant MFA, such as FIDO/WebAuthn passkeys and hardware keys, as the gold standard for email, VPNs, and access to critical systems. See the CISA phishing-resistant MFA fact sheet. When a stolen credential cannot complete a login, credential theft loses much of its payoff.
  3. Test your backups and your incident plan. Backups will not undo a data leak, but they remain essential for the encryption attacks that still occur, and they shorten recovery. Maintain tested, offline, immutable backups and rehearse the response. CISA's #StopRansomware Guide is a practical baseline.

None of these are silver bullets on their own. Together they raise the cost of an attack at every stage, starting with the inbox, where most ransomware still begins.

Key Takeaways

  • Qilin led ransomware activity in early 2026 (around 104 victims in February), within a field of roughly 54 active groups and about 680 victims that month.
  • Manufacturing was the most-targeted sector, while healthcare victims jumped roughly 133% from January to February.
  • The defining 2026 trend is encryption-less extortion, pure data theft and leak threats, alongside double, triple, and quadruple extortion.
  • Despite this evolution, phishing and stolen credentials remain the top initial-access vectors, the human layer is still the front line.
  • Prioritize awareness training with teachable-moment debriefs, phishing-resistant MFA, and tested backups, because once data is stolen, there is no undo.
Share: