The Symantec and Carbon Black Threat Hunter Team recently released its Ransomware 2026 report that contains helpful intelligence into the state of ransomware attacks and insight into how they are evolving, despite law enforcement’s success in taking down some of the largest ransomware gangs in 2025.
The very first statement is a sobering reality: “Ransomware activity reached record-high levels in 2025 as criminal actors continued to view extortion as one of the most lucrative forms of attack.”
The report notes that even though RansomHub (the number one ransomware operation) collapsed, there was “only a brief drop in ransomware attacks.” The statistics show that there were 6,182 extortion attacks in 2025, a 23% increase from 2024.
The report outlines the ambitious activities of the various ransomware groups in 2025. It highlights that, although new ransomware groups emerged, they all use similar tactics to achieve a solitary objective: “accessing the victim’s network, obtaining privileges to move laterally across the entire network before exfiltrating data, and delivering an encrypting payload to the maximum number of machines.” The threat actors are able to do this by using legitimate software to evade security measures put in place. “An awareness of the TTPs used by attackers will help organizations prepare their defenses and identify malicious behaviors on their networks.”
The report provides a detailed analysis of the TTPs that should be reviewed by security professionals, and the legitimate software used by threat actors to attack victims.
Finally, the report provides mitigation techniques that organizations can deploy to protect against targeted attacks which are well worth the read.