Ransomware attacks continue to escalate globally, becoming one of the most serious cybersecurity threats to businesses and institutions. According to the latest ESET report, the year 2025 saw more than 6,900 reported victims, about 40% more than in 2024. Sectors such as construction, health and technology were among the most affected, and the financial impact was significant. A relevant example is the incident that affected Jaguar Land Rover, where global production was halted, resulting in an estimated loss of US$2.5 billion.
New actors and emerging tactics
In addition to the increase in the volume of attacks, the ransomware ecosystem has undergone important transformations. RansomHub Group, previously the market leader, was ousted by a competitor, and Qilin became the main player in the ransomware-as-a-service (RaaS) space, followed by Akira. A surprising element is the emergence of the Warlock group – a discreet but highly active and technically advanced actor. Analysis shows that Warlock uses legitimate tools like Velociraptor and Visual Studio Code to create hidden remote connections, making detection much more difficult.
For a detailed analysis, you can consult ESET's 2026 anti-ransomware guide free of charge.
EDR killer tools and bypass methods
Modern attackers no longer rely only on classic vulnerabilities; they develop dedicated tools to neutralize security solutions. In 2025, “EDR killer” programs became more common, used to disable detection and response mechanisms. The dominant method remains BYOVD (Bring Your Own Vulnerable Driver), which gives the attacker code execution at the kernel level and lets them remove active protections. A much more discreet method is demonstrated by a tool called “EDR-Freeze”, which bypasses security solutions directly from user mode, via Microsoft’s Windows Error Reporting (WER) system. The technique eliminates the need for a vulnerable driver and puts EDR security agents into a hibernation state. According to experts, the trend will continue in 2026: “EDR killer” programs will remain in the arsenal of cybercriminals and will certainly be joined by new ones in future campaigns.
As a preventive measure, specialists recommend enabling detection of potentially unwanted applications (PUA) in protection solutions, so that the installation of vulnerable drivers is blocked from the start.
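Both patterns described above, legitimate remote tooling (VS Code tunnels, Velociraptor) used for covert access in the Warlock section and the BYOVD driver loads behind most EDR killers, leave traces in ordinary process-creation and driver-load telemetry. The script below is an added example written for this page; it is not ESET's code and does not come from the report. The event lines, the vulnerable-driver hash blocklist and the approved Velociraptor install directory are all constructed assumptions; a real deployment would feed it Sysmon or EDR events and a maintained blocklist such as Microsoft's vulnerable driver list.

```python
"""Added example: simple detection rules over constructed endpoint events.

Rules implemented:
  1. vscode_remote_tunnel       - Code.exe started with the 'tunnel' subcommand
  2. velociraptor_unapproved_path - velociraptor.exe running outside the approved directory
  3. vulnerable_driver_load     - a driver whose SHA-256 is on the blocklist was loaded
"""
import ntpath
import re
from dataclasses import dataclass

# key=value pairs, values optionally double-quoted (constructed log format)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# command-line tokens: quoted strings or bare words
ARG_RE = re.compile(r'"[^"]*"|\S+')

# Constructed blocklist. The hash below is a placeholder, not a real driver hash.
VULNERABLE_DRIVER_SHA256 = {
    "a" * 64: "constructed example of a known-vulnerable driver",
}
# Assumption: the organization only deploys Velociraptor from this directory.
APPROVED_VELOCIRAPTOR_DIRS = (r"C:\Program Files\Velociraptor",)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'type=process host=WS01 user=bob image="C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe" cmdline="Code.exe tunnel --accept-server-license-terms --name ws01"',
    r'type=process host=WS01 user=bob image="C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe" cmdline="Code.exe C:\Users\bob\src\app"',
    r'type=process host=SRV02 user=SYSTEM image="C:\ProgramData\tmp\velociraptor.exe" cmdline="velociraptor.exe --config client.config.yaml client"',
    r'type=process host=SRV03 user=SYSTEM image="C:\Program Files\Velociraptor\velociraptor.exe" cmdline="velociraptor.exe --config client.config.yaml client"',
    r'type=driver host=SRV02 image="C:\Windows\Temp\drv.sys" sha256=' + "a" * 64,
    r'type=driver host=SRV02 image="C:\Windows\System32\drivers\ndis.sys" sha256=' + "b" * 64,
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one 'key=value key="quoted value"' line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def split_args(cmdline: str) -> list:
    """Split a command line into arguments, dropping surrounding quotes."""
    return [tok.strip('"') for tok in ARG_RE.findall(cmdline)]


def check_process(ev: dict) -> list:
    """Rules 1 and 2: covert remote access through legitimate tooling."""
    image = ev.get("image", "")
    name = ntpath.basename(image).lower()
    args = split_args(ev.get("cmdline", ""))
    host = ev.get("host", "?")
    alerts = []
    # Rule 1: the VS Code CLI 'tunnel' subcommand exposes the host to a remote session.
    if name in ("code.exe", "code") and len(args) > 1 and args[1].lower() == "tunnel":
        alerts.append(Alert("vscode_remote_tunnel", host, ev.get("cmdline", "")))
    # Rule 2: a Velociraptor client outside the managed install path is not ours.
    if name == "velociraptor.exe":
        folder = ntpath.dirname(image).lower()
        if not any(folder == d.lower() for d in APPROVED_VELOCIRAPTOR_DIRS):
            alerts.append(Alert("velociraptor_unapproved_path", host, image))
    return alerts


def check_driver(ev: dict) -> list:
    """Rule 3: a driver load whose hash is on the vulnerable-driver blocklist."""
    digest = ev.get("sha256", "").lower()
    if digest in VULNERABLE_DRIVER_SHA256:
        detail = f'{ev.get("image", "?")} ({VULNERABLE_DRIVER_SHA256[digest]})'
        return [Alert("vulnerable_driver_load", ev.get("host", "?"), detail)]
    return []


def scan(lines) -> list:
    """Run every rule over a sequence of event lines and return the alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process":
            alerts.extend(check_process(ev))
        elif ev.get("type") == "driver":
            alerts.extend(check_driver(ev))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Run as-is it reports three alerts from the six sample events and stays silent on the normal VS Code launch, the approved Velociraptor client and the stock `ndis.sys` load. The hash rule is only as good as the blocklist behind it, which is why the article's advice to let the endpoint product's PUA detection block vulnerable drivers at install time is the stronger control; this script is the kind of secondary check a SOC would run over collected telemetry.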
Artificial Intelligence – a new attack vector
Artificial Intelligence is increasingly becoming an ally of cybercriminals, who have always had a strong appetite for adopting the latest technologies. An illustrative example is the PromptLock ransomware, discovered by ESET in 2025 as the first malware to incorporate a local AI model. PromptLock generates malicious scripts in real time using a large language model (LLM) and automatically analyzes the victim’s files to decide whether to encrypt or exfiltrate them. Although PromptLock turned out to be a simple proof-of-concept, built and freely published by a team of academics from NYU, it demonstrates that Artificial Intelligence can “dramatically facilitate” the execution of sophisticated attacks and can significantly complicate their detection.
These findings also align with the observations of Google experts, who point to the existence of experimental malware packages such as PromptFlux and PromptSteal, which use LLMs to generate malicious code on demand and reconfigure their behavior dynamically. Also reported are threats such as QuietVault, a malware that steals credentials (GitHub/NPM tokens) and then uses AI prompts and local tools to automatically search for other secrets on the compromised system and exfiltrate them. Attackers even manage to “fool” AI safety barriers through advanced social engineering, posing as researchers or students to convince AI models to generate malicious code that bypasses the protection filters.
That’s why in 2026, we can expect AI-assisted attacks to grow in complexity, becoming increasingly difficult to detect as malware becomes self-adaptive.
ESET provides a detailed report that includes useful recommendations for strengthening organizational security and for effective response in the event that a ransomware attack manages to bypass defense measures. You can access ESET’s complete guide to advanced protection here.
Recommendations for protection in 2026
For this year, experts recommend strengthening basic security measures with a few simple steps:
- Keep systems and applications up to date by installing available security patches and periodically checking for known vulnerabilities.
- Enable multi-factor authentication (2FA) wherever possible, with particular attention to remote access services (e.g. RDP, VPN).
- Use robust endpoint security solutions backed by EDR capabilities.
- Configure potentially unwanted application (PUA) detection to block potentially malicious “EDR killer” tools.
- Back up your data regularly and store it offline or in a separate, immutable environment.
- Educate employees through awareness sessions on phishing, vishing and other social engineering methods.
ESET attack prevention solutions
ESET offers state-of-the-art digital security solutions developed to anticipate and prevent cyber attacks before they materialize. The new Ransomware Remediation functionality, integrated into ESET solutions, is a proprietary technology that helps automatically restore encrypted files if ransomware is detected at a later stage of the attack, after the encryption process has already begun. For organizations that need a higher level of protection, ESET MDR adds a critical layer of security by combining 24/7 continuous monitoring with the expertise of ESET analysts. By leveraging XDR capabilities, event correlation and active incident response, MDR enables the identification and blocking of advanced attacks in their early stages, including those that evade classical detection. ESET security solutions are always available for free download and testing and can be requested here.
By integrating human expertise with the power of Artificial Intelligence, ESET remains at the forefront of protection against emerging and known cyber threats, ensuring the security of businesses, critical infrastructures and individual users. Regardless of the type of protection required – endpoint, cloud or mobile – cloud-first, AI-powered solutions are both effective and easy to use. In addition to real-time, 24/7 defense, ESET also offers effective localized support (including in Romania), actively engaging in the research of the newest threats through its own R&D centers, including the one in Iasi, and through an extensive global network of partners.
