Tags: malware, high, DDoS-as-a-Service, Insider Threat, Ransomware, Social Engineering, Chaos ransomware, Chaos ransomware group

Jan 05, 2026 • Recorded Future

New ransomware tactics to watch out for in 2026

Source: Recorded Future
Category: malware
Severity: high

Executive Summary

In 2025, ransomware attacks surged 47% to 7,200 reported incidents, yet payments declined, pushing attackers to evolve tactics. Key trends include bundling DDoS-as-a-Service with Ransomware-as-a-Service to retain affiliates, recruiting corporate insiders through native English speakers, and exploiting gig work platforms for physical office access. The ransomware ecosystem is globalizing, with 2026 projected as the first year where new actors outside Russia outnumber those within it. Defenders must strengthen insider threat programs, implement DDoS mitigation alongside ransomware readiness, enhance physical security for third-party workers, and verify IT help desk requests to counter these multi-pronged pressure tactics.

Summary

Ransomware groups made less money in 2025 despite a 47% increase in attacks, driving new tactics: bundled DDoS services, insider recruitment, and gig worker exploitation. Learn the emerging trends defenders must prepare for in 2026.

Published Analysis

Key Takeaways

  • Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.
  • Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.
  • Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.

The ransomware paradox: More attacks, less money

By most accounts, ransomware groups made less money in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to Recorded Future Intelligence, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, demonstrating a 47% increase. For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.

This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.

Trend 1: DDoS services return to the RaaS model

With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services. The newly formed Chaos ransomware group (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.

What this means for defenders: Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.

Trend 2: Insider recruitment attempts are accelerating

Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders. The most public example came earlier this year when a ransomware group attempted to recruit a reporter at the BBC. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.

What this means for defenders: Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.

Trend 3: Gig workers as unwitting attack vectors

According to a recent FBI advisory, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting...

Linked Entities

  • Chaos ransomware
  • Chaos ransomware group
  • REvil