
Ransomware and Extortion Threat to Persist in 2026

By Juan Carlos Vázquez - Halcyon
Sales Specialist and Solutions Architect

Wed, 11/26/2025 - 06:00

Ransomware remains one of the most destructive and costly threats facing organizations today. The financial and operational toll of these attacks continues to escalate, with the average ransom demand reaching US$3.5 million, according to Comparitech. Victims are often forced to make high-stakes decisions under extreme pressure, weighing the risk of prolonged downtime, data exposure, and reputational damage against the cost of paying a criminal enterprise.

Google's forecast for 2026 is that the combination of ransomware, data theft, and multifaceted extortion will remain the most financially disruptive category of cybercrime globally.

Coalition’s "2025 Cyber Claims Report" underscores the severity of the threat landscape organizations are navigating. While the tactics may evolve, the impact has remained consistently high across industries. Nearly half of targeted organizations ended up paying a ransom, even after negotiations, reflecting the immense leverage attackers hold once systems are encrypted and sensitive data is stolen.

The downstream effects of a ransomware attack extend far beyond the moment of encryption. Organizations can face weeks or months of recovery efforts, disruption to core services, regulatory scrutiny, and lasting damage to brand trust. As we move through 2025, the costs of unpreparedness are clearer than ever.

Ransomware is not just a cybersecurity concern; it is a persistent operational and financial threat with enterprise-wide consequences.

On the technical side, ransomware groups are becoming increasingly aggressive and have evolved their tactics, techniques and procedures:

  • Security bypass: DragonForce now uses BYOVD (bring your own vulnerable driver) to load a signed but exploitable driver and disable kernel-level defenses, while others rely on intermittent encryption, encrypting only portions of each file, to finish faster and slip past EDR.
  • Virtual infrastructure under siege: ransomware crews like Qilin and Medusa are aggressively targeting VMware ESXi hosts with custom payloads built for virtualized environments, where encrypting a single hypervisor takes down every virtual machine it runs.
  • Living off the land, remotely: threat actors like Sarcoma and others abuse legitimate remote monitoring and management (RMM) tools for stealthy reconnaissance and lateral movement, blending in with normal IT traffic to extend dwell time undetected.
  • Smarter payloads, smarter theft: threat actors like Akira, Qilin, Arcus Media, and DevMan are consolidating tools, harvesting browser-stored credentials, and deploying modular ransomware frameworks purpose-built for speed, stealth, and disruption.

Top 3 Threat Actors in Mexico

Every week, and often every day, we observe a threat actor group with verifiable victims demanding a ransom payment. As an example, these are the top three groups in the Ransomware-as-a-Service (RaaS) ecosystem observed in recent months globally and in Mexico:

Akira: The combination of technical advancement and attack volume has put Akira at the top of the ransomware threat landscape. Emerging in March 2023, Akira has been widely speculated to include former members of the defunct Conti gang, given its similarities to leaked Conti code, but no definitive link has been established. After briefly pivoting to pure data extortion, Akira returned to a double-extortion model, encrypting files in addition to exfiltrating sensitive data. The group was among the earlier adopters of interactive extortion portals with built-in chat, now a common feature across RaaS operations. In rare instances, Akira has disclosed the initial infection vector to victims who paid, an atypical gesture among ransomware crews. By April 2024, Akira had extorted around US$42 million from over 250 victims, and it ramped up activity with a major spike in November, leaking data from more than 35 victims in a single day. The group remained highly active into 2025, holding a top-tier position among ransomware operators despite a brief slowdown in April. As of 2Q25, Akira's demands continue to vary widely, typically from US$200,000 to over US$5 million, priced on the victim's size, sector, and perceived ability to pay.

Akira continues to evolve its tooling and tradecraft. The group initially developed a Rust-based encryptor for VMware ESXi servers but has since standardized on C++ variants for both Windows and Linux. Initial access typically comes through stolen or brute-forced VPN credentials, after which the operators use credential-dumping tools such as Mimikatz, disable endpoint detection and response (EDR) products, and escalate privileges within the environment. Before encryption, the ransomware uses PowerShell to delete Windows Volume Shadow Copies, making recovery without a decryptor (or offline backups) difficult. It targets a wide range of file types but skips critical system extensions (.exe, .dll, .sys, .msi, and .lnk) to keep the system stable and reduce the chance of early detection.

Akira remains focused on North America, Europe, and Australia, with some activity extending into South America and Asia, and continues to strike education, finance, manufacturing, healthcare, and increasingly mid-sized government and municipal organizations. Victims face both data loss and public exposure: the group regularly leaks large volumes of stolen information on its darknet site to pressure organizations into paying.

Lynx: Lynx has maintained a steady pace of attacks since first emerging in July 2024, with a continued focus on the manufacturing, construction, and industrial sectors. Despite claiming to avoid government, healthcare, and nonprofit targets, the group consistently disrupts high-impact organizations. Lynx primarily targets Windows environments, encrypting files with the .lynx extension and deleting shadow volume copies to hinder recovery. Its initial access methods remain largely undocumented, but available evidence points to phishing emails, malicious downloads, and possibly compromised RDP credentials. Attack volume has kept climbing, with over 130 confirmed victims listed on its data leak site, up from 96 at the end of 1Q25, underscoring the group's expanding operational footprint and rising impact across targeted sectors.

Lynx's ransom demands are also largely undocumented, but one confirmed case involved a demand of US$18.1 million following the theft of 30GB of sensitive data. While ransom demands across groups average around US$600,000, Lynx appears to tailor its demands to the victim's size, industry, and the perceived value of the stolen data. The group has primarily targeted organizations in the United States, maintaining a strong focus on manufacturing and construction while expanding into engineering, logistics, and industrial services. Lynx uses both single and double extortion, encrypting files and exfiltrating sensitive data to maximize pressure; victims who decline to pay are named on the group's Tor-hosted leak site, where portions of the stolen data are published to coerce payment and amplify reputational damage. Lynx operates a selective RaaS model that offers affiliates up to 80% of ransom payments and supports them with a full-featured platform for managing attacks and extortion.

Medusa: Medusa remains one of the most aggressive and persistent RaaS operations since its emergence in mid-2021, consistently ranking among the most active threat groups. It has kept its momentum by exploiting vulnerabilities such as CVE-2023-48788 in Fortinet's FortiClient EMS and by deploying evasion tactics such as rebooting systems into safe mode, where most endpoint defenses do not load. The group now also targets ESXi environments, expanding its reach into virtualized infrastructure. Medusa sabotages recovery by deleting local backups, disabling startup recovery options, and wiping Volume Shadow Copies (VSS), making data restoration virtually impossible without a decryptor or offline backups.

Medusa has grown steadily since 2021, with a major surge by 2Q24 that pushed it into the top tier of active ransomware groups, and its activity remained high through 1Q25 and into 2Q25, confirming its status as a persistent threat. Ransom demands vary significantly, typically from US$100,000 to US$15 million, depending on the victim's size, industry, and the sensitivity of the exfiltrated data. The group takes a strategic approach to target selection, prioritizing healthcare, pharmaceuticals, and government while expanding into education, manufacturing, and technology, and it operates as a RaaS platform offering affiliates up to 80% of ransom payments, which has fueled its sustained activity. Medusa employs double extortion, encrypting files and exfiltrating data, and has been observed using triple extortion, demanding additional payments for full decryption or to delay data leaks. Victim data is published on its Tor-hosted leak site, often with added pressure tactics such as daily leak countdowns or pay-to-delay options.
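The recovery-sabotage steps described for Akira (PowerShell deletion of Volume Shadow Copies), Lynx (shadow copy deletion) and Medusa (deleting local backups, disabling startup recovery, wiping VSS, rebooting into safe mode) all leave a command line in process-creation telemetry, which makes them one of the last reliable detection points before encryption starts. The following is an added example of that detection logic; it is not code from this article, from Halcyon, or from any vendor product. It assumes Sysmon Event ID 1 or Security 4688 records with a command-line field (here reduced to dicts), uses constructed sample events rather than real incident data, and its rule names, severities and 15-minute escalation window are illustrative choices. The ATT&CK IDs referenced are T1490 (Inhibit System Recovery) and T1562.009 (Impair Defenses: Safe Mode Boot).

```python
"""Detecting ransomware recovery sabotage from process-creation telemetry.

Added example (not the article's, Halcyon's, or any product's code). Scores
constructed Sysmon EID 1 / Security 4688 style records for the "inhibit
recovery" commands associated with Akira, Lynx and Medusa. Rule names,
severities, the escalation window and all sample events are illustrative.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY = ["low", "medium", "high", "critical"]  # ascending order


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # MITRE ATT&CK technique ID
    pattern: re.Pattern
    severity: str


def _p(expr: str) -> re.Pattern:
    return re.compile(expr, re.IGNORECASE)


# T1490 = Inhibit System Recovery, T1562.009 = Impair Defenses: Safe Mode Boot
RULES = [
    Rule("vssadmin_delete_shadows", "T1490",
         _p(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"), "high"),
    # Backup agents legitimately resize shadow storage, so this one stays medium
    # unless it appears alongside another sabotage command.
    Rule("vssadmin_resize_shadowstorage", "T1490",
         _p(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"), "medium"),
    Rule("wmic_shadowcopy_delete", "T1490",
         _p(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "high"),
    Rule("powershell_shadowcopy_remove", "T1490",
         _p(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))"), "high"),
    Rule("wbadmin_delete_backup", "T1490",
         _p(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b"), "high"),
    Rule("bcdedit_disable_recovery", "T1490",
         _p(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"), "high"),
    Rule("bcdedit_safeboot", "T1562.009",
         _p(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b"), "high"),
]


@dataclass
class HostFinding:
    rules: set = field(default_factory=set)
    techniques: set = field(default_factory=set)
    severity: str = "low"
    first_seen: datetime | None = None
    last_seen: datetime | None = None


def match_rules(event: dict) -> list[Rule]:
    """Return every rule whose pattern matches the event's command line."""
    return [r for r in RULES if r.pattern.search(event.get("CommandLine", ""))]


def analyze(events: list[dict], window: timedelta = timedelta(minutes=15)) -> dict[str, HostFinding]:
    """Group rule hits per host; escalate to critical when two or more distinct
    sabotage commands run on one host inside `window`. A lone shadow-storage
    resize may be a backup agent; VSS deletion followed by bcdedit changes
    within seconds is the pre-encryption pattern."""
    findings: dict[str, HostFinding] = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        f = findings.setdefault(ev["host"], HostFinding())
        f.first_seen = ts if f.first_seen is None else min(f.first_seen, ts)
        f.last_seen = ts if f.last_seen is None else max(f.last_seen, ts)
        for r in hits:
            f.rules.add(r.name)
            f.techniques.add(r.technique)
            if SEVERITY.index(r.severity) > SEVERITY.index(f.severity):
                f.severity = r.severity
    for f in findings.values():
        if len(f.rules) >= 2 and f.last_seen - f.first_seen <= window:
            f.severity = "critical"
    return findings


# Constructed sample telemetry (not real incident data). Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-11-20T02:14:03", "host": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\w.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-11-20T02:14:05", "host": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\w.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"ts": "2025-11-20T02:14:06", "host": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\w.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2025-11-20T02:21:40", "host": "SRV-DB1", "User": "CORP\\svc_admin",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit.exe /set {default} safeboot network"},
    {"ts": "2025-11-20T03:00:00", "host": "BK-01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\BackupAgent\agent.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"ts": "2025-11-20T03:05:12", "host": "WS-017", "User": "CORP\\mlopez",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {f.severity:8s} {sorted(f.techniques)} {sorted(f.rules)}")
```

On the sample data the workstation that runs three sabotage commands in three seconds is escalated to critical, the database server that is set to boot into safe mode (the Medusa pattern) is high, the backup server's shadow-storage resize stays at medium, and the benign `vssadmin list shadows` produces no finding. Command-line logging must be enabled (Sysmon, or 4688 with "Include command line in process creation events") for any of this to fire; attackers who already have SYSTEM can also call the VSS COM interfaces directly without spawning vssadmin, so this logic is one layer, not the only one.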

Other actors such as Play, DragonForce, SafePay and Qilin have also been highly active, impacting many organizations.

According to the "Google Cybersecurity Forecast 2026" report, the 2,302 victims listed on data leak sites (DLS) in 1Q25 were the highest single-quarter count observed since tracking of those sites began in 2020, confirming the maturity of the cyber extortion ecosystem.

Mexico ranks as the second most affected country by ransomware attacks in Latin America, according to a recent report titled "Ransomware in LATAM – First Half of 2025" by SCILabs of Scitum Telmex. According to SCILabs telemetry, attacks in Latin America rose 8.73% during the first six months of the year compared with the previous half-year. Manufacturing, technology and government have been the most targeted verticals in the region.

Call to Action

Organizations must realize they are in this fight alone and should urgently prioritize both prevention and resilience measures. They must also ensure they are prepared to respond swiftly and effectively when, not if, an attack occurs. Preemptive cyber defenses and specialized anti-ransomware technologies are crucial to blunt the impact. The stakes have never been higher, and waiting for systemic intervention is no longer an option.
