H1 2026 ransomware: 48% more attacks, 29-minute breakout, and the new commodity floor

Kaspersky's H1 2026 state of ransomware report lands with a clear headline: the elevated attack volume from late 2025 is not a spike, it is the new baseline. 48% more attacks year-over-year, an average breakout time of 29 minutes, AI-assisted tooling in commodity kits, and zero-days exploited before disclosure in 42% of cases. Here is what the numbers mean and what security teams should do with them.

The headline numbers

Ransomware attacks increased 48% year-over-year and have held at this elevated volume for two consecutive half-year periods. The average eCrime breakout time fell to 29 minutes, with the fastest observed case reaching full domain compromise in 27 seconds. Cloud-conscious intrusions, those targeting cloud workloads and credentials, rose 37% overall. Check Point's corroborating data shows LockBit 5.0 claimed 163 victims in Q1 alone, a 106% quarter-over-quarter increase.

Speed is the new scale

A 29-minute average breakout time means that if detection alone takes 45 minutes, then by the time investigation and containment are added the domain is already compromised. Teams need to think in terms of pre-breakout detection: catching the initial access or lateral movement indicator before the threat actor has established redundant persistence and exfiltrated credentials. The fastest observed case at 27 seconds is an extreme, but the direction of the average is clear.

AI-assisted tooling is now in commodity kits

The Kaspersky report confirms what 2026 malware discoveries, including the Avalon kit, show: AI-assisted development is no longer a state-actor capability. Commodity ransomware kits show signs of AI-generated code modules, higher code diversity across samples, and faster feature iteration than human-authored malware has historically produced. Detection engineering that relies on signature stability needs to account for model-assisted polymorphism.

The zero-day exploitation picture

42% of vulnerabilities exploited by ransomware operators in H1 2026 were weaponized before public disclosure. Patching on CVE publication is no longer sufficient for high-value targets. Organizations in finance, healthcare, critical infrastructure, and government need compensating controls for known high-risk software categories even before a CVE is published, plus network segmentation to limit blast radius when a zero-day is used.

The CIS regional picture

The CIS region, which includes Georgia, Uzbekistan, and neighboring Central Asian and South Caucasus states, shows 5.91% organizational prevalence for ransomware attacks. That is below APAC (7.89%) and LATAM (8.13%) but above Europe (3.82%). For practitioners in the region, the figure means roughly 1 in 17 organizations experienced a confirmed ransomware detection in H1 2026. The actual compromise rate is higher: many organizations lack the telemetry to detect early-stage intrusions before encryption begins.

What security teams should take from this

Three actionable conclusions from the H1 2026 data:

  • Reset your detection thresholds to pre-breakout indicators. With a 29-minute average breakout, the goal is catching lateral movement indicators in the first minutes of intrusion, not post-encryption artifacts.
  • Treat patch timelines as risk windows, not compliance checkboxes. 42% of exploited vulnerabilities were weaponized before disclosure. High-exposure internet-facing systems need compensating controls before a CVE is published.
  • Update detection engineering for AI-assisted malware diversity. Signature-based detection calibrated against historically stable human-authored malware patterns will miss AI-generated variants with higher code diversity across samples.
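The pre-breakout detection described above, as an added example that is not code from the report or from this post: a small Python detector over constructed logon records that flags an account reaching several distinct hosts inside a trailing 29-minute window (the report's average breakout time) and reports how many minutes elapsed before that account's first lateral logon. The log format, host names, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): one successful network
# logon per line as "timestamp,account,source_host,destination_host".
SAMPLE_LOGONS = """\
2026-03-04T09:00:05,svc_backup,ws-017,ws-017
2026-03-04T09:03:40,svc_backup,ws-017,fs-02
2026-03-04T09:05:12,svc_backup,ws-017,dc-01
2026-03-04T09:06:30,svc_backup,ws-017,fs-03
2026-03-04T08:55:00,j.smith,ws-044,ws-044
2026-03-04T13:20:00,j.smith,ws-044,print-01
"""

BREAKOUT_BUDGET = timedelta(minutes=29)  # average breakout time cited by the report
FANOUT_THRESHOLD = 3                      # distinct hosts reached inside the budget (assumed)


def parse_logons(text):
    """Parse the constructed CSV lines into (timestamp, account, src, dst), time-ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)


def pre_breakout_alerts(text, budget=BREAKOUT_BUDGET, threshold=FANOUT_THRESHOLD):
    """Return {account: (minutes_to_first_lateral_logon, sorted_hosts)} for every
    account that touches `threshold` distinct hosts within a trailing `budget`."""
    recent = defaultdict(list)  # account -> [(ts, src, dst)] still inside the window
    alerts = {}
    for ts, account, src, dst in parse_logons(text):
        # Slide the window: drop events older than `budget` relative to this event.
        window = [e for e in recent[account] if ts - e[0] <= budget] + [(ts, src, dst)]
        recent[account] = window
        hosts = {d for _, _, d in window}
        lateral = [t for t, s, d in window if d != s]  # logons to a host other than the source
        if lateral and len(hosts) >= threshold and account not in alerts:
            minutes = (min(lateral) - window[0][0]).total_seconds() / 60
            alerts[account] = (round(minutes, 1), sorted(hosts))
    return alerts


if __name__ == "__main__":
    for account, (minutes, hosts) in pre_breakout_alerts(SAMPLE_LOGONS).items():
        print(f"ALERT {account}: first lateral logon after {minutes} min, hosts {hosts}")
```

The service account fans out to three hosts within six minutes and is flagged with a 3.6-minute time-to-lateral-movement, while the interactive user whose second logon comes hours later is not, because the trailing window has emptied.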

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss your ransomware detection posture.