Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) 2026 reveals a rapidly evolving cybercrime ecosystem, marked by professionalized ransomware operations, the exploitation of AI, and deepening ties between cybercriminals and hybrid threat actors. The report, covering trends from 2025, highlights a shift in extortion tactics, the rise of ransomware-as-a-service (RaaS), and the growing intersection of cybercrime with broader criminal networks. ### Ransomware Dominates, Tactics Evolve Ransomware remains the EU’s most pervasive cyber threat, with over 120 active brands observed in 2025. Attackers are moving away from traditional data encryption, instead favoring pure data theft and extortion, leveraging psychological pressure tactics such as DDoS attacks, corporate email spamming, and cold-calling victims. The report notes that enterprises are often less prepared for data leaks than encryption, making this shift particularly effective. The RaaS model has lowered the barrier to entry, enabling even low-skilled actors to launch attacks using bundled toolkits. These platforms now offer integrated services, including botnets for payload delivery, data exfiltration infrastructure, machine learning support, and ransom negotiation tools. Operators take a cut of each payment, incentivizing the development of streamlined, all-in-one offerings. Key ransomware groups in 2025 include: - Qilin: A dominant player with ties to the defunct Conti group, offering high affiliate payouts (up to 85%) and automated exploitation of Fortinet SSL VPN vulnerabilities. - Akira: Linked to Conti, expanding attacks to virtualized environments via SonicWall VPN flaws. - DragonForce: A modular, service-driven group using leaked Conti and LockBit code, specializing in tailored extortion for high-value targets. - LockBit: Struggled to recover after its 2024 takedown but released a cross-platform variant with enhanced anti-forensics. - Cl0p & Play: Closed groups operating with strict internal security, targeting critical infrastructure and deploying double extortion. A new alliance between DragonForce, LockBit, and Qilin emerged in late 2025, signaling deeper collaboration in the ransomware ecosystem. Meanwhile, semi-closed and closed groups such as Fog and BlackBasta are adopting tighter control, recruiting only trusted affiliates and developing proprietary tools to evade detection. ### Hybrid Threats and Cybercrime-as-a-Service The IOCTA 2026 report warns of blurring lines between cybercriminals and hybrid threat actors, with state-linked groups increasingly using criminal networks as proxies for disruptive operations. In the cybercrime-as-a-service (CaaS) economy, hybrid actors are simply another customer, complicating attribution and enforcement. A notable development is the Scattered LAPSUS$ Hunters (SLSH) alliance, formed in August 2025 by Scattered Spider, ShinyHunters, and LAPSUS$. These English-speaking groups specialize in SIM swapping, social engineering, insider recruitment, and large-scale data theft, targeting corporations, healthcare, and transport sectors. Their tactics include persistent harassment post-payment, and some members have ties to The Com network, a criminal ecosystem linked to extremism and child exploitation. ### AI, Infostealers, and DDoS as Enablers Cybercriminals are rapidly adopting AI tools to automate attacks, enhance social engineering, and blur the line between legitimate and malicious technology. Infostealers remain a critical enabler, fueling a broad illicit market that supplies ransomware affiliates, fraudsters, and initial access brokers (IABs). DDoS attacks persist as a low-effort, high-impact tool, often used for extortion or ideological disruption. While mitigation measures have improved, the minimal resources required make DDoS a sustainable strategy for destabilization, with targets including governments and critical infrastructure. ### Law Enforcement Challenges and Future Outlook Europol’s Executive Director, Catherine De Bolle, emphasized the urgent need for proactive, collaborative efforts to counter cybercrime’s accelerating pace. The report calls for: - Investment in AI capabilities for law enforcement. - Stronger cross-border cooperation and data retention policies. - Closer private-sector collaboration to access critical data held by online service providers. The IOCTA 2026 report concludes that the cybercrime landscape will continue evolving at speed, driven by advanced tools and complex criminal networks. Law enforcement’s ability to close the "velocity gap" matching the pace of cybercriminal innovation will determine its effectiveness in the coming years.