In Episode 11, Omar Rao breaks down why ransomware in 2026 is no longer just about encryption. It is about leverage. From active groups like Qilin, Akira, Play, Cl0p, Medusa, DragonForce, and LockBit 5.0 to the newer tactics built around identity abuse, SaaS pressure, backup targeting, and AI-assisted tradecraft, this episode explains how modern ransomware crews really operate and what enterprises need to understand before access turns into business disruption.

A lot of people still think ransomware starts when the ransom note appears. That is already too late.

In this episode, I break down how ransomware in 2026 really works. It is no longer just about encrypting files. It is about leverage, identity abuse, stolen access, SaaS pressure, backup targeting, and recovery denial.

I also cover the groups making the most noise right now, including Qilin, Akira, Play, Cl0p, Medusa, DragonForce, and LockBit 5.0, along with the newer tactics shaping modern ransomware operations.

We cover:• How ransomware groups are getting in now• Why identity and SaaS matter more than ever• How AI is speeding up attacker tradecraft• What enterprises should do before access turns into pressure

If you work in security, incident response, IAM, cloud, backup, or executive leadership, this one is worth your time.

Listen, share with like-minded people, and let me know your thoughts.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit omarrao.substack.com