If you only followed the payment data, you might conclude that the ransomware problem is getting better. Average ransom payments fell 50% in 2025 [1]. Sixty-four percent of ransomware victims refused to pay in 2024, up from 50% in 2022 [1]. The trend lines all point the same direction: down.

Now look at the volume data. Ransomware attacks surged over 30% in early 2026 compared to the prior nine-month average [4]. H1 2025 leak site counts hit 3,734 victims, up 67% year over year, with 88 active groups at midyear. Thirty-five of those groups didn’t exist a year ago [3]. If the early 2026 pace holds, this year shatters every previous record [4].

The paradox (payments declining while attacks accelerate) isn’t a contradiction. It’s a strategy. And understanding that strategy is essential for any organization calibrating its cybersecurity investments based on what the ransomware economy is actually doing, rather than what the headline numbers suggest.

The ransomware economy found a new business model. It’s working.

The old model targeted large enterprises with eight-figure demands. It worked until payment rates fell and law enforcement dismantled the major syndicates. So the attackers adapted.

The new model is high-volume, low-margin. Instead of spending weeks on reconnaissance against a single large target, ransomware operators launch rapid campaigns against dozens or hundreds of smaller organizations. Lower payouts per victim. Made up on volume. If 26 out of 100 victims pay $400,000 each, that is still $10.4 million with minimal overhead [4][6][7].

The target profile has shifted accordingly. Ransomware is now present in 88% of SMB breaches versus 39% of large enterprise breaches [5]. SMBs offer weaker defenses, less mature recovery capabilities, and more payment urgency. They are the volume play. And they are largely unprepared for it.

Backups won’t save you from this one

Data exfiltration now accompanies 74% of ransomware incidents [4][8]. Sophos found that extortion-only attacks, demands with no encryption at all, doubled year over year [3][10]. The attackers don’t need to encrypt your files anymore. They just need your data. And they already have it.

Data-theft extortion flips the equation. The attacker exfiltrates customer records, financial data, intellectual property, and internal communications, then threatens to publish unless paid. Backups don’t help because the data is already gone. A healthcare organization that recovers from encryption in 48 hours still faces catastrophic consequences if patient records appear on a leak site. A financial services firm with immutable backups is still exposed if client portfolio data surfaces on a dark web marketplace. The leverage is no longer operational disruption. It is reputational damage, regulatory exposure, and legal liability.

The defensive implication is direct. When encryption is the primary weapon, backup resilience is the right countermeasure. When data theft is the primary weapon, the countermeasure shifts entirely. The only approach that holds is one that makes data unreachable before the attack executes, not one that tries to recover it afterward. That means building a defense layer that operates below the attack surface, denies attackers the material they came for, and functions regardless of whether the threat is recognized. Detection is not the foundation of that architecture. Prevention is.

Law enforcement won the battles. The war got harder.

Chainalysis tracked up to 85 active extortion groups by late 2025 [6]. Cyble documented 57 new ransomware groups and 27 new extortion-only groups emerging in 2025, along with over 350 new ransomware strains [7]. The FBI identified at least 67 new variants in the most recent reporting period [2].

This creates a specific problem for detection-dependent defenses. When three or four groups controlled the majority of ransomware operations, threat intelligence teams could track their infrastructure and build detections around their tooling. With 85+ active groups sharing builders, tactics, and affiliates, that model breaks down. The ransomware that hits your organization in H2 2026 may come from a group that did not exist in H1, using brand new tooling.

Several trends have hardened within this fragmented landscape. Groups like LockBit remnants, Qilin, and DragonForce are forming cartels, sharing infrastructure and botnets rather than competing [11]. RaaS platforms now bundle DDoS capabilities to compensate affiliates for declining per-attack earnings [11]. And BYOVD, the technique for disabling endpoint security at the kernel level, has been adopted by at least ten groups as standard commodity tooling [12]. EDR evasion is no longer a sophisticated edge case. It is table stakes.

The sectors getting hit hardest share one thing: they cannot afford the downtime.

The sectors bearing the heaviest burden in H1 2026 share a profile: high-value data, operational sensitivity to downtime, legacy infrastructure they cannot quickly replace, and deep vendor ecosystems they cannot fully control.

Healthcare continues to be disproportionately targeted. Health-ISAC reported a 55% surge in cyber incidents in 2025, with ransomware ranked the top threat by security professionals [13]. The Iran-linked Handala group’s attack on Stryker in March 2026 confirmed that healthcare supply chain attacks now carry geopolitical dimensions alongside criminal ones. Life-critical operations create payment pressure. Legacy systems create attack surface. And over 80% of stolen health records originate not from hospitals, but from their vendors [13].

Manufacturing remains a primary target because OT downtime translates directly to revenue loss. Downed production lines cost measurable dollars per hour, which creates pressure to resolve the incident quickly, even if that means paying. The convergence of IT and OT environments produces targets that are both highly valuable and unable to run much modern security tooling.

Education faces the volume problem acutely. Limited budgets, large user populations, and legacy infrastructure make K-12 districts and universities soft targets. They hold sensitive data on students and families but lack the security maturity to protect it. Attackers have learned to time strikes during academic periods, when the pressure to restore operations is highest and the willingness to pay is at its peak.

Critical infrastructure faces the highest-consequence scenarios. Ransomware that disrupts energy, water, or transportation operations creates public safety risks that amplify pressure to resolve by any means necessary. Regulatory pressure is tightening, with CISA’s mandatory incident reporting and Australia’s 72-hour payment disclosure requirement among recent mandates. The reporting obligations are improving. The operational vulnerability is not.

Falling payments do not mean falling risk.

The dangerous reading of the payment data is this: payments are declining, so the problem is getting better. It misreads the economics entirely.

Payments are declining because more organizations refuse to pay, more have invested in backup resilience, and law enforcement has reduced the capacity of the largest groups [1][6]. These are positive developments. But the attackers have not responded by giving up. They have responded by attacking more targets, targeting smaller organizations with weaker defenses, shifting to data-theft extortion that bypasses backup resilience entirely, and fragmenting into groups that are harder to track and disrupt.

The total cost continues to rise even as per-victim payments fall. IBM’s 2025 data placed the average ransomware breach cost at $5.08 million, encompassing downtime, recovery, legal exposure, and regulatory penalties [9]. Coalition’s 2026 claims data found initial demands surging 47% year over year [14]. The insurance market is the most honest scorecard available: claim frequency rose, and rejection rates now exceed 40% when organizations cannot demonstrate adequate controls [14].

The ransomware ecosystem is restructuring, not retreating. More organizations face ransomware risk than ever before, even if the average payment is lower. Organizations that read declining payments as declining risk are betting the restructured ecosystem will not reach them. Given that ransomware is now present in 88% of SMB breach incidents [5], that is a poor bet.

The architecture the data actually calls for.

The H1 2026 data makes the architectural requirements clear. The ransomware economy has done the work of validating them.

Backup resilience is necessary but no longer sufficient. When encryption was the primary leverage, robust backups were the primary countermeasure. With data-theft extortion now present in 74% of incidents and growing, organizations need data-centric protection. Obfuscation, tokenization, and cloaking make exfiltrated data worthless to the attacker. The backup strategy recovers operations. The data strategy eliminates extortion leverage. 
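As an added illustration of the data-centric approach described above (example code written for this page, not code from the article or from Arms Cyber), here is a minimal tokenization layer: sensitive fields are replaced with random tokens before records reach the operational store, and the only token-to-value mapping lives in a separately protected vault. A stolen copy of the store then carries no customer data, which is exactly the leverage data-theft extortion depends on. The record values, field names, vault key and role names are all constructed for the demo.

```python
# Added example (not code from the article or from Arms Cyber): a minimal
# tokenization layer. Sensitive fields are swapped for random tokens before
# records reach the operational store; the only token-to-value mapping lives
# in a separately protected vault. All values and the key are constructed.
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("ssn", "card_number", "email")

# Constructed sample records standing in for a customer table.
CUSTOMERS = [
    {"id": 1, "name": "A. Rivera", "ssn": "123-45-6789",
     "card_number": "4111111111111111", "email": "a.rivera@example.com"},
    {"id": 2, "name": "B. Chen", "ssn": "987-65-4321",
     "card_number": "5500000000000004", "email": "b.chen@example.com"},
    {"id": 3, "name": "A. Rivera", "ssn": "123-45-6789",
     "card_number": "4111111111111111", "email": "a.rivera@example.com"},
]


class TokenVault:
    """Holds the token <-> value mapping. In a real deployment this lives in a
    separate, more tightly controlled system (own host, own credentials,
    HSM-backed key); it is in-process here only so the example runs alone."""

    def __init__(self, key: bytes, readers: frozenset):
        self._key = key                  # keys the lookup fingerprint only
        self._readers = readers          # roles permitted to detokenize
        self._token_to_value = {}
        self._fp_to_token = {}

    def _fingerprint(self, value: str) -> str:
        # Keyed hash so equal inputs get equal tokens (joins still work)
        # without keeping a plaintext-indexed lookup table.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._fp_to_token.get(fp)
        if token is None:
            # Random token: carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(12)
            self._fp_to_token[fp] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role not in self._readers:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


def tokenize_records(records, vault, fields=SENSITIVE_FIELDS):
    """Return copies of `records` with every field in `fields` replaced by a token."""
    out = []
    for rec in records:
        rec = dict(rec)
        for f in fields:
            if f in rec:
                rec[f] = vault.tokenize(rec[f])
        out.append(rec)
    return out


def exposed_values(store, originals, fields=SENSITIVE_FIELDS):
    """The attacker's view: how many original sensitive values can be found
    anywhere in a dump of the tokenized store? Zero is the goal."""
    dump = " ".join(str(v) for rec in store for v in rec.values())
    secrets_in_play = {rec[f] for rec in originals for f in fields if f in rec}
    return sum(1 for s in secrets_in_play if s in dump)


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key", frozenset({"billing"}))
    store = tokenize_records(CUSTOMERS, vault)
    print("exposed values in store dump:", exposed_values(store, CUSTOMERS))
    print("billing can read:", vault.detokenize(store[0]["ssn"], "billing"))
```

The design choice worth noting is that the operational store and the vault fail independently: an attacker who dumps the store gets tokens that are random with respect to the values they replace, and reaching the values requires a second compromise of a system with its own access controls. Referential integrity is preserved (equal values map to equal tokens), so reporting and joins keep working on the tokenized data.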

Detection-only architectures carry unacceptable residual risk. The fragmented ecosystem means the ransomware that hits your organization may use novel tooling from a new group with no known indicators or TTPs. BYOVD commoditization across 10+ groups means EDR evasion is standard practice, not a sophisticated edge case. Preemptive controls, including moving target defense, deception, and data-level protection, provide the architectural backstop that functions when detection-dependent controls are bypassed.
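To make the deception point concrete, here is an added example (written for this page, not code from the article or from Arms Cyber) of a small canary control: a decoy account and a decoy file are planted where an intruder hunting for data would find them, and since nothing legitimate ever uses them, any touch is a high-confidence alert no matter which group or tooling is involved. The canary names, log format and log lines are constructed.

```python
# Added example (not code from the article or from Arms Cyber): a deception
# control that does not depend on knowing the attacker's tooling. Decoy
# names and the audit log below are constructed for the demo.
import re

# Constructed decoys: an account that exists only in a planted config file,
# and a file that exists only to be read by someone who should not be there.
CANARY_ACCOUNTS = {"svc-backup-legacy"}
CANARY_PATHS = {"/share/finance/Q3_payroll_export.xlsx"}

# Constructed audit log in a simple "timestamp event key=value ..." form.
SAMPLE_LOG = """
2026-03-14T02:11:07Z logon_attempt user=jsmith src=10.20.4.17 result=success
2026-03-14T02:11:09Z file_read user=jsmith src=10.20.4.17 path=/share/finance/Q3_budget.xlsx
2026-03-14T02:13:41Z logon_attempt user=svc-backup-legacy src=10.20.9.201 result=failure
2026-03-14T02:14:02Z file_read user=jsmith src=10.20.9.201 path=/share/finance/Q3_payroll_export.xlsx
2026-03-14T02:15:00Z logon_attempt user=mlee src=10.20.4.30 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Return {"ts", "event", plus key=value fields}, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for pair in m.group("kv").split():
        if "=" in pair:
            k, v = pair.split("=", 1)
            rec[k] = v
    return rec


def canary_alerts(lines):
    """One alert per event that touches a decoy. A failed logon with the
    canary account still counts: the only way to know that name is to have
    read the planted file."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = None
        if rec.get("user") in CANARY_ACCOUNTS:
            reason = "canary_account"
        elif rec["event"] == "file_read" and rec.get("path") in CANARY_PATHS:
            reason = "canary_file"
        if reason:
            alerts.append({
                "ts": rec["ts"],
                "reason": reason,
                "user": rec.get("user"),
                "src": rec.get("src"),
                "severity": "critical",
            })
    return alerts


if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the decoys have no legitimate users, the rule has essentially no false-positive path and needs no indicator feed or signature for the attacker's tooling; it fires on behaviour (reading what was planted) rather than on recognising who is reading it, which is what makes it useful when endpoint detection has already been disabled.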

SMBs need enterprise-grade protection delivered differently. The high-volume, low-margin targeting model means organizations with 50 or 500 employees now face the same adversary techniques previously reserved for Fortune 500 targets. Tools that require a dedicated SOC team to operate are irrelevant to the organizations now at highest risk.

The economics of attack will keep evolving. The ransomware ecosystem optimizes continuously. When one revenue model weakens, it pivots to another. When one target population hardens, it shifts to a softer one. Defensive investments calibrated to today’s attack economics will be misaligned with tomorrow’s. The only durable strategy is architectural resilience: controls that protect data, disrupt attack execution, and limit blast radius regardless of which ransomware variant, group, or extortion model is in play.

Falling payments don’t mean falling risk. They mean the attackers are adjusting their economics. Defenders should be adjusting their architecture.

Brad Potteiger is the Chief Technology Officer at Arms Cyber. He leads the development of the company’s preemptive security platform, with a focus on making critical data invisible to ransomware, AI-driven attacks, and insider threats before they execute. Arms Cyber’s patented Stealth Posture Management platform protects organizations across Windows, Linux, and macOS.


References

[1] Varonis, “Ransomware Statistics, Data, Trends, and Facts [Updated 2026].” https://www.varonis.com/blog/ransomware-statistics

[2] Programs.com, “The Latest Small Business Ransomware Statistics (Mar 2026).” https://programs.com/resources/small-business-ransomware-stats/

[3] Bright Defense, “500+ Ransomware Statistics for 2026.” https://www.brightdefense.com/resources/ransomware-statistics/

[4] Breached.Company, “Ransomware Attacks Soar 30% in 2026: Inside the Unprecedented Surge.” https://breached.company/ransomware-attacks-soar-30-in-2026-inside-the-unprecedented-surge/

[5] TechTarget, “Ransomware Trends, Statistics and Facts in 2026.” https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts

[6] Chainalysis, “Crypto Ransomware: 2026 Crypto Crime Report.” https://www.chainalysis.com/blog/crypto-ransomware-2026/

[7] Cyble, “10 New Ransomware Groups of 2025 — And What to Expect Next in 2026.” https://cyble.com/knowledge-hub/10-new-ransomware-groups-of-2025-threat-trend-2026/

[8] Panda Security, “45 Ransomware Statistics Vital for Security in 2026.” https://www.pandasecurity.com/en/mediacenter/ransomware-statistics/

[9] DeepStrike, “Ransomware Statistics 2026 Planning Global Threat Data.” https://deepstrike.io/blog/ransomware-statistics-2025

[10] Heimdal Security, “Trends & Predictions from the Latest Ransomware Statistics 2026.” https://heimdalsecurity.com/blog/ransomware-statistics/

[11] Huntress, “8 Ransomware Trends to Watch for in 2026.” https://www.huntress.com/ransomware-guide/ransomware-trends

[12] Recorded Future, “New Ransomware Tactics to Watch Out for in 2026.” https://www.recordedfuture.com/blog/ransomware-tactics-2026

[13] Industrial Cyber, “Health-ISAC Reports 55% Surge in Cyber Incidents in 2025,” February 2026. https://industrialcyber.co/reports/health-isac-reports-55-surge-in-cyber-incidents-in-2025-as-attacks-rise-and-escalation-looms-in-2026/

[14] Picus Security, “BAS for Cyber Insurance: Prove Control Effectiveness and Lower Premiums,” March 2026. https://www.picussecurity.com/resource/blog/bas-for-cyber-insurance-prove-control-effectiveness-and-lower-premiums