The Numbers Tell a Contradictory Story
If you follow only the payment headlines, ransomware appears to be in retreat. Global ransom payments dropped 35 percent year-over-year to USD 813.55 million in 2024, down from a record USD 1.25 billion in 2023, according to Chainalysis. By the fourth quarter of 2024, 75 percent of victims refused to pay — up from 41 percent in 2023 (Coveware). Law enforcement operations disrupted the two largest groups. Public sentiment has shifted against payment.
That narrative is dangerously incomplete.
Look closer, and the picture inverts.
The average ransom payment climbed 33 percent to USD 2 million. NCC Group tracked 5,263 total ransomware attacks in 2024, the highest figure ever recorded. OT and ICS environments saw 1,693 attacks, an 87 percent year-over-year surge (Dragos). Enterprise encryption rates fell to 49 percent — the lowest in five years (Sophos) — not because defences improved, but because attackers found they no longer need to encrypt anything to extort a payout. Data exfiltration now accompanies 96 percent of ransomware incidents (Arctic Wolf).
| Indicator | 2023 | 2024 | Trend |
|---|---|---|---|
| Global ransom payments | USD 1.25B | USD 813.55M | -35% |
| Average payment | USD 1.5M | USD 2M | +33% |
| Total tracked attacks | ~4,500 | 5,263 | +17% (record) |
| Victim refusal rate (Q4) | 41% | 75% | +83% |
| Enterprise encryption rate | 76% | 49% | -36% |
| Data exfiltration prevalence | ~80% | 96% | Near-universal |
The paradox resolves itself once you understand the shift. Payments fell because more organisations refuse to pay. Volume and sophistication increased because the economics still work. Fewer payouts at higher amounts, distributed across a broader victim base, sustain the ecosystem. The groups that survive are the ones that adapted — and adaptation, in this context, means moving beyond encryption entirely.
The Multi-Extortion Evolution
The traditional ransomware playbook — encrypt, demand, decrypt — is now the minority case. Attackers have spent the past three years layering additional pressure mechanisms into a tiered extortion model that targets not just systems but organisations, reputations, and stakeholder relationships. Understanding these layers is essential for building defences that match the actual threat.
Double Extortion
Encrypt data and exfiltrate it simultaneously. If the victim restores from backups, threaten public release. This tactic appeared in 96 percent of incidents in 2024, with a 30 percent year-over-year increase in double-extortion operations (Secureworks CTU). It is no longer an advanced technique. It is the baseline. Organisations that invested exclusively in backup infrastructure now find that restoring systems does not prevent the release of sensitive data — customer records, intellectual property, internal communications — on dark web leak sites.
Triple Extortion
Add distributed denial-of-service attacks against victim infrastructure and direct harassment of stakeholders — customers, business partners, media outlets, and board members. Attackers contact these parties directly, informing them that their data has been compromised and naming the victim organisation as the responsible party. Regulatory bodies may be tipped off. Journalists receive curated data samples.
The goal is to create consequences that extend beyond the security team's ability to contain. When a CISO is managing incident response and simultaneously fielding calls from customers who received threatening emails from the attacker, the pressure to pay becomes organisational rather than technical.
Quadruple Extortion
An emerging layer that weaponises AI-generated deepfakes and disinformation campaigns. Threat actors fabricate audio or video of executives making damaging statements, manufacture false regulatory filings suggesting financial distress, or create synthetic media designed to erode customer and investor confidence. Some groups have threatened to release fabricated compromising material alongside legitimate stolen data, making it impossible for victims to credibly deny any individual item. This is still early-stage but accelerating rapidly as generative AI tools become more accessible and more convincing.
Encryption-Less Extortion
Perhaps the most significant shift: 25 new ransomware families in 2024 operate without encrypting anything. They steal data and threaten release, bypassing every encryption-focused defence in the stack. The enterprise encryption rate dropping to 49 percent reflects this trend. Groups like BianLian and RansomHouse have pioneered the model, demonstrating that data theft alone generates sufficient leverage for payment.
This matters strategically because it invalidates the assumption that anti-ransomware defences should focus on detecting and preventing encryption. Data loss prevention, network monitoring, and egress controls become critical when the primary threat is exfiltration, not encryption. Organisations that built their incident response plans around restoring from backups need to account for a scenario where nothing was encrypted but everything was stolen.
OT/ICS Under Fire
The operational technology threat landscape deteriorated dramatically in 2024. Dragos documented a surge that should concern every organisation with industrial control systems.
| Metric | 2024 Value | Year-over-Year Change |
|---|---|---|
| Total OT/ICS ransomware attacks | 1,693 | +87% |
| RaaS groups actively targeting OT | Growing | +60% |
| Incidents causing partial OT shutdown | 75% of cases | Consistent |
| Incidents causing full OT shutdown | 25% of cases | Consistent |
| OT environments with insecure remote access | 65% | Persistent |
Three developments stand out.
FrostyGoop. This malware targets Modbus TCP on port 502 — a protocol foundational to industrial automation that was designed in 1979 with no built-in authentication or encryption. In a documented campaign during January 2024, FrostyGoop disrupted heating systems for over 600 buildings in Lviv, Ukraine, during sub-zero temperatures. The malware sent crafted Modbus commands directly to ENCO controllers, causing them to report inaccurate readings and disrupting the heating infrastructure. It demonstrated that attackers can manipulate physical processes through protocol-level exploitation, not just through the IT-OT boundary — and that the consequences extend to public safety.
The PARASITE threat cluster. Tracked by Dragos, this group exploits CVE-2023-48788 (a SQL injection vulnerability in Fortinet FortiClient EMS) to gain initial access to networks containing US ICS and OT systems. Unlike opportunistic ransomware operators who scan broadly and exploit what they find, PARASITE demonstrates sustained, intelligence-driven targeting of specific industrial sectors. The group maintains persistent access to compromised environments over extended periods before executing their objectives.
Insecure remote access. Dragos found that 65 percent of OT environments had insecure remote access configurations — a statistic that has remained stubbornly persistent year after year. Remote access is the primary initial access vector for OT-targeting ransomware, and most organisations have not adequately segmented or monitored these pathways. The problem is partly structural: OT environments were designed for availability and safety, not for the adversarial threat model they now face. Retrofitting security onto decades-old control systems is technically complex and operationally risky, which is why progress has been slow.
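The protocol weakness that FrostyGoop exploited (Modbus TCP on port 502 with no sender authentication) is one a passive monitor can compensate for. The following is an added example, not code from this article or from Dragos: it decodes captured Modbus/TCP requests and alerts on write function codes from hosts outside an engineering allowlist, on reads from unknown hosts, and on malformed frames. The host addresses, allowlists and sample frames are constructed assumptions.

```python
"""Passive Modbus/TCP monitor: decode requests captured on port 502 and flag
state-changing (write) function codes from hosts that are not authorised
engineering stations. All addresses and frames below are constructed samples."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}
# Function codes that change controller state; the protocol never checks who sent them.
WRITE_FUNCTIONS = frozenset({0x05, 0x06, 0x0F, 0x10, 0x16, 0x17})

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # TCP payload of a single Modbus request

@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode the MBAP header and function code, rejecting frames that do not fit the spec."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match payload ({len(payload) - 6})")
    return ModbusFrame(tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])

def inspect_flow(flow: Flow, known_hosts: frozenset, write_hosts: frozenset) -> list:
    """Return alert lines for one request; an empty list means nothing to report."""
    if flow.dst_port != MODBUS_TCP_PORT:
        return []
    try:
        frame = parse_modbus_tcp(flow.payload)
    except ValueError as exc:
        return [f"HIGH {flow.src_ip}: malformed Modbus/TCP frame ({exc})"]
    name = FUNCTION_NAMES.get(frame.function, f"function 0x{frame.function:02x}")
    if frame.function in WRITE_FUNCTIONS and flow.src_ip not in write_hosts:
        return [f"HIGH {flow.src_ip}: {name} to unit {frame.unit_id} from host not authorised to write"]
    if flow.src_ip not in known_hosts:
        return [f"LOW {flow.src_ip}: {name} to unit {frame.unit_id} from unknown host"]
    return []

# Constructed sample traffic: an engineering station, a SCADA poller and an unknown host.
KNOWN_HOSTS = frozenset({"10.20.0.5", "10.20.0.10"})
WRITE_HOSTS = frozenset({"10.20.0.5"})
SAMPLE_FLOWS = [
    # Engineering station: Write Single Register (0x06), register 16 := 100. Permitted.
    Flow("10.20.0.5", 502, bytes.fromhex("0001 0000 0006 01 06 0010 0064")),
    # SCADA poller: Read Holding Registers (0x03), 10 registers from 0. Permitted.
    Flow("10.20.0.10", 502, bytes.fromhex("0002 0000 0006 01 03 0000 000A")),
    # Unknown host: Write Multiple Registers (0x10). Should raise a HIGH alert.
    Flow("10.20.0.77", 502, bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0000 0000")),
    # Unknown host: Read Coils (0x01). Reconnaissance-style read, LOW alert.
    Flow("10.20.0.77", 502, bytes.fromhex("0004 0000 0006 01 01 0000 0008")),
    # Protocol id 1 instead of 0: malformed frame, HIGH alert.
    Flow("10.20.0.77", 502, bytes.fromhex("0005 0001 0006 01 06 0010 0064")),
]

def run_monitor(flows=SAMPLE_FLOWS, known_hosts=KNOWN_HOSTS, write_hosts=WRITE_HOSTS) -> list:
    # Run every captured request through the policy and collect the alerts.
    alerts = []
    for flow in flows:
        alerts.extend(inspect_flow(flow, known_hosts, write_hosts))
    return alerts
```

Run over the constructed sample, the monitor stays silent for the two permitted requests and raises three alerts for the unknown host. In a real deployment the flows would come from a SPAN port or a tap on the IT-OT boundary, and the allowlists from the asset inventory.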
The convergence of IT and OT networks means that a ransomware intrusion beginning in a corporate email system can propagate to industrial control systems within hours. Three-quarters of OT ransomware incidents result in at least partial operational shutdown, with direct consequences for physical safety and service continuity.
The regulatory response is building. NIS2 in the EU and CIRCIA in the United States both impose incident reporting obligations on critical infrastructure operators. Organisations running OT environments that fall within scope — energy, water, transport, manufacturing — face not only the operational impact of an attack but also regulatory scrutiny of their preparedness and response. The 87 percent surge in OT attacks is occurring against a backdrop of tightening compliance expectations, compounding the pressure on already under-resourced industrial security teams.
The AI Factor
Artificial intelligence is reshaping the ransomware threat on both sides of the equation, but attackers are currently moving faster.
ESET reported the first confirmed AI-powered ransomware strain discovered in 2024 — malware capable of adapting its behaviour in real time based on the target environment. By the first quarter of 2025, deepfake incidents reached 179 — already surpassing the total for all of 2024. The trend line is steep and shows no sign of flattening.
The convergence of AI and ransomware is occurring across three dimensions: social engineering, operational automation, and evasion.
Social engineering at scale. The real-world impact is already substantial. Engineering firm Arup lost USD 25.6 million after an employee was deceived by a deepfake video conference call that impersonated multiple senior executives simultaneously. The employee saw what appeared to be familiar faces and voices on a live video call — all synthetic. Ferrari and WPP were both targeted with AI-generated voice-clone attacks impersonating their CEOs. Both organisations detected and stopped the attempts, but the sophistication was notable: the Ferrari attack used a cloned voice that replicated speech patterns, accent, and conversational style with high fidelity.
Operational automation. AI is compressing the timeline from initial access to impact. Automated reconnaissance tools map network topologies, identify high-value data stores, and select exfiltration pathways without human intervention. This reduces dwell time — the window in which defenders can detect and contain an intrusion before damage occurs.
According to CrowdStrike, 87 percent of security professionals report that AI has made phishing attacks more convincing and harder to detect. Forty-eight percent cite AI-automated attack chains — from initial reconnaissance through lateral movement to data exfiltration — as their greatest emerging threat.
Nation-state actors are accelerating this trend. North Korean, Iranian, and PRC-affiliated groups are using generative AI for phishing content generation, command-and-control infrastructure development, and automated data exfiltration tooling. The democratisation of these capabilities means that techniques previously reserved for state-sponsored operations are filtering into the broader criminal ecosystem.
The defensive implication is that traditional phishing awareness training — built around identifying poor grammar, suspicious sender addresses, and generic templates — is losing effectiveness. AI-generated phishing is contextually appropriate, grammatically perfect, and increasingly personalised. Detection must shift toward technical controls: email authentication (DMARC, DKIM, SPF), URL sandboxing, and behavioural analysis of user actions post-click.
The RaaS Ecosystem Fragmentation
The ransomware-as-a-service ecosystem underwent a structural transformation in 2024, driven by two concurrent forces: effective law enforcement operations and internal trust collapse among criminal operators. The result is not the decline that many headlines suggest but a fragmentation that creates different — and in some ways more challenging — defensive problems.
Operation Cronos disrupted LockBit in February 2024. The operation, coordinated by the UK National Crime Agency and international partners, seized 34 servers, closed 14,000 accounts, and recovered over 1,000 decryption keys. The NCA also deployed a psychological operation: using LockBit's own leak site to publish countdown timers revealing the identity of the group's administrator. LockBit returned within five days — but the damage was real. The group's market share dropped to approximately 10 percent, and affiliate trust never fully recovered.
BlackCat/ALPHV imploded from within. After collecting a USD 22 million ransom from Change Healthcare — an attack that disrupted pharmacy operations across the United States for weeks — the operators executed an exit scam. They disappeared with the payment and left affiliates unpaid. The incident sent shockwaves through the RaaS ecosystem, demonstrating that even the most prominent operators cannot be trusted by their own partners.
The result is fragmentation, not reduction. NCC Group documented 56 new ransomware leak sites in 2024 — each representing a group or operation seeking to attract displaced affiliates. The most successful successors include RansomHub, Play, Akira, and Qilin. These groups operate with lower profiles, smaller target sets, and faster operational tempos. Several have adopted novel affiliate models: higher revenue shares, fewer operational restrictions, and faster payout cycles designed to attract talent away from the collapsing incumbents.
This fragmentation makes the threat harder to track and harder to disrupt. Instead of a few dominant groups with known infrastructure and TTPs, defenders now face a dispersed ecosystem of operators with varying capabilities, motivations, and targeting criteria.
For threat intelligence teams, the operational consequence is significant. Indicator-of-compromise-based detection — watching for known LockBit or BlackCat infrastructure — covers a shrinking portion of the threat landscape. Behavioural detection of ransomware TTPs (credential harvesting, lateral movement patterns, staging behaviours) becomes more valuable than signature-based approaches as the operator population diversifies.
SMBs: The Primary Targets
The ransomware threat is disproportionately concentrated on small and mid-sized businesses. Eighty-five percent of ransomware targets are SMBs, with 55 percent of attacks targeting organisations with fewer than 100 employees.
The financial impact is severe relative to organisational capacity. The median ransom demand in Q4 2024 was USD 110,000 — a figure calibrated to be payable for small businesses. But ransom is the smallest component of the total cost.
According to Sophos, the average recovery cost — excluding any ransom payment — reached USD 1.53 million. This includes forensic investigation, system rebuilding, legal fees, regulatory notification costs, and business interruption losses. For a company with 50 employees, that figure can represent an existential threat. Sixty percent of SMBs that suffer a ransomware attack close within six months.
One tactic illustrates the sophistication of current targeting. The Interlock group has been observed stealing cyber insurance policies from victim networks before issuing ransom demands. They benchmark their demands against the victim's coverage limits, ensuring the requested amount falls within what insurance will cover — removing the financial argument against payment.
SMBs face a structural disadvantage. They lack dedicated security operations centres, have limited backup infrastructure, and often depend on a small number of IT staff who manage security alongside every other technology function. The RaaS model was specifically designed to exploit this gap — low-skill affiliates using turnkey tools can compromise organisations with minimal security maturity at scale.
The insurance dynamic adds another layer of complexity. As insurers tighten underwriting requirements — mandating MFA, EDR, and backup verification as preconditions for coverage — SMBs without these controls face both higher premiums and reduced coverage. Some are denied coverage entirely. This creates a compounding vulnerability: the organisations least able to absorb an attack are also the least likely to have the insurance safety net that could help them survive one. The Interlock tactic of stealing insurance policies further weaponises this dynamic, turning a victim's own risk transfer mechanism into an intelligence source for the attacker.
The Payment Paradox
Paying the ransom does not resolve the problem. It frequently makes it worse.
According to CrowdStrike, 83 percent of organisations that paid a ransom were subsequently attacked again — often by the same group or its affiliates. The payment signals both willingness and ability to pay, marking the victim for future targeting. Ninety-three percent of organisations that paid still lost data — either because decryption tools were incomplete, data was corrupted, or exfiltrated copies were retained by the attackers regardless.
Recovery timelines remain punishing regardless of the payment decision. Fewer than 25 percent of organisations restore operations within 24 hours of a ransomware event. The median recovery time stretches into weeks, during which the organisation suffers revenue loss, reputational damage, and regulatory exposure. Payment does not meaningfully accelerate this timeline — decryption tools provided by attackers are frequently slow, incomplete, or corrupt data during the recovery process.
The regulatory environment is hardening around payment on both sides of the Atlantic. The FBI and CISA do not recommend ransom payment. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires critical infrastructure operators to report ransom payments to CISA within 24 hours of making them. The Office of Foreign Assets Control (OFAC) has made clear that payments with a nexus to sanctioned entities — including state-sponsored ransomware groups — carry strict civil liability risk regardless of intent.
In Europe, NIS2 imposes incident reporting obligations on essential and important entities, and national implementations are increasingly scrutinising whether organisations had adequate preventive measures in place. The direction of travel is clear: regulators are moving toward a framework where paying a ransom is not only discouraged but may carry direct legal and financial consequences.
The calculus is shifting. Paying is expensive, unreliable, legally risky, and marks you for re-targeting. Organisations that invest in resilience — the ability to recover without paying — are measurably better positioned than those that treat ransom payment as a viable business continuity option. The data is unambiguous: payment does not guarantee data recovery, does not prevent future attacks, and increasingly carries legal and regulatory risk.
The only sustainable strategy is one that makes payment unnecessary.
What Actually Works
The threat landscape described above is complex, multi-vector, and accelerating. But the defensive measures with the strongest evidence base are well-established. The problem is not a lack of available solutions. It is inconsistent implementation, under-investment in foundational controls, and a persistent gap between knowing what works and actually deploying it at scale.
Multi-factor authentication. Microsoft's data shows that MFA prevents 99.9 percent of account-based compromise attacks. Given that compromised credentials remain a primary initial access vector for ransomware, MFA is the single highest-impact control most organisations can deploy. It must cover all remote access pathways, privileged accounts, and cloud services — not just email. Phishing-resistant MFA (FIDO2 hardware keys or passkeys) is strongly preferred over SMS or app-based codes, which are vulnerable to SIM-swapping and real-time phishing proxies.
Immutable backups. The 3-2-1-1 rule — three copies, two media types, one offsite, one immutable — eliminates the backup-targeting tactic that makes ransomware effective. Write-Once, Read-Many (WORM) storage ensures that backup integrity is maintained even if attackers achieve administrative access. Organisations with verified immutable backups reduce their recovery decision from "pay or lose everything" to "restore and investigate." Critically, backup restoration must be tested regularly. An untested backup is an assumption, not a control.
Endpoint detection and response. Real-time behavioural analysis catches ransomware activity during the dwell time before encryption or exfiltration begins. Modern EDR platforms detect the lateral movement, privilege escalation, and staging behaviours that precede the final payload, providing a window for containment. With encryption-less extortion on the rise, EDR's ability to detect data staging and anomalous egress traffic becomes even more valuable than its encryption-detection capabilities.
Network segmentation. Flat networks allow ransomware to propagate from a single compromised endpoint to every reachable system within minutes. Segmentation limits lateral movement and is essential for protecting OT environments from IT-originated intrusions. Microsegmentation of critical assets creates containment boundaries that buy time for detection and response. For organisations with OT environments, the IT-OT boundary must be treated as a hard segmentation point with monitored, controlled crossing points — not a logical distinction on a shared network.
Incident response planning and testing. A plan that has never been tested is not a plan. Tabletop exercises that simulate multi-extortion scenarios — data theft, DDoS, stakeholder harassment — reveal gaps that are invisible on paper. Organisations should test recovery procedures quarterly, validate backup restoration times, and ensure that legal, communications, and executive teams understand their roles before an incident occurs.
Combined implementation. No single control is sufficient against a multi-vector threat. Organisations that deploy MFA, immutable backups, EDR, network segmentation, and tested incident response plans together recover from ransomware incidents in days rather than weeks. The layered approach addresses each phase of the attack chain:
| Attack Phase | Primary Defensive Control |
|---|---|
| Initial access (credentials, phishing) | MFA, email authentication, awareness |
| Lateral movement | Network segmentation, EDR |
| Privilege escalation | EDR, PAM, least-privilege enforcement |
| Data staging and exfiltration | DLP, egress monitoring, EDR |
| Encryption or destruction | Immutable backups, EDR |
| Extortion and pressure | Incident response plan, communications plan |
| Recovery | Tested backups, documented procedures |
The gap is not knowledge. It is implementation. The controls are well-documented, widely available, and proven effective. The challenge is prioritising their deployment before an incident forces the decision.
Ransomware in 2026 is not a single threat. It is an ecosystem of financially motivated operators using encryption, exfiltration, harassment, AI-generated deception, and physical disruption in combination. Defending against it requires the same breadth — technical controls, operational resilience, incident preparedness, and organisational commitment deployed together and tested regularly. The organisations that treat ransomware as a narrow technical problem will continue to find themselves unprepared for what it has become.
Ransomware is no longer primarily about encryption. It is about leverage.
Every defensive investment should be evaluated against that reality. The question is not whether your organisation can prevent encryption. It is whether your organisation can withstand a coordinated campaign of data theft, operational disruption, stakeholder harassment, and reputational damage — and recover without paying.
Methodology Note
The data cited in this article is drawn from publicly available threat intelligence reports published between January 2024 and February 2026.
Where reports cover different time periods or use different methodologies, we have noted the source to allow independent verification.
Attack volume figures may vary between sources due to differences in collection methodology, scope, and reporting criteria. NCC Group figures are based on leak site monitoring and do not capture attacks where data was not publicly listed.
Payment figures from Chainalysis track on-chain cryptocurrency flows and may not capture all ransom payments, particularly those made through non-cryptocurrency channels or private negotiations.
Sources
Primary Threat Intelligence Reports
- Chainalysis — 2025 Crypto Crime Report (ransomware payment data)
- CrowdStrike — 2025 Global Threat Report (AI threats, re-targeting statistics)
- Dragos — 2024 and 2025 OT Cybersecurity Year in Review (OT/ICS attack data, FrostyGoop, PARASITE)
- Sophos — State of Ransomware 2025 (encryption rates, recovery costs)
- Verizon — Data Breach Investigations Report (attack vector analysis)
- NCC Group — Annual Threat Monitor 2024 (total attack volume, leak sites)
- Mandiant — M-Trends 2025 (dwell time, attacker behaviour)
- IBM — X-Force Threat Intelligence Index (initial access vectors)
- Arctic Wolf — 2025 Threat Report (data exfiltration prevalence)
- Secureworks CTU — Annual Threat Report (double extortion trends)
Law Enforcement and Government
- Europol — Internet Organised Crime Threat Assessment 2024 (RaaS ecosystem)
- FBI IC3 — Internet Crime Report (payment guidance)
- CISA — StopRansomware advisories (defensive guidance, CIRCIA reporting)
- UK National Crime Agency — Operation Cronos (LockBit disruption)
AI and Deepfake Intelligence
- ESET — AI-powered ransomware discovery
- CrowdStrike — Ransomware survey (AI perception data)
Payment and Recovery Data
- Coveware (now Veeam) — Quarterly Ransomware Reports (payment refusal rates, median demands)
- Chainalysis — Blockchain analysis (payment volumes and trends)
Defensive Controls
- Microsoft — Digital Defense Report (MFA effectiveness)
- Veeam — Data Protection Trends Report (backup strategies)
- Vectra AI — Network detection and response research