Ransomware Statistics, Payment Trends, and Attack Data

Ransomware remains the single most disruptive category of cyberattack for most organisations, not because it is the most technically sophisticated threat, but because it directly halts operations. According to Verizon’s 2026 Data Breach Investigations Report, ransomware was involved in 48 percent of all confirmed breaches analysed this year, up from 44 percent the year before and the highest figure in the eighteen-year history of the report.

This page tracks how ransomware actually works, how the economics of attacks are shifting, and what the current data shows about which sectors are targeted most and how organisations are responding.

Double Extortion Is the Dominant Ransomware Model

Double extortion is now the standard ransomware playbook. Rather than simply encrypting files and demanding payment for a decryption key, attackers first exfiltrate sensitive data, then encrypt the victim’s systems. The ransom demand covers two separate threats: pay to get a decryption key, and pay again to prevent the stolen data from being published on a dedicated leak site.

This shift matters because it defeats the most common ransomware defence: reliable backups. A victim with clean, tested backups can restore encrypted systems without paying, but that does nothing to stop the attacker from leaking data they already stole before encrypting anything. Some groups have progressed to triple extortion, adding a third pressure point such as a DDoS attack or direct outreach to the victim’s customers.

What the 2026 data shows: Verizon’s 2026 DBIR reports a median ransom payment of $139,875, continuing a downward trend from roughly $150,000 the year prior. Sophos, surveying only organisations that experienced an attack, found a mean payment of $1 million in 2025, down 50% from $2 million in 2024. 69% of victims did not pay, up from 65% the year before.

Source: Verizon 2026 Data Breach Investigations Report; Sophos State of Ransomware 2025; IBM Cost of a Data Breach Report 2025.

How Ransomware Gets In and How to Respond

Ransomware-as-a-service (RaaS) is the operating model behind most of today’s attack volume. Ransomware developers build and maintain the encryption toolkit, then lease it to affiliates who handle the actual intrusion in exchange for a cut of any ransom collected. This division of labour is a major reason attack volume has scaled well beyond what any single group could execute directly.

If your organisation is hit, the immediate priorities are: isolate affected systems to stop lateral encryption spread; engage incident response support and notify cyber insurance carriers; determine whether data exfiltration occurred alongside encryption; restore from clean, verified backups where recovery time objectives allow; and report the incident. Most authorities, including the FBI, advise against paying, since payment does not guarantee full data recovery and can mark an organisation as a repeat target.

Ransomware and the SaaS supply chain increasingly intersect: several 2025-2026 SaaS breaches documented on our SaaS Risk research page led directly to ransomware deployment once attackers established access through a compromised integration.

Ransomware is malicious software that encrypts a victim's files or systems, then demands payment for a decryption key. Modern ransomware typically also steals data before encrypting it (double extortion), so the attacker can threaten to publish stolen information even if the victim restores from backup rather than paying.

Double extortion is a technique where attackers exfiltrate sensitive data before encrypting a victim's systems, then threaten to publish the stolen data separately from the ransom demand for a decryption key. It defeats backup-only defences since restoring encrypted files does not prevent a data leak.

Verizon's 2026 DBIR reports a median payment of $139,875. Sophos, surveying organisations that experienced attacks, found a mean payment of $1 million in 2025, down 50% from $2 million in 2024. Average total incident cost including downtime and recovery is $5.08 million per IBM's research.

Manufacturing is the most targeted sector by volume. Healthcare, education, and government are consistently named among the most frequently targeted sectors, and healthcare carries the highest average breach cost of any sector.

Most authorities, including the FBI, advise against paying. Payment does not guarantee full data recovery — prior research found roughly 84% of organisations that paid still failed to recover all their data. Verizon's 2026 data shows a growing share of victims (69%) are choosing not to pay.