Ransomware Statistics 2026
Last updated: April 12, 2026
Ransomware is now present in 44% of all data breaches — and 2025 was the worst year on record for attack volume. Over 7,500 organizations appeared on dark web leak sites, a 58% jump from 2024, while the total financial damage from ransomware globally reached an estimated $57 billion annually. If you need current data to build a security business case, brief leadership, or understand what the threat landscape actually looks like in 2026, this page aggregates and contextualizes the most authoritative figures available.
Sources used: FBI IC3 2024 Annual Report, Verizon 2025 Data Breach Investigations Report (DBIR), IBM Cost of a Data Breach Report 2025, Sophos State of Ransomware 2025, Chainalysis Crypto Crime Report 2025, Check Point Research Q3 2025, GuidePoint Security, Cybersecurity Ventures, and Comparitech Healthcare Ransomware Roundup 2025.
Quick-Reference: Key Ransomware Numbers for 2026
| Metric | Figure | Source |
|---|---|---|
| Share of breaches involving ransomware | 44% | Verizon DBIR 2025 |
| Increase in claimed victims, 2024→2025 | +58% | GuidePoint Security |
| Unique organizations on leak sites (2025) | 7,500+ | GuidePoint Security |
| Average total breach cost (ransomware) | $5.08M | IBM 2025 |
| Average recovery cost (excl. ransom) | $1.53M | Sophos 2025 |
| Median ransom demand | $1.32M | Sophos 2025 |
| Organizations refusing to pay | 64% | Verizon DBIR 2025 |
| Crypto ransom payments tracked (2024) | $813M | Chainalysis |
| Annual global ransomware damage cost | $57B | Cybersecurity Ventures 2025 |
| Active ransomware groups (2025) | 124 | GuidePoint Security |
| Time from intrusion to deployment | ~5 days (median) | Sophos 2025 |
Ransomware Attack Volume: How Bad Was 2025?
The simplest way to describe 2025: attackers got faster, louder, and more fragmented. GuidePoint Security tracked more than 7,500 unique victim organizations listed on dark web leak sites in 2025, up from roughly 4,750 in 2024 — a 58% increase year-over-year. Monthly victim volumes averaged approximately 535 per month in Q2 and Q3 2025, compared to around 420 per month in the same period of 2024, according to Check Point Research.
That climb is not purely organic. Law enforcement dismantled several major ransomware-as-a-service (RaaS) operations in 2024 — LockBit, ALPHV/BlackCat — and rather than reducing overall attack volume, the disruptions caused the ecosystem to splinter. GuidePoint counted 124 active ransomware groups in 2025, a 46% increase from the prior year. Most of the new entrants are smaller affiliates from disbanded groups, now operating independently or under new brands.
The FBI‘s Internet Crime Complaint Center (IC3) reported 3,156 ransomware complaints in 2024, a 9% increase over 2023’s 2,825 — and that figure significantly undercounts reality, as the FBI itself acknowledges that many victims never report to IC3, and some report directly to field offices. According to a Homeland Security Threat Assessment, over 5,600 ransomware attacks were publicly disclosed worldwide in 2024, with more than 2,600 US-based victims.
For the broader cybercrime context, the FBI’s 2024 Internet Crime Report recorded $16.6 billion in total cybercrime losses — a 33% increase over 2023 — across 859,532 complaints. Ransomware was called “the most pervasive threat to critical infrastructure” despite fraud generating the larger raw dollar figures.
The Real Cost of a Ransomware Attack
The ransom payment itself is usually the smallest part of the bill.
IBM’s 2025 Cost of a Data Breach Report put the average total cost of a ransomware breach at $5.08 million per incident — making it the single most expensive initial attack vector tracked. That figure includes remediation, downtime, legal exposure, regulatory fines, and business interruption, but excludes the ransom payment itself in many calculations.
Sophos’s State of Ransomware 2025 report gives a more granular breakdown:
- Average recovery cost (excluding ransom): $1.53 million globally — down 44% from the $2.73 million average in 2024, suggesting that backup and recovery strategies are improving
- Median ransom demand: $1.32 million
- Average ransom payment: approximately $1 million — a 50% decline from the $2 million average in 2024
That decline in payment amounts is real, but it needs context. Victims are negotiating more aggressively — actual payments run roughly 8.7% of initial demands, according to data from Coveware. The median payment in practice is around $110,000–$115,000 (Verizon DBIR 2025, Coveware Q4 2024). But for those who face large, targeted attacks — typically enterprises — demands regularly exceed $10 million.
The largest single ransomware payment on record: $75 million, paid to the Dark Angels group in 2024, documented by Mandiant M-Trends.
What happens if you pay? The outcomes are poor regardless. Halcyon reported that 84% of paying victims in Q4 2024 failed to fully recover their data after paying. That number alone should anchor any board conversation about payment versus resilience investment.
The broader global damage picture is staggering. Cybersecurity Ventures estimates global ransomware damage costs at $57 billion annually in 2025, translating to $156 million per day, $6.5 million per hour, and approximately $2,400 per second. The firm projects costs will reach $275 billion annually by 2031.
Ransom Payment Trends: The Refusal Rate Is Rising
The most significant behavioral shift in the ransomware economy over the past two years is that more organizations are refusing to pay.
Verizon’s 2025 DBIR found that 64% of ransomware victims refused to pay, up from 59% the prior year. Chainalysis tracked $813 million in total blockchain-traced ransom payments in 2024 — a 35% decline from 2023, despite attack volumes being higher. The payment rate is estimated at around 28% of victims in 2025, a record low.
The FBI has contributed to this shift. Since 2022, the agency provided thousands of decryption keys to ransomware victims through IC3 and partner programs, helping organizations avoid over $800 million in ransom payments. Operation Level Up in 2024 specifically targeted cryptocurrency infrastructure used by ransomware groups.
The attackers’ response to falling payment rates has been predictable: increase volume. With fewer victims paying, groups are running more campaigns against a wider pool of targets — particularly mid-sized organizations that have not invested heavily in endpoint detection or offline backups. This is the primary driver behind the 58% victim increase in 2025.
One important caveat: 75% of victims who do pay send the funds within 48 hours of the attack (Halcyon), suggesting that the decision is still being driven by panic and operational pressure rather than careful cost-benefit analysis. Organizations without a tested incident response plan are far more likely to pay — and still not recover their data.
How Ransomware Attacks Start: The Initial Access Data
Understanding how attackers get in is the most actionable part of any ransomware statistics analysis. Sophos State of Ransomware 2025 gives the cleanest breakdown by initial access vector:
- Exploited vulnerabilities: 32% of incidents — the most common technical entry point, up from prior years
- Compromised credentials: 23% of incidents, down from 29% in 2024
- Phishing: 18% of incidents, up from 11% in 2024
The shift in phishing numbers reflects a real change in capability. A 2025 study cited by security researchers found that 80% of ransomware attacks now leverage AI tools in some form — from AI-generated phishing emails to deepfake voice scams used in business email compromise chains that precede ransomware deployment. KnowBe4 data shows 82.6% of phishing emails in 2025 contained AI-generated content, making them significantly harder to detect through standard training.
Attack speed has also increased sharply. The median time from initial intrusion to ransomware execution dropped to approximately 5 days in recent reporting — down from 9 days previously, and a far cry from the 70+ day average dwell times observed between 2022 and 2024. Attackers are compressing the window because faster deployment means less chance of detection before payload execution.
For defenders, this compression matters enormously. Detection-first strategies that relied on catching lateral movement during a multi-week dwell period are increasingly inadequate.
Who’s Attacking: The Most Active Ransomware Groups in 2025–2026
The ransomware group landscape reshuffled dramatically after Operation Cronos took down LockBit’s infrastructure in February 2024 and ALPHV/BlackCat disbanded following the Change Healthcare attack in early 2024.
FBI IC3 top 5 ransomware variants by reported complaints (2024): Akira, LockBit, RansomHub, FOG, and PLAY. The FBI also identified 67 new ransomware variants in 2024, with the most notable new entrants including FOG, Lynx, Cicada 3301, DragonForce, and Frag.
The 2025 ecosystem shift:
Qilin became the most prolific group in 2025, expanding its victim count by 578% year-over-year to 1,044 victims on its leak site — more attacks in 2025 than LockBit conducted at its absolute peak. Qilin disproportionately targets healthcare and absorbs affiliates from disrupted groups, making it the primary threat to watch in 2026.
RansomHub dominated through early 2025 before its infrastructure went offline in April — apparently in a hostile takeover by DragonForce. At its peak, RansomHub was behind 24% of disclosed attacks and around 11% of undisclosed attacks, having recruited heavily from former LockBit and ALPHV affiliates.
DragonForce tripled its monthly victim count after RansomHub’s collapse and appears to be operating a franchise-style RaaS model where affiliates can launch their own branded ransomware under the DragonForce Cartel umbrella.
LockBit, despite Operation Cronos and a May 2025 infrastructure breach, released LockBit 4.0 and then LockBit 5.0 in September 2025. The group’s core administrator (LockBitSupp) was never apprehended. LockBit added 106 new victims to its leak site in December 2025 alone and remains a significant threat in 2026.
Sinobi, a newer group that emerged mid-2025, added 149 victims in Q4 2025 — a pace consistent with an established RaaS operation rather than a new actor, suggesting it may be a rebrand of a known group.
The broader trend: law enforcement takedowns reduce specific group volume temporarily but do not reduce total attack volume. They fragment the ecosystem, create new brands, and accelerate affiliate recruitment at surviving platforms.
Which Industries Are Hit Hardest
No sector is immune, but attack targeting is not random. Groups select victims based on perceived ability to pay, sensitivity of data, and operational dependency on uptime.
Healthcare is the most expensive sector for breaches, averaging $7.42 million per breach in 2025 (IBM), down from $9.77 million in 2024. It is also persistently targeted by volume. Comparitech documented 445 ransomware attacks on healthcare providers in 2025 — essentially flat versus 437 in 2024 — while attacks on healthcare businesses (pharmaceutical manufacturers, medical billing companies, health tech) increased 25% to 191 incidents. Qilin claimed more healthcare victims than any other group.
Manufacturing consistently ranks first or second across attack volume datasets. Manufacturing topped North American attack counts with 386 attacks in one Group-IB tracking period. The sector’s reliance on operational technology (OT) and just-in-time production creates maximum pressure to pay quickly.
Government and public sector saw a 65% increase in ransomware incidents in the first half of 2025 year-over-year, with 208 attacks on government bodies. Between 2018 and 2024, 525 ransomware campaigns targeted US government bodies, resulting in more than $1 billion in downtime losses alone.
Education remains a high-value, low-defense target. 66% of K-12 districts have no specialist cybersecurity personnel. The education sector’s average breach cost reached $3.80 million in 2025 (IBM).
Small and mid-sized businesses are not a secondary concern — they’re a primary target. Verizon’s 2025 DBIR found that ransomware was involved in 88% of breaches at small and mid-sized businesses, compared to 39% at large enterprises. Mastercard’s global SMB cybersecurity study found that nearly one in five SMBs that suffered a cyberattack filed for bankruptcy or closed permanently.
The Ransomware-as-a-Service Economy
Understanding RaaS is essential for understanding why ransomware statistics keep climbing despite law enforcement pressure.
In a RaaS model, a core developer creates and maintains the ransomware payload, then licenses it to affiliates who conduct actual attacks. Affiliates handle targeting, initial access, negotiation, and victim management. The developer takes a percentage cut — typically 20-30%. This specialization massively lowers the barrier to entry. An affiliate doesn’t need coding skills; they just need to purchase network access from an Initial Access Broker (IAB) and deploy an existing payload.
Chainalysis tracked approximately $14 million in payments to IABs in 2025 — hackers who specialize in compromising networks and selling that access to ransomware affiliates. It’s an industrialized supply chain for network intrusions.
This model’s resilience to law enforcement is structural. Taking down a RaaS developer — even a major one like LockBit — doesn’t eliminate the affiliates, the IABs, or the criminal skills. Those participants simply migrate to competing platforms. GuidePoint’s count of 124 active ransomware groups in 2025, up 46% from the prior year, is the direct consequence of Operation Cronos disrupting LockBit and pushing affiliates outward.
Notable Ransomware Attacks: 2024–2025
Stats gain context from real incidents. These attacks illustrate what the numbers above actually look like in practice:
Change Healthcare (2024) — ALPHV/BlackCat attack on UnitedHealth Group’s subsidiary. Approximately 100 million individuals affected — one of the largest healthcare data breaches in US history. UnitedHealth paid a $22 million ransom. Total recovery costs have been estimated at around $3 billion.
PowerSchool (late 2024/2025) — A ransomware attack on the K-12 education software provider exposed data on more than 62 million students and 9.5 million teachers across North America.
Yale New Haven Health (March 2025) — Ransomware attack compromised data for approximately 5.6 million patients. The organization settled a class-action lawsuit for $18 million in October 2025.
DaVita (April 2025) — One of the largest US kidney care providers suffered an attack exposing personal and health information of 2.7 million individuals.
Dark Angels $75M payment (2024) — The largest single ransom payment ever recorded, documented by Mandiant M-Trends. The victim organization has not been publicly named.
These aren’t outliers. They’re what routine ransomware operations look like at enterprise scale.
2026 Ransomware Trends to Watch
Based on current data and trajectory, the following trends are most likely to shape the next 12 months:
AI-accelerated attack development. Ransomware groups are using generative AI to write more convincing phishing campaigns, personalize social engineering at scale, and adapt payloads faster than traditional signature-based detection can respond. This is not speculative — 80% of 2025 ransomware attacks leveraged AI tools in some form.
Data-only extortion (no encryption). Some groups, particularly those targeting victims with strong backup infrastructure, have shifted to pure exfiltration: stealing data without encrypting systems, then threatening to publish. This bypasses the backup-as-defense approach entirely. Clop’s 2025 campaigns frequently used this model.
Supply chain targeting. Ransomware groups increasingly target IT service providers, managed service providers (MSPs), and software vendors to reach their downstream clients at scale. A single MSP compromise can open hundreds of smaller businesses simultaneously.
Continued ecosystem fragmentation, then consolidation. The current period of high fragmentation (124 active groups) will likely give way to consolidation around a few dominant platforms as smaller operators fail to maintain affiliate trust. Qilin, DragonForce, and LockBit 5.0 are the current candidates for dominant platform status in 2026.
Regulatory pressure on payments. The percentage of states enacting laws regulating ransomware payments, fines, and negotiations is projected to reach 30% by the end of 2025. This regulatory shift, combined with federal guidance, may further suppress payment rates — which in turn drives attackers toward higher-volume, lower-demand campaigns.
How to Use These Statistics in Practice
Raw ransomware statistics matter most when they drive decisions. Here’s how security and business leaders should apply them:
Building a security budget case: The $5.08 million average breach cost (IBM 2025) versus the typical annual cost of endpoint detection, backup infrastructure, and incident response planning makes the ROI calculation straightforward for most organizations.
Assessing payment risk: With 84% of paying victims failing to fully recover data (Halcyon), and with law enforcement providing free decryption keys to reported victims in increasing cases, paying ransom is neither reliable nor increasingly necessary. Reporting to FBI IC3 immediately after an attack significantly improves recovery options.
Prioritizing defenses: The 32% of attacks starting with unpatched vulnerabilities and 23% starting with compromised credentials point to a clear priority stack — patch management and credential hygiene are not glamorous, but they block the two most common entry points. Multi-factor authentication (MFA) on all remote access eliminates a large share of credential-based initial access.
Testing your backup strategy: Offline, immutable backups that are tested quarterly are the single most effective recovery tool. If you haven’t run a real recovery drill from backup in the past six months, your backup strategy exists on paper, not in practice.
The CISA ransomware guidance portal provides free assessments, alert feeds, and decryption resources through the StopRansomware.gov initiative — a resource worth bookmarking regardless of organizational size.
For practical protection tools that defend against the credential theft and malware delivery methods underlying most ransomware attacks, see our guides to best antivirus software and best password managers — two of the most direct controls against initial access vectors.
Frequently Asked Questions
How many ransomware attacks happen per day in 2026?
Ransomware attacks now average approximately 535 confirmed victims per month on tracked dark web leak sites (Check Point Research, Q2-Q3 2025), representing disclosed extortion cases only. Actual attack volume — including incidents that never result in extortion or public disclosure — is substantially higher. Cybersecurity Ventures projects one ransomware attack every 2 seconds by 2031.
What is the average cost of a ransomware attack in 2026?
The average total breach cost for a ransomware incident is $5.08 million (IBM Cost of a Data Breach 2025). The average recovery cost excluding the ransom payment is $1.53 million (Sophos 2025). For the healthcare sector specifically, the average breach cost is $7.42 million per incident.
What percentage of ransomware victims pay the ransom?
Approximately 36% of victims paid ransom in 2025, down from 41% in 2024. The refusal rate has been increasing consistently year over year as organizations improve backup capabilities and engage law enforcement earlier. Among those who pay, the median actual payment is around $110,000–$115,000, well below the median demand of $1.32 million.
Which ransomware groups are most active in 2026?
Qilin is currently the most prolific group by victim count, having expanded 578% in 2025. LockBit 5.0 re-emerged in September 2025 and remains active. DragonForce absorbed former RansomHub affiliates and operates a franchise-style RaaS model. Sinobi is a notable newer entrant with an unusually fast ramp-up pace. The FBI’s top-reported groups for 2024 were Akira, LockBit, RansomHub, FOG, and PLAY.
What industries are most targeted by ransomware?
Manufacturing, healthcare, professional services, technology, and government are consistently the most targeted sectors. Healthcare is the most expensive, with a $7.42 million average breach cost. At the SMB level, ransomware was involved in 88% of all breaches, making it a universal threat regardless of organization size.
How do most ransomware attacks start?
According to Sophos’s 2025 research: 32% start with exploited software vulnerabilities, 23% start with compromised credentials, and 18% start with phishing. Unpatched systems and reused or stolen passwords remain the two most common initial access vectors.
Should organizations pay ransomware demands?
The data argues strongly against it. 84% of organizations that paid in Q4 2024 failed to fully recover their data (Halcyon). Paying also funds future attacks and may create legal exposure under OFAC sanctions guidance if the group is sanctioned. The better path is immediate reporting to the FBI (which can provide decryption keys in some cases), engagement of a professional incident response team, and recovery from tested offline backups.
What is Ransomware-as-a-Service (RaaS)?
RaaS is a business model where ransomware developers license their malware to affiliates who conduct attacks in exchange for a revenue split. The model lowered the skill barrier for launching ransomware attacks and is responsible for the rapid proliferation of attack volume. Most major groups — LockBit, RansomHub, Qilin, DragonForce — operate on this model.
What is the projected cost of ransomware by 2031?
Cybersecurity Ventures projects global ransomware damage costs will reach $275 billion annually by 2031, up from $57 billion in 2025. That projection assumes a continued escalation in attack frequency and sophistication, including AI-enabled operations.
Cybersecurity analyst covering VPN, antivirus, privacy, and online threats. 8+ years in enterprise security operations. Tests every product he reviews.