Ransomware in 2026: How Attacks Work and How to Protect Yourself

Ransomware was present in 44% of all data breaches in 2025 — a 37% year-on-year increase. 88% of SMB breaches involved ransomware. US incidents increased 50% in a single year. 80% of attacks now use AI. Double extortion (encrypt AND steal data) is present in 87.6% of claims. This complete guide explains how ransomware actually works in 2026 — the full attack chain from initial access to ransom demand — the RaaS ecosystem, AI amplification, triple extortion, data-only attacks, who gets targeted and why, and the specific defences that actually reduce your risk.

Staff Writer

In early 2026, a regional hospital network was hit by ransomware that encrypted medical records, laboratory systems, and critical patient monitoring infrastructure. The attackers — operating through a Ransomware-as-a-Service platform that provided them with professional-grade malware, technical support, and even negotiation assistance — demanded payment in cryptocurrency and simultaneously threatened to release patient records publicly if payment was not received within 72 hours. Because backups were incomplete and patient care depended directly on the encrypted systems, the hospital was forced into a position that no organisation wants to occupy: negotiate with criminals while attempting to maintain care for patients whose medical histories were inaccessible. The attack illustrates exactly why ransomware remains the most consequential and most consistently underestimated threat in the cybersecurity landscape of 2026.

Ransomware is not a new problem. The first recognised ransomware attack occurred in 1989, when a biologist distributed floppy disks containing malware that encrypted file names and demanded $189 sent to a PO Box in Panama. The concept has not changed. What has changed — dramatically, continuously, and in ways that make the current threat unrecognisable from its origins — is the sophistication of the attacks, the professionalism of the criminal ecosystem delivering them, the range of extortion tactics being deployed, and the scale of the financial and operational damage being inflicted.

Ransomware was present in 44 percent of all data breaches in 2025, according to Verizon’s Data Breach Investigations Report — a 37 percent increase compared to the previous year’s report. For small and midsize businesses, ransomware was involved in 88 percent of breaches. US ransomware attacks increased by 50 percent in the first ten months of 2025, with 5,010 reported incidents compared to 3,335 in 2024. Total ransomware incidents globally could exceed 12,000 in 2026 if early-year momentum continues. The average cost of recovering from a ransomware attack is $1.53 million. The average breach cost overall reached $4.88 million — an all-time high. And 80 percent of ransomware attacks now leverage AI tools in some capacity, according to MIT Technology Review, dramatically increasing the sophistication, personalisation, and speed of every stage of the attack cycle.

This guide explains how ransomware actually works in 2026 — not the simplified version from awareness training, but the real attack chain from initial access to ransom demand — and provides the specific, practical defences that genuinely reduce risk rather than the generic advice that sounds thorough but leaves the most important gaps unaddressed.

What Ransomware Is — and What It Has Become

The original ransomware concept is simple: malicious software encrypts the victim’s files, making them inaccessible, and demands payment in exchange for the decryption key. The files remain on the victim’s system; they are simply unreadable without the key that only the attacker possesses. Pay the ransom, receive the key, decrypt the files, resume operations. Do not pay, and the files remain encrypted indefinitely.

This model worked well for attackers as long as victims had no alternative — as long as backups were inadequate, the encrypted data was irreplaceable, and the ransom was small enough that paying was economically rational. As organisations improved their backup practices and became more willing to restore from backup rather than pay, the simple encryption model became less reliable as an extortion lever. Attackers adapted.

Double extortion is now standard operating procedure, present in 87.6 percent of ransomware claims according to Travelers Insurance. In the double extortion model, attackers do not merely encrypt files — they first exfiltrate copies of the most sensitive data to their own infrastructure. Then they encrypt the victim’s systems and issue two threats simultaneously: pay or lose access to your systems, and pay or we publish your stolen data. The second threat survives the first mitigation: even a victim who restores perfectly from backups and never regains their encrypted files still faces exposure of the stolen data if they do not pay. Backups protect against the encryption. They do nothing to protect against the leak.

Triple extortion extends this further. In the triple extortion model, attackers add a third pressure: contacting the victim’s customers, patients, regulators, or business partners directly, informing them that their data has been stolen and pressuring the primary victim through secondary channel coercion. The Black Cat / ALPHV attack on MeridianLink in 2023 demonstrated this when the ransomware group filed a formal complaint with the US Securities and Exchange Commission alleging that MeridianLink — the attack victim — had failed to disclose the breach as required. This use of regulatory enforcement mechanisms as an extortion tool represents a genuinely novel form of leverage that no backup strategy addresses.

The most recent evolution — what Recorded Future terms data-only extortion and Splunk calls extortionware — skips encryption entirely. Attackers who have exfiltrated valuable data simply threaten to publish it. No encryption, no system disruption, no visible indicator that an attack has occurred until the ransom demand arrives. Approximately 50 percent of all attacks tracked by Recorded Future in late 2025 and early 2026 fall into this data theft and extortion category. This approach is quieter, faster, more difficult to detect, and makes backups entirely irrelevant as a defensive measure. The implication is significant: ransomware in 2026 is fundamentally an extortion business built on data theft, not merely a malware problem built on encryption.

The Ransomware-as-a-Service Ecosystem: Crime as a Business

The most important structural development in the ransomware landscape of the past three years is the complete industrialisation of the criminal ecosystem through Ransomware-as-a-Service. RaaS has transformed ransomware from a capability requiring significant technical expertise into a commodity service accessible to anyone with the motivation and a cryptocurrency wallet.

In the RaaS model, a core developer or criminal group creates and maintains the ransomware codebase, the infrastructure for managing victims and collecting payments, the data leak site for publishing stolen data, and often the negotiation service that handles the back-and-forth with victim organisations. They then license this infrastructure to affiliates — operators who identify targets, conduct the initial compromise, deploy the ransomware, and manage the attack — in exchange for a revenue share, typically 70 to 80 percent of ransom proceeds to the affiliate and 20 to 30 percent to the RaaS operator.

The scale and sophistication of this ecosystem is staggering. 55 new RaaS families emerged in 2024 alone — a 67 percent increase year-over-year according to Travelers Insurance. 95 active ransomware gangs were tracked as of late 2025, up 40 percent from the previous year. Some RaaS operations offer round-the-clock support, regular software updates, negotiation services, and DDoS capabilities bundled as premium features for affiliates. The Chaos ransomware group, for example, differentiates its RaaS offering in 2026 by providing DDoS attack capabilities to all affiliates — an additional pressure mechanism that can be deployed simultaneously with or independently of the ransomware itself.

RaaS has lowered the barrier to entry for cybercrime to effectively zero. An affiliate does not need to understand cryptography, network penetration techniques, or malware development. They need to be able to follow instructions, conduct basic social engineering, and deploy a pre-built toolkit against a target. The technical sophistication of the attack is provided by the RaaS platform; the affiliate provides the access. This combination of professional-grade tooling and low-skill deployment is why ransomware attacks increased by 50 percent in a single year and why over 5,000 incidents were recorded in the US alone in the first ten months of 2025.

How a Ransomware Attack Actually Unfolds: The Full Attack Chain

Understanding ransomware defence requires understanding the attack chain — the specific sequence of steps that an attacker follows from initial access to ransom demand. The public perception of ransomware as a sudden, indiscriminate event is inaccurate. Most ransomware attacks follow a deliberate, multi-stage process that typically unfolds over days or weeks, with the encryption or data exfiltration event occurring only at the final stage of a longer intrusion.

Initial access is the attacker’s first foothold in the victim’s environment. 63 percent of attackers go undetected for up to six months before deploying ransomware, according to Fortinet — meaning the initial access event typically predates the ransomware event by weeks to months. The most common initial access vectors are phishing emails (malicious attachments or links that install credential-stealing malware or remote access tools when opened), exploitation of unpatched vulnerabilities (particularly in internet-facing systems like VPNs, remote desktop services, and web applications), and credential theft through prior data breaches (using username and password combinations from previous breaches to authenticate into accounts that reuse the same credentials). Notably, 79 percent of initial access attacks are now malware-free according to CrowdStrike’s 2025 data — meaning attackers are increasingly using stolen credentials and legitimate tools rather than malware to establish initial access, specifically to evade the signature-based detection that antivirus software relies on.

Reconnaissance and lateral movement follow initial access. Once inside the environment, the attacker spends time mapping the network — identifying the most valuable systems, the locations of sensitive data, the structure of the Active Directory that governs access permissions, and the state of backups. Tools like Mimikatz are used to extract credential hashes from memory, enabling the attacker to authenticate as higher-privilege users and move laterally through the network. The goal of this phase is to reach the positions in the network — domain controllers, file servers, backup systems — that maximise the impact of the eventual ransomware deployment. Ransomware groups are increasingly investing in targeted reconnaissance, researching victims to understand their operations, financial position, cyber insurance coverage, and regulatory exposure before crafting the ransom demand.

Data exfiltration precedes encryption in most modern double-extortion attacks. Before triggering the ransomware payload, the attacker copies the most sensitive and leverage-generating data to their own infrastructure. This typically takes hours to days depending on data volume and network bandwidth. It is the phase at which early detection has the most value: catching the exfiltration in progress prevents the second lever of double extortion from ever materialising. The data most commonly targeted is customer records (for GDPR / privacy regulatory exposure), financial data (for competitive or regulatory leverage), intellectual property (for direct economic value), and executive communications (for reputational damage threat).

Ransomware deployment is typically a scripted, rapid action — propagating the encryption payload across as many systems as possible as quickly as possible, triggered after hours or over a weekend when monitoring is minimal and the defenders’ response will be slowest. Living-off-the-land techniques — using legitimate Windows tools like PowerShell, Windows Management Instrumentation (WMI), and PsExec rather than custom malware — make the deployment difficult to distinguish from legitimate administrative activity. Modern ransomware attacks are designed to reach the encryption stage before any alert is generated and responded to, which is precisely why the first alert many organisations receive is the ransom note itself.

The ransom demand arrives after encryption is complete. Modern ransomware operations provide victims with a portal — increasingly a professional-looking web interface accessible via a dark web link — where they can communicate with attackers, receive proof that decryption is possible, and negotiate the payment terms. LockBit 5.0, as of 2026, uses private negotiation portals with individualised credentials for each affiliate interface, reflecting the professionalisation of even the customer-facing dimensions of ransomware operations. The median ransom demand in 2025 was $1.32 million according to Sophos, with the largest single payment — $75 million to the Dark Angels group in 2024 — representing the scale of ransom possible for the most valuable targets.

The AI Amplification: How Artificial Intelligence Is Making Ransomware Worse

The convergence of AI tools with the ransomware ecosystem has produced attacks that are faster, more convincing, and harder to detect than anything that preceded them. 80 percent of ransomware attacks now leverage AI tools in some capacity, a figure that reflects not a single AI application but the integration of AI throughout the attack chain.

At the initial access stage, AI-generated phishing is eliminating the linguistic signals that email security training has historically relied on to identify suspicious messages. AI-generated phishing emails achieve a 54 percent click-through rate according to Microsoft’s 2025 Digital Defense Report, compared to 12 percent for traditional phishing — making AI-generated campaigns roughly four and a half times more effective than their predecessors. The emails reference real projects, mimic the writing style of known colleagues, and include plausible pretexts drawn from publicly available information on LinkedIn and corporate websites. The grammatical errors, generic greetings, and implausible requests that characterised early phishing are absent from AI-generated campaigns.

At the reconnaissance stage, AI enables faster and more comprehensive target profiling — analysing public data sources, financial filings, job postings, and social media to build detailed pictures of target organisations, their key personnel, their technology stack, and their likely cyber insurance coverage. A ransomware group that knows a target’s cyber insurer, their policy limits, and their historical willingness to pay enters the negotiation with a significant informational advantage.

At the persistence and lateral movement stages, polymorphic malware — code that mutates to evade signature-based detection — is increasingly AI-generated, creating variants that bypass the specific signatures that existing security tools are looking for. The combination of malware-free initial access (using legitimate credentials) and AI-polymorphic payloads (evading signature detection) creates an attack profile that traditional antivirus and endpoint protection struggle to detect.

Who Gets Hit and Why: The Target Profile

The common misperception that ransomware targets primarily large enterprises with deep pockets is contradicted by the data. For small and midsize businesses, ransomware was involved in 88 percent of breaches according to Verizon’s 2025 DBIR — a proportion that reflects both the higher frequency of attack targeting and the relative inadequacy of SMB defences compared to large enterprise security programmes. Ransomware groups specifically prefer targets with valuable data, limited security resources, operational dependencies on their systems that make downtime costly, and either cyber insurance (providing certainty about payment capacity) or regulated data obligations (providing leverage through threatened regulatory disclosure).

Healthcare remains the most financially consequential target category, with the average healthcare breach cost reaching $9.77 million between 2022 and 2024 — more than twice the cross-industry average. The combination of directly life-affecting operational disruption (patient care genuinely cannot continue when records are inaccessible), highly sensitive regulated data (HIPAA exposure), and historically inadequate cybersecurity investment makes healthcare organisations particularly attractive and particularly vulnerable.

Critical infrastructure — energy, water, transportation, government services — has emerged as a priority target category, both for financially motivated criminal groups and for nation-state actors using ransomware-like tactics for geopolitical leverage. A ransomware attack on a major water treatment facility, power grid operator, or transport network creates public pressure for rapid payment that purely commercial targets do not generate. Several critical infrastructure attacks in 2025 demonstrated the operational consequences of successful attacks on systems with no tolerance for downtime.

Supply chain attacks represent an evolution in attack targeting logic: rather than attacking individual organisations directly, ransomware groups increasingly target managed service providers (MSPs), software distributors, and technology vendors whose compromise provides simultaneous access to hundreds or thousands of downstream customers. The Ingram Micro incident in July 2025 — in which the ransomware group SafePay infiltrated the global technology distributor, disrupting its supply chain operations for nearly a week — demonstrates the multiplier effect that supply chain targeting achieves. If an MSP manages network and endpoint security for a hundred client organisations, compromising the MSP potentially compromises all hundred.

The Insider Threat Dimension: A Growing and Underappreciated Risk

Ransomware groups in 2026 are increasingly supplementing their remote access capabilities by recruiting corporate insiders — employees of target organisations who can provide internal access that external attack methods cannot achieve. Recorded Future reports that insider recruitment attempts increased significantly throughout 2025 and are expected to continue growing, particularly as workforce reductions at major technology and financial companies persist into 2026, creating pools of disgruntled or financially motivated employees susceptible to approach.

The FBI has issued advisories documenting ransomware groups using gig work platforms and professional networks to contact potential insiders. In documented cases, attackers have used social engineering targeting help desk staff — impersonating employees to manipulate IT support into resetting credentials or disabling security controls. The Black Cat ransomware group’s attempt to recruit a BBC reporter as an intermediary represents the visible tip of a much larger trend of external entity targeting that extends the attack surface beyond technical infrastructure into human behaviour.

The implication for organisations is that insider threat programme evaluation is no longer a theoretical exercise for large enterprises — it is a practical defence requirement at any scale. Employees should receive explicit awareness training about the possibility of external recruitment attempts, organisations should monitor for anomalous access patterns that could indicate insider-facilitated attacks, and the principle of least privilege should be enforced with the specific threat model of a malicious insider in mind.

How to Protect Against Ransomware: What Actually Works

The most important thing to understand about ransomware defence in 2026 is that the threat has evolved beyond what any single defensive measure can address. Backups alone do not protect against double extortion. Antivirus alone does not detect credential-based malware-free attacks. Firewalls alone do not prevent lateral movement by an attacker who has already authenticated with legitimate credentials. Effective defence requires a layered approach that addresses each stage of the attack chain rather than a single perimeter control that an increasingly sophisticated attacker is specifically designed to bypass.

Multi-factor authentication (MFA) is the single highest-impact control for reducing ransomware risk. MFA blocks 99.9 percent of automated credential attacks according to Microsoft — the category of attack that now accounts for 79 percent of initial access. An attacker who has stolen a username and password combination from a data breach cannot use it to access MFA-protected accounts without also compromising the second factor. Implementing MFA across all internet-facing services — VPN, remote desktop, email, cloud applications, identity providers — eliminates the most common single initial access vector in a way that no other single control matches for cost-effectiveness. Organisations that have not yet deployed MFA universally should treat this as the highest-priority security action, above all others.

Patch management — applied with genuine urgency — eliminates the second major initial access vector. The majority of ransomware attacks that exploit vulnerabilities do so against vulnerabilities for which patches have been available for months or years. An attacker does not need a zero-day exploit when a widely used VPN product has a known critical vulnerability that thousands of organisations have not yet patched. Automated patch scanning, prioritisation of internet-facing systems, and a firm policy of applying critical security patches within 24 to 72 hours of release — rather than the monthly patch cycles that many organisations use — dramatically reduces the vulnerability window.

Network segmentation and the principle of least privilege limit lateral movement after initial access has occurred. If an attacker compromises a single workstation but that workstation has no network access to file servers, databases, or backup systems, the blast radius of the attack is limited to that one workstation. Micro-segmentation — dividing networks into small, isolated zones with strictly controlled traffic flows between them — prevents the lateral movement phase that transforms a single compromised machine into an organisation-wide ransomware incident. Similarly, administrative accounts should have access only to the systems they actually need to administer; an attacker who steals the credentials of an account with domain-wide administrative access has access to everything. An account with limited scope of access constrains what the attacker can reach.

Backup integrity and isolation are essential — but must address the full threat model. The 3-2-1 backup rule — three copies of data, on two different media types, with one copy offsite — remains the foundation of ransomware resilience for the encryption dimension of attacks. But backups must be tested regularly (a backup that has never been tested is not a backup in any meaningful operational sense), must be isolated from the production network (an attacker with administrative access to the network can encrypt or delete backups that are connected to it), and must be immutable where possible (preventing modification or deletion even by accounts with administrative privileges). Critically, given the rise of data-only extortion, backups address the operational continuity problem but do not address the data exposure problem — for that, data loss prevention tools and early exfiltration detection are required.

Endpoint Detection and Response (EDR) and 24/7 monitoring close the detection gap that signature-based antivirus leaves. EDR tools monitor system behaviour rather than file signatures — detecting anomalous activity like credential dumping, lateral movement patterns, bulk file encryption attempts, and large-volume data transfers regardless of whether the specific tools being used have known malicious signatures. The challenge is that effective EDR monitoring requires 24/7 coverage, because ransomware attacks are deliberately timed for evenings, weekends, and holidays when internal monitoring staff are not present. Organisations without the resources for internal 24/7 security operations should evaluate managed detection and response (MDR) services that provide this coverage externally.
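Two of the behavioural signals named above, a burst of high-entropy file writes (bulk encryption) and an unusual volume of outbound traffic (the exfiltration phase described in the attack chain section), as an added example that is not from the original article: a small Python detector run over constructed endpoint and flow logs. The host names, paths, destination addresses, the per-write entropy field and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed endpoint file-activity log (pipe-delimited), one event per line:
# timestamp|host|action|path|entropy of the written bytes (bits/byte, as a sensor might report)
FILE_EVENTS = """\
2026-02-13T10:02:11|ws-03|WRITE|C:\\Users\\asmith\\Documents\\report.docx|4.61
2026-02-13T11:30:05|ws-03|WRITE|C:\\Users\\asmith\\Downloads\\photo.jpg|7.88
2026-02-14T02:10:00|ws-17|WRITE|C:\\Shares\\Finance\\q1-forecast.xlsx.lkd|7.97
2026-02-14T02:10:06|ws-17|WRITE|C:\\Shares\\Finance\\payroll.csv.lkd|7.99
2026-02-14T02:10:13|ws-17|WRITE|C:\\Shares\\Finance\\vendors.xlsx.lkd|7.98
2026-02-14T02:10:21|ws-17|WRITE|C:\\Shares\\HR\\contracts.pdf.lkd|7.96
2026-02-14T02:10:30|ws-17|WRITE|C:\\Shares\\HR\\reviews.docx.lkd|7.99
2026-02-14T02:10:45|ws-17|WRITE|C:\\Shares\\Legal\\nda-archive.zip.lkd|7.97
"""

# Constructed egress flow summaries (assumed format): timestamp|host|destination|bytes_out
FLOW_EVENTS = """\
2026-02-13T10:00:00|ws-03|203.0.113.5|2048000
2026-02-14T02:30:00|ws-17|198.51.100.23|314572800
2026-02-14T02:45:00|ws-17|198.51.100.23|262144000
"""


def parse_file_events(text):
    """Parse the pipe-delimited file-activity log into dicts with a datetime."""
    rows = (line.split("|") for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "host": h, "action": a, "path": p,
             "entropy": float(ent)} for ts, h, a, p, ent in rows]


def parse_flow_events(text):
    """Parse the pipe-delimited egress flow log into dicts with a datetime."""
    rows = (line.split("|") for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "host": h, "dst": d, "bytes": int(b)}
            for ts, h, d, b in rows]


def is_off_hours(ts):
    """Weekend or 22:00-06:00: the windows the article notes attackers favour."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 22


def detect_bulk_encryption(events, min_writes=6, window=timedelta(seconds=60),
                           min_entropy=7.5):
    """Flag hosts that write >= min_writes near-random files inside one window.
    Ciphertext measures close to 8 bits/byte; office documents sit far lower, so a
    burst of high-entropy writes is a strong bulk-encryption signal (thresholds are
    assumptions; tune them against the environment's normal file activity)."""
    alerts, per_host = {}, defaultdict(list)
    for e in events:
        if e["action"] in ("WRITE", "RENAME") and e["entropy"] >= min_entropy:
            per_host[e["host"]].append(e["ts"])
    for host, times in per_host.items():
        recent = deque()                      # sliding window of qualifying writes
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= min_writes:
                alerts[host] = {"start": recent[0], "end": t, "writes": len(recent),
                                "off_hours": is_off_hours(t)}
                break
    return alerts


def detect_bulk_egress(flows, max_bytes=500 * 1024 * 1024, window=timedelta(hours=1)):
    """Flag hosts whose outbound volume inside any sliding window exceeds max_bytes."""
    alerts, per_host = {}, defaultdict(list)
    for f in flows:
        per_host[f["host"]].append((f["ts"], f["bytes"]))
    for host, samples in per_host.items():
        recent, total = deque(), 0            # window of (timestamp, bytes) and its sum
        for ts, nbytes in sorted(samples):
            recent.append((ts, nbytes))
            total += nbytes
            while ts - recent[0][0] > window:
                total -= recent.popleft()[1]
            if total > max_bytes:
                alerts[host] = {"start": recent[0][0], "end": ts, "bytes": total,
                                "off_hours": is_off_hours(ts)}
                break
    return alerts


if __name__ == "__main__":
    print(detect_bulk_encryption(parse_file_events(FILE_EVENTS)))
    print(detect_bulk_egress(parse_flow_events(FLOW_EVENTS)))
```

Run as-is, only ws-17 is flagged by both rules: the single high-entropy JPEG write on ws-03 stays below the burst threshold, which is the point of counting bursts rather than individual files.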

Employee security awareness training must keep pace with AI-enhanced social engineering. A training programme built around examples of grammatically poor phishing emails from generic senders no longer addresses the threat that employees actually face. In 2026, AI-generated phishing is indistinguishable from legitimate corporate communications in its linguistic quality. Training must focus on behaviour rather than appearance: verifying unexpected requests through out-of-band channels (calling the person via a known phone number, not replying to the email), applying suspicion to urgency (legitimate requests rarely require bypassing normal processes), and understanding the specific scenarios — help desk impersonation, vendor payment request changes, executive wire transfers — that ransomware groups use most frequently as social engineering pretexts.

Should You Pay the Ransom?

The question of whether to pay the ransom is one that every organisation affected by ransomware faces under significant time pressure, and the answer is more nuanced than either “never pay” or “pay to recover faster.” The data shows that payment behaviour is changing: 64 percent of ransomware victims refused to pay in 2024, up from 54 percent the year before, and the median ransom payment has declined. But the decision calculus is specific to each organisation’s situation in ways that make general guidance insufficient.

The arguments against paying are well-established: payment funds criminal infrastructure, encouraging more attacks; payment provides no guarantee that the decryption key will work or that stolen data will not be published anyway; and payment may violate sanctions regulations if the receiving criminal group is on a government sanctions list, creating legal exposure for the paying organisation. Many jurisdictions are moving toward mandatory disclosure of ransom payments and, in some cases, restrictions on payment to sanctioned entities.

The argument for payment, when it occurs, typically comes down to operational necessity and data exposure: when systems are genuinely inaccessible and their inaccessibility is causing direct harm (as in the hospital scenario at the opening of this guide), and when the stolen data exposure creates regulatory or reputational consequences that materially exceed the ransom amount. These calculations are best made in advance — before an attack occurs — with the guidance of legal counsel, a cyber insurance broker, and an incident response plan that specifies the decision authority and the criteria under which payment would be considered.

The most important insight from the decline in payment rates is that organisations with effective backups, tested incident response plans, and cyber insurance are making the payment decision from a position of greater strength than those who lack these resources. Building the resilience to say no to a ransom demand requires significant advance preparation — but that preparation is both achievable and vastly cheaper than the alternative.

Building Ransomware Resilience: The Organisational Posture

ISACA’s 2026 Tech Trends and Priorities Pulse Poll found that 54 percent of respondents say ransomware is their organisation’s top security concern. The gap between concern and preparation remains significant: understanding the threat at a high level is widespread; translating that understanding into the specific technical and organisational controls that reduce actual risk is where most organisations fall short.

The organisations that recover from ransomware attacks quickly and without paying are the ones that treated the preparation as a genuine operational priority rather than a compliance exercise. They tested their backups. They ran tabletop exercises simulating the decisions that would need to be made under the pressure of an actual attack — who has authority to take the network offline, who communicates with staff and customers, who engages law enforcement, who makes the payment decision. They had incident response retainers with specialist firms so that expert help was available within hours of an incident rather than days into a search for a vendor during active crisis. And they had made the investments in MFA, network segmentation, and monitoring that mean the most common attack chains do not successfully complete.

Ransomware will not diminish in 2026. The criminal ecosystem is too well-funded, too organised, and too incentivised for that to happen in the short term. What has changed and will continue to change is the quality of defensive tools, the maturity of the cyber insurance market’s risk assessment and claims management capabilities, and the accumulation of experience within organisations that have been through attacks and built the resilience that the experience demanded. The organisations that are hardest to hit are not the ones with the most sophisticated technology — they are the ones that made the boring, systematic work of closing the most common attack vectors a genuine operational priority. That work is available to any organisation. The cost of not doing it is measured in millions.
