Threat Intelligence

Ransomware Economics in 2026: Data Extortion Wins, Encryption Loses

Payment rates hit record lows in 2025 while attack volume surged. The result is a colder, leaner extortion economy built on data theft, not encryption — and a RaaS market reconsolidating around a handful of operators.

Priya Mehta
AI Policy Analyst

The numbers that define ransomware in 2026 do not move in the direction you would expect. Attacks went up. Payments went down. Both happened at the same time, and the gap between them is the whole story. The criminal business model that ran the last decade — break in, encrypt everything, sell the victim back their own files — is being quietly retired, not because law enforcement killed it, but because it stopped paying. What replaced it is leaner, colder, and harder to recover from.

This is a trend analysis, not a panic piece. The facts below are drawn from public 2025 and early-2026 reporting, and where a figure is contested or still settling, we say so. The point is to understand the economics, because the economics dictate the defense.

The Payment Collapse Nobody Predicted

Start with the single most important statistic. According to Chainalysis, only 28% of identified ransomware victims paid in 2025, down from roughly 62.8% in 2024 and 78.9% back in 2022. That is a four-year freefall. Coveware's incident-response data tells the same story from a different angle: the payment rate fell to around 23% in Q3 2025 and roughly 20% in Q4, which Coveware described as an all-time low.

Total on-chain ransomware payments tracked by Chainalysis came in around 820 million dollars for 2025, down about 8% from the 892 million estimated for 2024. Chainalysis cautions that the 2025 figure will likely climb toward 900 million as more transactions are attributed — these numbers always revise upward — but the trajectory is clear: the ecosystem made less money in 2025 than in 2024, on both total payments and average payment size.

And yet attacks surged. Publicly reported incidents rose to roughly 7,200 in 2025 from about 4,900 in 2024. So volume is up sharply while revenue is down. That is not a contradiction. It is a business under margin pressure, and businesses under margin pressure change tactics.

What "Extortion-Only" Actually Means

The most visible adaptation is the move away from encryption. For years, the encryptor was the whole product — the leverage was your inability to access your own data. That leverage has decayed. Backups got better, incident-response playbooks matured, and a lot of organizations learned the hard way that paying for a decryptor is slow, unreliable, and no guarantee of recovery. So attackers stopped bothering with the part that gets them caught.

In data-extortion-only attacks, there is no encryptor. The crew breaks in, exfiltrates sensitive data, and threatens to publish it. That is the entire play. Reporting through late 2025 indicated data exfiltration appeared in the overwhelming majority of incidents — one widely cited figure put it at 94% of Q4 2025 cases — and that data-theft-only extortion increased roughly elevenfold between November 2024 and November 2025. Treat the elevenfold figure as the headline it was meant to be: directionally enormous, but precise only within a single vendor's reporting methodology.

The strategic logic is brutal and clean. Skipping encryption shortens dwell time, shrinks the detection window, and sidesteps the noisy, signature-heavy behavior that EDR is tuned to catch. Critically, it also renders your backups irrelevant. You can restore every system to a clean state and the attacker still holds your customers' records. There is nothing to decrypt and nothing to restore your way out of. The leverage moved from availability to confidentiality, and confidentiality has no backup.

This is why "ransomware recovery" is becoming a misnomer for a growing share of incidents. You cannot recover from a disclosure that has already happened. The cleanup is legal, regulatory, and reputational — not technical.

The Other Paradox: Fewer Payers, Bigger Asks

If only one in five victims pays, how does the model survive? By concentrating. Reporting on 2025 showed the median ransom actually paid jumping sharply year over year — one figure had it rising from roughly 12,700 dollars to nearly 60,000 dollars, a 368% increase. Take the exact percentage with appropriate caution, since median figures swing with sample composition, but the direction is consistent across sources: fewer victims pay, so the ones who do are pushed to pay much more.

This is a deliberate sorting. Affiliates increasingly triage targets by ability to pay, walking away from small fish and pressing hard on organizations with regulatory exposure, sensitive data, and the cash to settle quietly. Healthcare sits squarely in the crosshairs for exactly this reason. It is not always the highest sector by raw attack volume — manufacturing tends to lead there — but healthcare remains among the most expensive to breach, with average costs reported in the multi-million-dollar range, and federal incident counts in the hundreds for 2025. A hospital cannot tolerate downtime, sits on the most regulated data class there is, and faces enormous pressure to make the problem disappear. From an extortionist's spreadsheet, that is a near-ideal customer.

The RaaS Shakeout

The supply side is reorganizing too. The Ransomware-as-a-Service model — developers leasing tooling to affiliates who run the actual intrusions — lowered the barrier to entry to essentially zero, and it remains the engine of the ecosystem. But the roster of engines changed.

The takedowns of recent years did not reduce attack volume. The LockBit disruption by international law enforcement in early 2024 seized infrastructure and arrested affiliates, yet LockBit-linked activity persisted and the brand kept appearing near the top of FBI counts. RansomHub, which had absorbed a wave of affiliates after the ALPHV/BlackCat collapse, abruptly went dark in 2025 amid exit-scam allegations. In both cases the affiliates did not retire. They migrated.

The result through early 2026, per Check Point and industrial-sector reporting, is reconsolidation: after a long stretch of fragmentation, the market is clustering around a smaller set of dominant operators. Names like Qilin, Akira, LockBit, and The Gentlemen were reported to account for a large share of observed victims — roughly 41% by one Q1 2026 tally. Qilin in particular ramped affiliate recruitment as RansomHub's people went looking for a new home.

For defenders, the lesson is uncomfortable. Decapitating a brand scatters its operators across surviving platforms; it rarely shrinks the threat. The affiliate is the durable unit, not the logo on the leak site. And those affiliates now get paid for data theft and access resale alongside any encryption cut, so they have less reason than ever to fire an encryptor that only raises their risk.

What This Means for Defense

If the leverage is data exfiltration, then prevention has to move left of the breach. Backups remain essential, but they are an availability control in a world where the attackers stopped competing on availability. The questions that matter now are: how did they get in, what data could they reach, and how fast did you see the exfiltration? For most organizations the honest answer to the first question is some combination of an unpatched edge device, a stolen credential or token, and an over-trusted third party. That puts identity hygiene, attack-surface reduction, and supply-chain risk at the center of the ransomware conversation, even when the word "ransomware" never appears in the initial alert.

How Safeguard Helps

Safeguard treats ransomware as a supply-chain and access problem, because in 2026 that is overwhelmingly how it starts. Our AIBOM and SBOM analysis, vendor scorecards, and TPRM workflows surface the third-party and dependency exposure that extortion crews use as their front door, while policy gates and provenance attestation keep compromised or unverified components out of your pipeline before they ship. The platform is model-agnostic — bring your own model, with engines like Anthropic Mythos or OpenAI Daybreak plugging in as components — and the reliability lives in our Multi-Agent TAOR Deep Think verification layer above the model, where multi-agent cross-checking cuts false positives so your team spends its time on findings that are real. If you want to map where a data-extortion crew would actually get in, reach out.
