Ransomware appeared in 48% of all confirmed breaches in 2026, according to the Verizon 2026 Data Breach Investigations Report, making it the single most prevalent threat in breach data today. The median ransom payment in that same dataset stood at $139,875, while IBM’s research put the average total cost of a ransomware or extortion incident at $5.08 million. Those two numbers tell very different stories, and the gap between them is where most businesses get blindsided.

I’ve spent over 20 years watching business leaders underestimate this threat. Not because they’re careless. Because the numbers keep changing, the attackers keep adapting, and the advice they get is either too technical or too vague to act on. This post cuts through all of that. You’ll get the real ransomware statistics for 2026, organized by what they actually mean for your business, your industry, and your next decision.
Key Ransomware Statistics for 2026: Numbers at a Glance
Ransomware statistics for 2026 reveal a threat that is simultaneously getting more common and, in specific ways, more nuanced in how it extracts money from victims.
The headline figure is stark. Ransomware now appears in nearly half of all confirmed breaches. That’s up from 44% in the Verizon 2025 DBIR. Four percentage points might sound small. But it represents a measurable, consistent climb across back-to-back years of verified breach data.
The financial picture is more complicated. The median ransom payment fell to $139,875 in 2026. That sounds like progress. But median figures hide what’s happening at the top of the range, where large enterprises face demands in the tens of millions. And the total cost of an incident, including downtime, recovery, legal fees, and reputational damage, averaged $5.08 million according to IBM’s cost of a data breach research. Paying the ransom is often the smallest line item.
Here are the core ransomware statistics every business leader needs to know entering 2026:
- Ransomware present in 48% of confirmed breaches in 2026 (Verizon DBIR)
- Median ransom payment: $139,875 in the 2026 DBIR dataset
- Average total incident cost: $5.08 million (IBM, 2025)
- Total on-chain ransomware payments: approximately $820 million in 2025, down ~8% year-over-year (Chainalysis)
- FBI IC3 received 3,611 ransomware complaints in 2025, with losses exceeding $32 million
- SMBs experienced ransomware in 88% of their breach cases in 2025
- Vulnerability exploitation now accounts for 31% of all breaches, overtaking credential abuse as the top initial access vector
Each of these numbers deserves context. We’ll work through them throughout this post.
Global Ransomware Trends: What the 2026 Data Actually Shows
Global ransomware trends in 2026 show an attack that is becoming more selective, more professional, and harder to reverse once it lands inside your network.
The drop in total on-chain payments is worth examining carefully. Chainalysis reported that total on-chain ransomware payments fell roughly 8% to approximately $820 million in 2025. That sounds like good news. And in one respect, it is. More victims are refusing to pay, law enforcement pressure is disrupting some criminal infrastructure, and improved backup practices mean some organizations can recover without negotiating.
But the drop in payment volume doesn’t mean the attacks stopped. It means the economics are shifting. Attackers are targeting higher-value victims more precisely to compensate. The median on-chain ransom payment surged 368% year-over-year to approximately $59,556 in 2025, according to The Record’s reporting on Chainalysis data. Fewer payments, but dramatically larger individual amounts. Attackers are doing more damage to fewer, better-chosen targets.
One more data point that changes how you should think about your risk: fewer than 49% of ransomware attacks on enterprise organizations resulted in successful data encryption in 2025, per Sophos research on enterprise ransomware. That’s the lowest rate in five years. Better endpoint detection, faster response times, and improved network segmentation are having an effect. But “better than it was” is not the same as “safe.”
The True Cost of a Ransomware Attack: Beyond the Ransom Demand
The average cost of a ransomware incident reached $5.08 million in 2025, a figure that includes far more than the ransom itself, according to IBM’s annual data breach cost research.
Most business leaders fixate on the ransom number. That’s the wrong instinct. The ransom is often the cheapest part of the total bill. What actually destroys businesses is the downtime. Systems offline for days or weeks. Staff unable to work. Customers calling with no answers. Contracts delayed or cancelled. Legal and regulatory notifications that trigger their own costs.

The FBI’s IC3 logged 3,611 ransomware complaints in 2025, with reported losses exceeding $32 million. That figure, from the FBI IC3 2025 Annual Report, is almost certainly an undercount. The FBI consistently notes that ransomware incidents are underreported, particularly by SMBs that fear reputational damage or don’t realize reporting is an option.
There’s also the recovery cost problem. Paying the ransom doesn’t guarantee you get your data back clean. Decryption keys fail. Some data is corrupted. Attackers retain copies and return later. Organizations that pay often still spend weeks rebuilding systems. The ransom becomes a sunk cost on top of a full recovery effort.
Back up your data. Test those backups regularly. That single habit removes the leverage attackers count on more reliably than any other single control.
Ransomware Statistics by Industry: Who Gets Hit Hardest
Small and medium-sized businesses across all sectors faced ransomware in 88% of their breach cases in 2025, according to analysis of the Verizon DBIR by Halcyon, making SMBs the most consistently targeted group regardless of industry vertical.

That number should stop every SMB owner cold. This is not primarily a large-enterprise problem. Attackers love smaller organizations precisely because defenses tend to be thinner and the likelihood of payment is often higher. A mid-sized accounting firm or regional law practice has valuable data, limited security staff, and real pressure to restore operations fast. That combination is attractive to ransomware operators.
Healthcare Ransomware: The Highest-Stakes Target
Healthcare ransomware attacks carry consequences that go beyond financial loss. When hospital systems go offline, patient care is directly disrupted. Appointment systems fail. Electronic records become inaccessible. In some documented cases, patients have been diverted to other facilities during active incidents.
Healthcare organizations hold irreplaceable data: patient records, billing information, insurance details, and research data. That combination of sensitivity and operational dependency makes them highly attractive targets. Attackers know that a hospital cannot simply wait out a ransomware infection the way a retailer might absorb a few days of website downtime.
If you’re in healthcare, your incident response plan needs to account for patient safety protocols running parallel to your technical recovery. These aren’t the same plan.
Education and Government: High Volume, Lower Defenses
Education and government entities face a specific vulnerability: large attack surfaces with constrained budgets. Universities manage thousands of endpoints, many of them personally owned student devices connecting to institutional networks. Government agencies often run aging infrastructure that takes years to patch or replace.
Both sectors have been consistent ransomware targets. Their combination of sensitive data, public accountability, and budget limitations creates exactly the conditions attackers exploit. And unlike private companies, a ransomware attack on a school district or municipal government tends to go public immediately, adding reputational and political pressure on top of the operational crisis.
Manufacturing and Financial Services
Manufacturing targets are attractive because operational technology (OT) downtime is extraordinarily expensive. A factory floor that cannot run for 48 hours loses money every hour. Financial services firms carry a different risk: the sensitivity of client data and the regulatory obligations around protecting it create both financial and legal exposure from a single attack.
The pattern across industries is consistent. Attackers target wherever data is sensitive, where downtime is costly, or where organizations face regulatory pressure to restore operations fast. If your business fits any of those descriptions, you are in the target zone.
Attack Vectors: How Ransomware Gets In
Vulnerability exploitation overtook credential abuse as the leading initial access vector for ransomware attacks in 2026 for the first time, accounting for 31% of all breaches, according to TechRepublic’s reporting on the Verizon 2026 DBIR.

That’s a significant shift. For years, compromised credentials held the top spot. Phishing emails tricked employees into handing over usernames and passwords. Credential-stuffing attacks used leaked password databases. Multi-factor authentication was the primary defense recommendation. It still matters. But unpatched vulnerabilities have now surpassed those routes as the most common way attackers get their initial foothold.
What does that mean practically? Your patch management program is now your front line. Unpatched systems sitting on internet-facing infrastructure, VPN appliances with known vulnerabilities, perimeter devices that haven’t been updated in months. These are the open doors attackers are walking through most often.
Phishing remains the second major vector and still drives a large share of ransomware attacks. It doesn’t require technical sophistication on the attacker’s side. A convincing email, a spoofed login page, one employee click. That’s enough. Train your people. Phishing simulations aren’t optional extras anymore. They’re baseline hygiene.
Compromised credentials through exposed remote desktop protocol (RDP), third-party access, and supply chain weaknesses round out the primary attack paths. Attackers are opportunists. They go where the door is unlocked.
Patch fast. Enforce multi-factor authentication everywhere. Simulate phishing attacks at least quarterly. These three actions address the majority of successful ransomware entry points.
Notable Ransomware Attacks and Breaches of 2025 and 2026
The ransomware attacks of 2025 and 2026 include incidents affecting healthcare payment infrastructure, major retailers, and supply chain providers, demonstrating that no sector or scale of organization is exempt from significant disruption.
The Change Healthcare attack remained one of the most consequential ransomware incidents in recent memory, affecting healthcare payment processing across thousands of providers in the United States. The operational ripple effects stretched for months, with providers unable to process claims and patients facing delays in care authorization. It is a clear illustration of why ransomware attacks on critical infrastructure carry consequences far beyond the directly targeted organization.
Marks and Spencer, one of the UK’s best-known retailers, disclosed a ransomware-related incident that significantly disrupted online operations. The attack drew public attention partly because it hit a well-known consumer brand, and partly because the recovery timeline extended long enough to have a material, publicly reported effect on trading results.
Ingram Micro, one of the world’s largest technology distribution companies, faced a ransomware attack that disrupted supply chain operations. When a major technology distributor goes down, the downstream effects reach a large number of businesses that depend on its logistics and services. It’s a reminder that your supply chain exposure is part of your own risk profile.
Other notable incidents in this period included attacks attributed to groups such as Qilin, Medusa, and DragonForce, as well as continued activity from LockBit affiliates operating despite law enforcement action against the group’s infrastructure. The Ransomware-as-a-Service model means that even disrupted groups rebuild or splinter into new operations relatively quickly. Infrastructure takedowns slow them. They don’t stop them permanently.
Ransomware-as-a-Service: Why RaaS Makes This Problem Harder to Solve
Ransomware-as-a-Service (RaaS) platforms have industrialized ransomware attacks by separating the development of malware from its deployment, allowing criminals with limited technical skills to carry out attacks using ready-built tools for a share of the ransom revenue.
This is the part of ransomware statistics that the numbers alone don’t capture. When you read that ransomware appeared in 48% of confirmed breaches, a significant share of those attacks were not carried out by sophisticated nation-state hackers. They were executed by affiliates who signed up to a RaaS platform, received a toolkit, selected their targets, and launched the attack. The barrier to entry is genuinely low.
RaaS platforms operate with customer support, documentation, and affiliate management dashboards. Some have published “press releases” after high-profile attacks. They’re structured like businesses because they operate like businesses, with revenue splits typically running 70/30 or 80/20 in favor of the affiliate. The RaaS operator takes their cut, provides infrastructure and technical support, and the affiliate handles targeting and execution.
What this means for defenders is that the threat actor pool is much larger than it would be if ransomware required genuine technical expertise. You’re not just defending against specialists. You’re defending against a large number of motivated opportunists using professional-grade tools.
Double extortion tactics, where attackers both encrypt data and threaten to publish it unless paid, have become standard in the RaaS model. Paying to recover your data no longer makes the problem go away if your data is already exfiltrated. That’s why data encryption rates and payment rates are declining together: neither option solves the fundamental problem once exfiltration has occurred.
Your incident response plan needs to account for RaaS affiliates specifically. They move fast, they follow playbooks, and they have support infrastructure. Your response needs to match that pace.
AI and Ransomware: What’s Actually Changing in the Threat
AI-assisted ransomware attacks are increasing the scale and effectiveness of phishing campaigns, social engineering, and malware customization, lowering the effort required to execute a convincing, targeted attack.
The most immediate impact of AI on ransomware is in initial access. Phishing emails generated or refined by AI are harder to detect. Grammar errors, the traditional tell of a phishing attempt, are largely gone. Personalization that previously required hours of research on a target can be automated. AI tools can draft convincing executive impersonation emails, generate fake invoice documents, or build spoofed login pages at scale.
AI-assisted lateral movement is the next concern. Once inside a network, attackers historically needed time and skill to move from an initial foothold toward high-value assets. AI tools that assist with network reconnaissance, privilege escalation, and target identification can compress that timeline significantly. The window between initial access and data encryption is shrinking.
On the defensive side, AI is also improving detection. Behavioral anomaly detection, automated threat hunting, and AI-powered endpoint security tools are all improving the speed of identification and containment. The technology cuts both ways.
The practical implication for SMBs is that the old assumption, that only enterprises attract targeted attacks, no longer holds. AI-assisted tools make targeting smaller organizations economically viable in ways that manual research-based attacks never were. The sophistication floor for attackers has dropped. Your defenses need to reflect that.
Cryptocurrency Payments and Ransomware: What the Blockchain Data Tells Us
Total on-chain ransomware payments fell approximately 8% to around $820 million in 2025, according to Chainalysis blockchain analysis, but the median payment per incident surged 368% year-over-year, reflecting a shift toward fewer, higher-value targets.
Bitcoin remains the dominant payment mechanism, though some threat actors have moved toward Monero and other privacy-focused cryptocurrencies to complicate tracing. Chainalysis and FinCEN have both improved their ability to track ransomware payment flows, contributing to some successful law enforcement actions where seized cryptocurrency has been recovered after payments.
The practical effect of improved blockchain tracking on victim decision-making is limited. When your systems are down and your data is at risk, the fact that the FBI might eventually trace the payment provides little comfort. What it does mean is that paying a ransom increasingly carries its own legal and regulatory risk, particularly for organizations in regulated industries where payments to sanctioned entities may create liability.
Get advice from a cybersecurity attorney before paying any ransom. That’s not overcaution. That’s managing a second risk that most organizations don’t think about until it’s too late.
SMB and Small Business Ransomware Vulnerability: The Numbers Are Alarming
Small and medium businesses faced ransomware in 88% of their breach cases in 2025, a figure that reflects both higher targeting rates and lower defensive capability compared to enterprise organizations.
Most SMBs I talk to assume they’re too small to bother with. That’s the misconception that leaves them exposed. Attackers aren’t evaluating prestige. They’re evaluating ease of access and willingness to pay. An SMB with 50 employees, decent revenue, minimal IT staff, and no tested incident response plan is an ideal target. The attack is fast. The recovery options are limited. The pressure to pay is high.
The preparedness gap is real. SMBs rarely have a dedicated security team. They often rely on a single IT generalist or a managed service provider without specific security expertise. Cyber insurance coverage varies widely, and many policies include exclusions that owners don’t discover until after an incident. Some SMBs have no functioning backup at all, or backups that have never been tested and fail at the moment they’re most needed.
Three things every SMB should do before anything else: implement multi-factor authentication on all remote access and email, establish an automated offsite backup with a documented restore test, and identify a cybersecurity incident response contact before you need one. Not after. Before.

If you want a structured starting point for evaluating your business’s exposure, a cyber risk assessment is the most practical first step toward understanding where your gaps actually sit.
Data Recovery After a Ransomware Attack: What Victims Actually Experience
Data encryption in enterprise organizations reached its lowest reported rate in five years in 2025, with fewer than 49% of attacks resulting in successful encryption, according to Sophos research on enterprise ransomware. But recovery outcomes remain deeply mixed even when encryption is avoided.
Preventing encryption doesn’t mean preventing damage. Exfiltration often occurs before encryption begins. Attackers spend time in networks collecting data, understanding the environment, and identifying the highest-value assets to threaten. By the time ransomware deploys, the data may already be gone.
Among organizations that do pay, recovery is not guaranteed. Decryption tools provided by attackers are sometimes incomplete, corrupted, or deliberately limited. Some organizations report paying and still spending weeks rebuilding systems from scratch because the decryption process was too slow or unreliable to be operationally useful. Paying is not a shortcut to recovery.
The organizations that recover fastest have one thing in common. They have tested, clean, offsite backups that they can restore without negotiating with the attacker. Not backups that exist on paper. Backups that have been restored in a test environment at least quarterly, with documented recovery time objectives. That’s the difference between a ransomware attack being a crisis and a ransomware attack ending the business.
Backups matter more than any other single technical control. That’s not a hot take. It’s two decades of watching what actually works.

Ransomware Prevention: The Actions That Actually Reduce Your Risk
Ransomware prevention in 2026 requires a layered approach that addresses the three dominant attack vectors: unpatched vulnerabilities, phishing, and compromised credentials, which together account for the overwhelming majority of successful ransomware attacks.
The most important shift in the 2026 ransomware statistics is the rise of vulnerability exploitation to the top of the attack vector list. Your patch management process is no longer a routine IT task. It’s a frontline security control. Known vulnerabilities in internet-facing systems, VPN appliances, and remote access tools are being exploited at scale. If a patch is available and you haven’t applied it, you have an open door.
Here is where to start:
- Patch within 48 hours for any critical vulnerability in internet-facing systems. No exceptions.
- Enforce MFA on all remote access, email, and administrative accounts. Credential theft loses most of its value when a second factor is required.
- Run quarterly phishing simulations with real consequences for failure, including mandatory follow-up training. One click is enough for an attacker.
- Test your backups every quarter by actually restoring from them in an isolated environment. An untested backup is not a backup.
- Have an incident response plan that names specific contacts, decision-makers, and external resources before you need them.
If you’re an SMB wondering whether your current controls are enough, the honest answer is that most aren’t. The threat has outpaced the standard “install antivirus and hope” posture by years. Understanding your specific cyber security risks as a small business is a more useful starting point than buying another tool.
The ransomware statistics for 2026 are clear: the attack is more common, the costs are higher, and the methods are more accessible to more criminals than at any previous point. But organizations that take targeted action on the three primary attack vectors, combined with tested backups and a real incident response plan, are meaningfully better positioned than those that don’t. That’s not reassurance. That’s a practical gap you can close.
Start with the controls above. If you need help identifying which gaps are most urgent in your specific environment, that’s exactly what a managed security service is designed to address. Get the assessment done. Know your exposure. Then act on it.



