Ransomware Bullish 7

Ransomware Payment Rates Hit Record Low of 28% Amid Surge in Attacks

· 3 min read · Verified by 2 sources ·
Share

Key Takeaways

  • The percentage of ransomware victims opting to pay ransoms has plummeted to an all-time low of 28%, even as the total volume of attacks continues to climb.
  • This trend signals a major shift in corporate resilience and a growing refusal to fund the cybercriminal ecosystem.

Mentioned

BleepingComputer company FBI organization OFAC organization

Key Intelligence

Key Facts

  1. 1Ransomware payment rates dropped to a record low of 28% in the last year.
  2. 2The volume of claimed ransomware attacks has seen a significant year-over-year increase.
  3. 3Payment rates have plummeted from over 80% in 2019 to current levels.
  4. 4Improved backup strategies and incident response are cited as primary reasons for non-payment.
  5. 5Threat actors are increasingly shifting toward data exfiltration and pure extortion tactics.
Defender Resilience Outlook

Analysis

The ransomware landscape is currently defined by a striking paradox: while the frequency and scale of attacks are reaching new heights, the financial success rate for threat actors is hitting historic lows. According to recent industry data, only 28% of ransomware victims now choose to pay their attackers, a sharp decline from the 80% plus rates observed just a few years ago. This shift marks a critical turning point in the global fight against digital extortion, suggesting that the 'business model' of ransomware is facing its most significant challenge to date.

Several factors contribute to this decline in payment rates. Foremost is the maturation of organizational resilience. Companies have moved beyond basic perimeter defense to focus on robust, immutable backup solutions and comprehensive incident response plans. When an organization can reliably restore its systems from backups, the incentive to pay for a decryption key—which often fails to work correctly anyway—evaporates. Furthermore, the increasing involvement of law enforcement agencies like the FBI and international task forces has created a climate where paying a ransom is not only discouraged but potentially legally hazardous due to OFAC sanctions and evolving regulatory frameworks.

According to recent industry data, only 28% of ransomware victims now choose to pay their attackers, a sharp decline from the 80% plus rates observed just a few years ago.

However, the drop in payment rates has not led to a decrease in aggression. Instead, threat actors are pivoting their tactics to maintain profitability. We are seeing a massive surge in 'extortion-only' attacks, where the primary goal is not to encrypt systems but to steal sensitive data and threaten its public release. This shift from availability-based attacks to confidentiality-based attacks allows criminals to bypass the technical hurdles of encryption and target the reputational and legal vulnerabilities of their victims. The surge in claimed attacks suggests that ransomware groups are attempting to compensate for lower conversion rates by increasing their target volume, essentially moving toward a high-volume, lower-margin operational model.

What to Watch

For cybersecurity leaders, this trend underscores the necessity of a data-centric security posture. While backups remain essential for business continuity, they do little to mitigate the risk of data exfiltration. Organizations must now prioritize data loss prevention (DLP), encryption of data at rest and in transit, and strict access controls to prevent the mass harvesting of sensitive information. The market impact is also being felt in the cyber insurance sector, where premiums are stabilizing as insurers demand higher security standards from policyholders, effectively forcing a baseline level of protection across the industry.

Looking ahead, the industry should expect ransomware groups to become even more targeted and sophisticated in their extortion methods. As the 'easy' targets become more resilient, attackers will likely focus on critical infrastructure and supply chain vulnerabilities where the pressure to pay remains highest. The record-low payment rate is a victory for the security community, but it signals the beginning of a more complex and volatile phase of the extortion threat landscape.

Timeline

Timeline

  1. Peak Payment Rates

  2. Colonial Pipeline Aftermath

  3. Resilience Milestone

  4. Record Low Reached

Sources

Sources

Based on 2 source articles

Cite This Page

"Ransomware Payment Rates Hit Record Low of 28% Amid Surge in Attacks." Cyber Intelligence Brief, February 26, 2026. https://getcyberbrief.com/story/ransomware-payment-rate-record-low-2026

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.