Ransomware trends, statistics and facts in 2026
Supply chain attacks, triple extortion, GenAI and RaaS are some of the ransomware trends that will continue to disrupt businesses in 2026. Is your industry a top target?
Ransomware continues to receive attention at the highest levels of government and business -- and for good reasons. It has affected people's ability to access healthcare, put gas in their vehicles, buy groceries and protect their identities.
The financial effects of ransomware have also become particularly pronounced in recent years. Attacks on supply chains have caused more damage than attacks against individuals. Governments and technology vendors have also responded more aggressively to stem the tide of ransomware attacks.
Ransomware trends that continue in 2026
Realizing that specific techniques yield better results, attackers have focused on those approaches. Here are some of the key ransomware trends that have developed in recent years:
- Supply chain attacks. Instead of attacking a single victim, supply chain attacks extend the blast radius. For example, an exploit in the MOVEit Transfer product from Progress Software led to large-scale ransomware attacks by the Clop ransomware gang in 2023. Other incidents include the 2021 Kaseya attack, which affected at least 1,500 of its MSP customers, and the 2020 SolarWinds hack.
- Triple extortion. In the past, ransomware involved attackers encrypting data on a system and then demanding a ransom in exchange for a decryption key. With double extortion, attackers also exfiltrate the data to a separate location. With triple extortion ransomware, attackers threaten further attacks unless paid. Multiple threat actors have used triple extortion, including the Vice Society ransomware group, which attacked the San Francisco Bay Area Rapid Transit system in 2023. The sophistication of extortion approaches continues to evolve, with attackers employing increasingly targeted negotiation strategies. Rather than public data-leak sites, leading groups such as LockBit 5.0 use private negotiation portals to interact with their victims, with individualized credentials for each affiliate interface.
- Ransomware as a service. Gone are the days when every attacker wrote their own ransomware code and ran a unique set of activities. RaaS is pay-for-use malware that provides attackers the necessary code and operational infrastructure to launch and maintain a ransomware campaign.
- Attacking unpatched systems. Plenty of ransomware attacks make use of novel zero-day vulnerabilities, but most continue to abuse known vulnerabilities on unpatched systems.
- Phishing. While ransomware attacks strike organizations in different ways, the root cause is often a phishing email.
- Generative AI-powered ransomware operations. Attackers use GenAI tools to improve phishing lures, draft convincing emails and support faster reconnaissance.
Ransomware statistics
The following statistics provide insight into the breadth and growing scale of ransomware threats:
- Verizon's "2025 Data Breach Investigations Report" found ransomware was present in 44% of breaches, a 37% increase compared to its 2024 report. In larger organizations, ransomware was a component of 39% of breaches, while for small and midsize businesses, ransomware was involved in 88% of breaches.
- Total Assure reported that the number of ransomware attacks increased by 34% during the first three quarters of 2025 over the same period in 2024.
- Cyble found that U.S. ransomware attacks increased by 50% in the first 10 months of 2025, with 5,010 reported incidents compared to 3,335 in 2024.
- BlackFog reported a 36% year-over-year increase in ransomware attacks in the third quarter of 2025. It also estimated that 85% of ransomware attacks are not reported.
Ransomware statistics by industry
Ransomware can hit any individual or industry, and all verticals are at risk. That said, ransomware attacks affect certain industries more than others. The following are the top ransomware targets by industry:
- Education.
- Construction and property.
- Central and federal government.
- Media, entertainment and leisure.
- Local and state government.
- Retail.
- Energy and utilities infrastructure.
- Distribution and transport.
- Financial services.
- Business, professional and legal services.
- Healthcare.
- Manufacturing and production.
- IT, technology and telecoms.
Costs of ransomware attacks and payment trends
The costs attributed to ransomware incidents vary significantly, depending on the reporting source. While not every victim pays a ransom or incurs a cost, some do.
- Palo Alto Networks' "Global Incident Response Report 2025" found the median ransom payment is $267,500.
- Sophos' "The State of Ransomware 2025" report found the average ransom payment in 2025 was $1 million -- a decrease of 50% from the $2 million average in 2024.
- The average ransomware insurance claim decreased by 7% to $292,000, according to the "2025 Cyber Claims Report" from insurance provider Coalition.
Recent ransomware attacks
In recent years, ransomware attacks have affected many organizations and their customers. The following are some notable incidents.
PowerSchool. One of the most impactful ransomware attacks in 2025 began in late December 2024 when K-12 education software provider PowerSchool was attacked. The incident exposed the data of more than 62 million students and 9.5 million teachers across North America.
Yale New Haven Health. In March 2025, Yale New Haven Health suffered a major ransomware attack, compromising the data of approximately 5.6 million patients. In October, the organization reached a settlement agreement for a class-action lawsuit for $18 million.
NASCAR. In April 2025, stock car racing sports league NASCAR was attacked by the Medusa ransomware gang, resulting in the theft of more than 1 terabyte of sensitive data and a $4 million ransom demand.
DaVita. One of the largest U.S. kidney care providers was impacted by a ransomware attack in April 2025 that exposed the personal and health information of 2.7 million individuals. The Interlock ransomware group claimed responsibility for the attack.
Marks & Spencer. London-based retailer Marks & Spencer was affected by an attack from the Pay2Key ransomware group in May 2025 that disrupted operations. The company disclosed that its pre-tax profit fell 90% in a six-month period.
Ingram Micro. Tech value-added reseller Ingram Micro was attacked by the SafePay ransomware group in July 2025, resulting in service disruptions and revenue losses.
Change Healthcare. One of the most significant ransomware attacks of 2024 was the Change Healthcare breach. Initially, the company reported the incident affected more than 100 million individuals; by mid-2025, the number of breach victims increased to nearly 193 million.
LoanDepot. In 2024, the California-based mortgage lender experienced a ransomware attack that resulted in disruptions to its loan services, affecting 16.6 million customers.
MGM Resorts and Caesars Entertainment. In 2023, two Las Vegas hotel and casino operators were struck by ransomware attacks that significantly affected their operations.
Ransomware predictions
Ransomware didn't start recently, won't end anytime soon and will continue to evolve. The following are predictions on the direction ransomware will take in the years ahead:
- Increased speed and automation. Trend Micro warned that ransomware attacks will become faster and more automated, powered by AI capabilities. Attacks could also be more persistent and harder to stop once initiated.
- Voice-based attacks will rise. Zscaler's ThreatLabz research team predicted that vishing (voice phishing) attacks will increase as a social engineering vector used to enable ransomware.
- Ransomware without encryption. SentinelOne predicted that more ransomware groups will skip encryption entirely and only extort victims by threatening to release stolen data. This approach makes attacks quieter and diminishes the value of backups.
- GenAI makes phishing a major problem. AI-enhanced methods will lead to more advanced phishing campaigns and ransomware exploitation.
How to protect against ransomware attacks
Organizations and individuals can take steps to prevent and protect against ransomware. A multilayered approach that enhances overall IT security is crucial. Consider the following best practices:
- Review and reinforce endpoint security capabilities.
- Use ransomware prevention tools and data loss prevention tools.
- Review patching and configuration management processes.
- Adopt email and collaboration security tools.
- Follow identity security best practices.
- Consider storage options, including immutable storage and backup strategies.
- Create ransomware playbooks and conduct ransomware tabletop exercises.
- Develop a ransomware incident response plan.
- Know ransomware containment and eradication processes.
- Conduct ransomware security awareness training.
- Evaluate cyber insurance.
Editor's note: This article was updated in 2025 to include new research and to improve the reader experience.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.