Ransomware is growing, but fewer companies are paying

The 2026 Data Breach Investigations Report found that ransomware appeared in 48% of all breaches, up from 44% the previous year. At the same time, however, the percentage of organizations paying ransoms continues to decline. According to the report, 69% of ransomware victims refused to pay, while the median ransom payment dropped from $150,000 to $139,875.

Even as ransomware attacks are increasing, organizations are becoming more resilient, creating a complex, but hopeful, path forward.

Ransomware is still one of the most effective attack methods

Despite increased pressure from law enforcement on major ransomware operations, cybercriminal groups continue to generate substantial profits through extortion campaigns. At the same time, modern ransomware attacks are becoming more sophisticated, faster, and more scalable. The DBIR notes that threat actors are increasingly leveraging generative AI to “help at different stages of attack, including targeting, initial access, and development of malware and other tools.” Attackers are also exploiting organizations through multiple entry points, including:

  • Vulnerability exploitation
  • Credential abuse
  • Phishing
  • Pretexting
  • Third-party access
  • Cloud misconfigurations

The report revealed that exploiting vulnerabilities has become the most common method of initial access, overtaking credential abuse for the first time. This indicates that ransomware groups are shifting away from relying solely on phishing emails to gain entry; instead, they are increasingly focusing on unpatched systems, exposed cloud services, and vulnerable third-party vendors as targets.

Why fewer organizations are paying

Despite the growth in ransomware activity, the decline in ransom payments shows that many organizations are becoming more resilient. Several factors are likely contributing to this trend:

Better backup and recovery strategies

Organizations are increasing their investments in offline backups, immutable storage solutions, disaster recovery planning, business continuity testing, and incident response preparedness. This growing focus on resilience is changing how companies respond to ransomware incidents.

As the DBIR notes, ransomware attacks remain widespread, but “organizations may be improving resilience” as fewer victims choose to pay extortion demands.

When backups are properly segmented, isolated, and regularly tested, organizations are less likely to be pressured to pay attackers to recover encrypted data. Rather than relying on cybercriminals for decryption keys, businesses can restore their systems internally and quickly resume operations. While this doesn't completely eliminate the disruption caused by ransomware attacks, it significantly reduces downtime, financial losses, and recovery expenses.

Related: How to develop a backup and recovery plan

Cyber insurance requirements are driving better security practices

Over the past several years, cyber insurers have become significantly more strict. As a result, organizations looking to obtain cyber insurance coverage are typically required to implement:

These requirements are indirectly improving organizational resilience against ransomware attacks.

The report repeatedly notes that a significant number of breaches are still caused by failures in basic security measures rather than advanced attack methods. It emphasizes consistently applying "security fundamentals that have been understood and proven effective for decades" across all environments.

Even when attacks succeed, businesses with stronger controls are often better positioned to contain damage, isolate infected systems, and recover more quickly.

Organizations are more cautious about trusting attackers

Paying a ransom does not guarantee recovery, and many organizations now recognize that following payment, attackers may still:

  • Refuse to provide working decryption keys
  • Leak stolen data anyway
  • Demand additional payments
  • Target the victim again later

As a result, some organizations are choosing recovery and containment over negotiation.

Third-party risk is expanding the ransomware attack surface

Businesses rely on vendors, cloud providers, SaaS platforms, contractors, authentication providers, customer support tools, and managed service providers to maintain daily operations. However, every external connection also introduces additional exposure. According to the report, third-party involvement in breaches increased by 60% and now accounts for 48% of all breaches. The DBIR notes that “many of the year’s most high-profile and well-publicized breaches involved multiple third parties,” demonstrating how interconnected modern organizations have become.

The report states that “it is third parties all the way down,” indicating that rather than targeting a single organization directly, ransomware groups may compromise a software vendor, cloud platform, or IT provider first, then leverage that access to reach downstream customers. A single compromised vendor can potentially expose hundreds or even thousands of organizations at once, making these attacks especially dangerous.

Read also: Third-party risk management (TPRM) as the next HIPAA compliance frontier

How Paubox can help prevent ransomware attacks

Ransomware attacks usually begin with a malicious email. Attackers use phishing messages, spoofed domains, fake login pages, and infected attachments to steal credentials or gain initial access to an organization’s systems.

Paubox Inbound Email Security can help reduce this risk by strengthening inbound email security before threats reach employees’ inboxes. The platform helps detect and block phishing emails, malware and malicious attachments, business email compromise (BEC), domain spoofing, suspicious links, and social engineering attempts. By stopping malicious emails before users interact with them, Paubox can help organizations reduce exposure to ransomware, protect sensitive data, and strengthen a layered cybersecurity strategy.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is ransomware?

Ransomware is a type of malware that encrypts an organization’s files or systems and demands payment in exchange for restoring access. Many ransomware groups also steal sensitive data before encryption and threaten to leak it publicly.

What is third-party ransomware risk?

Third-party ransomware risk occurs when attackers compromise a vendor, cloud provider, SaaS platform, or managed service provider to gain access to customer environments.
