Global ransomware statistics 2026: The data behind the rising threat

Ransomware attacks continue to escalate across the global cyber threat environment. From ransomware as a service operations and double extortion tactics to large scale data theft campaigns targeting critical infrastructure organisations, ransomware threats are now affecting organisations of every size.

If you’re reading this because you think you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

The latest ransomware statistics show that ransomware incidents are increasing globally even after major law enforcement actions against some of the world’s largest ransomware gangs.

At the same time, ransomware attackers are evolving faster than many organisations can defend against them.

Threat actors are now:

• Stealing sensitive data before encryption
• Exploiting compromised credentials and exploited vulnerabilities
• Using phishing emails and malicious attachments to gain initial access
• Targeting cloud infrastructure and cloud storage environments
• Demanding multi million dollar ransom payments
• Operating through ransomware as a service affiliate models

According to ransomware.live, publicly listed ransomware victims increased from 5,384 in 2023 to 7,919 in 2025.

That represents a 47% increase in global ransomware activity in just two years.

This article breaks down the latest ransomware statistics globally using data from:

• Unit 42
• Chainalysis
• Verizon DBIR
• Mandiant
• Microsoft
• Sophos
• FBI IC3
• NCSC
• CTIIC
• Europol
• TRM Labs

The goal is simple.

To provide a clear statistical picture of how ransomware attacks are evolving in 2026.

Key ransomware statistics for 2026

Statistic	Value
Publicly listed ransomware victims in 2025	7,919
Increase in ransomware victims between 2023 and 2025	47%
Active ransomware groups in 2025	129
New ransomware groups appearing in 2025	68
Percentage of breaches involving ransomware attacks	44%
SMB breaches involving ransomware	88%
Median ransomware payment	$1 million
Median ransom demand for organisations over $1B revenue	$5 million
Organisations experiencing data theft during ransomware incidents	77%
Average ransomware dwell time	4 days
Fastest observed breakout time in eCrime attacks	27 seconds
Estimated ransomware payments in 2024	$892 million
Victim payment rate in 2025	28%
Increase in nationally significant UK cyber incidents	129%
Most targeted industry globally	Commercial services

Global ransomware incidents continue to rise

One of the clearest trends across every major ransomware dataset is the continued increase in ransomware attacks globally.

According to ransomware.live:

• 2023 saw 5,384 publicly listed ransomware victims
• 2024 saw 6,034 victims
• 2025 saw 7,919 victims

That represents:

• 12.1% growth from 2023 to 2024
• 31.2% growth from 2024 to 2025

Government intelligence reporting supports the same trend.

The U.S. Office of the Director of National Intelligence recorded:

• 4,591 worldwide ransomware incidents in 2023
• 5,289 worldwide ransomware incidents in 2024

That is a 15% year on year increase.

While methodologies differ across datasets, the overall trend is clear.

Ransomware continues to grow globally.

How many active ransomware groups exist?

The ransomware ecosystem is becoming increasingly fragmented.

Rather than a small number of ransomware gangs dominating the market, dozens of active ransomware groups are continuously emerging.

ransomware.live tracked:

Year	Active ransomware groups
2023	77
2024	110
2025	129

In addition:

• 51 new ransomware strains emerged in 2024
• 68 new ransomware strains emerged in 2025

TRM Labs estimates there were:

• 161 active ransomware variants by the end of 2025
• 93 new variants appearing during 2025 alone

This makes ransomware threats significantly harder to disrupt.

Even after major law enforcement actions against LockBit and ALPHV, many ransomware attacks simply shifted toward newer ransomware actors.

How ransomware as a service changed cyber crime

Ransomware as a service has fundamentally changed the cyber security landscape.

Instead of building their own malicious software, ransomware attackers can now lease ransomware platforms from established operators.

This allows:

• Initial access brokers to sell network access
• Affiliates to launch ransomware campaigns
• Threat actors to specialise in credential theft and phishing attempts
• Criminal groups to scale attacks globally

This affiliate based ransomware ecosystem is one reason why ransomware activity continues to rise despite disruption operations by law enforcement agencies.

Recorded Future found that RansomHub attracted affiliates partly through offering a 90% commission structure.

This makes ransomware as a service one of the most profitable cyber threats globally.

Which industries experience the most ransomware attacks?

Ransomware groups continue targeting industries where operational downtime creates immediate pressure.

According to CTIIC global attack data, the most targeted sectors in 2024 were:

Industry	Recorded attacks
Commercial services	2,167
Manufacturing	735
Technology and communications	506
Healthcare and emergency services	432
Government and defence	412

Manufacturing remains one of the most attractive targets because:

• Operational disruption impacts revenue immediately
• Legacy systems often contain exploited vulnerabilities
• Downtime creates pressure to pay ransom demands

Healthcare organisations also remain heavily targeted because attacks can affect:

• Critical data
• Sensitive data
• Patient care
• Business operations
• Public trust

Critical infrastructure sectors continue to face elevated ransomware threats globally.

Which countries experience the most ransomware activity?

The United States remains the most heavily targeted country globally.

According to Unit 42:

• 47.6% of ransomware victims in 2023 were U.S. based
• The UK accounted for 6.5% of victims

In Q1 2025 alone:

Country	Victims
United States	822
Canada	88
United Kingdom	58

Microsoft’s Digital Defense Report also identifies both the U.S. and UK as major centres of ransomware intrusions and cyber incidents.

This reinforces an important point.

Ransomware is now a global operational resilience problem.

Small businesses are increasingly targeted

Ransomware attacks are no longer focused only on large enterprises.

According to Verizon’s 2025 DBIR:

• Ransomware was present in 44% of all data breaches
• 88% of SMB breaches involved ransomware
• Only 39% of larger organisation breaches involved ransomware

Many ransomware actors increasingly target smaller organisations because:

• Cyber security maturity is often lower
• Data security controls are weaker
• Incident response capabilities are limited
• Cyber insurance requirements are inconsistent
• Recovery expenses can still be profitable for attackers

Many ransomware attacks now focus on volume rather than only high value enterprise targets.

What percentage of cyber attacks involve ransomware?

Verizon’s 2025 DBIR found ransomware attacks were present in 44% of all security breaches analysed.

This makes ransomware one of the most common forms of cyber crime affecting organisations globally.

How much do ransomware victims pay?

Sophos found the median ransomware payment in 2025 was $1 million.

For organisations generating more than $1 billion in revenue, the median ransom demand rose to $5 million.

Metric	Value
Median ransomware payment	$1 million
Median enterprise ransom demand	$5 million
Payments above $1 million	52%
Demands above $1 million	57%

The largest ransomware payout figures often attract headlines, but the wider financial impact extends beyond ransom payments.

Additional recovery expenses commonly include:

• Incident response services
• Legal costs
• Business interruption
• Operational downtime
• Data restoration
• Regulatory reporting
• Cyber insurance increases

Are fewer organisations paying ransoms?

Despite rising ransomware incidents, fewer organisations appear to be paying.

Chainalysis estimates ransomware payments totalled:

Year	Estimated payments
2023	$1.25 billion
2024	$892 million
2025	$820M+

Chainalysis also estimates only 28% of ransomware victims paid in 2025.

Possible reasons include:

• Improved backups
• Better incident response preparation
• Greater awareness of double extortion tactics
• Increased law enforcement pressure
• Stricter cyber insurance controls

However, ransomware payments still represent one of the largest forms of financially motivated cyber crime globally.

Double extortion tactics are now standard

Modern ransomware attacks are no longer focused purely on encryption.

Today, many ransomware campaigns involve stolen data before encryption begins.

This allows ransomware attackers to:

• Leak sensitive data publicly
• Threaten data breaches
• Pressure organisations through reputational damage
• Continue extortion even if decryption keys are not needed

The statistics show how rapidly this tactic evolved.

Year / source	Data theft observed
Mid 2021 (Unit 42)	~40%
Late 2022 (Unit 42)	~70%
2025 (Mandiant)	77%
Microsoft telemetry	82%

This means valuable data is often more important to ransomware gangs than encryption itself.

The most common ransomware attack vectors

Across major threat intelligence datasets, the same attack vectors repeatedly appear.

Phishing emails and malicious attachments

Phishing attempts remain one of the most common methods used to gain initial access.

Attackers frequently use:

• Malicious attachments
• Credential harvesting pages
• Malware infections
• Social engineering

Exploited vulnerabilities

Mandiant found exploits caused 33% of investigations in 2024.

VPNs, firewalls and internet facing services remain common entry points.

Verizon also reported vulnerability exploitation accounted for 20% of breaches.

Compromised credentials

Compromised credentials and credential theft remain central to ransomware intrusions.

Microsoft estimates modern MFA reduces identity compromise risk by more than 99%.

However, Sophos found MFA was unavailable in 63% of breached organisations.

Initial access brokers

Initial access brokers continue selling network access to ransomware actors.

This division of labour allows ransomware campaigns to scale faster and target more organisations simultaneously.

Cloud infrastructure is becoming a larger target

Cloud infrastructure and cloud storage environments are increasingly involved in ransomware incidents.

As organisations migrate critical data into cloud platforms, threat actors are adapting their attack techniques accordingly.

This creates additional risks involving:

• Security breaches
• Sensitive data exposure
• Data theft
• Misconfigured cloud storage
• Malware breaches

Modern data security strategies must now protect both traditional infrastructure and cloud environments.

Ransomware attacks are becoming faster

One of the most concerning ransomware trends is attack speed.

Sophos incident response data found:

Metric	Time
Median dwell time	4 days
Time from compromise to exfiltration	72.98 hours
Time from exfiltration to detection	2.7 hours

Meanwhile, CrowdStrike reported:

• Average breakout time: 29 minutes
• Fastest observed breakout: 27 seconds

This shrinking response window creates major challenges for cyber security teams.

Traditional prevention focused approaches are struggling against rapidly evolving threats.

Why ransomware statistics remain difficult to measure

Ransomware statistics are inherently imperfect.

Different datasets measure different forms of ransomware activity.

Leak site tracking may:

• Miss private settlements
• Include duplicate victims
• Include fabricated listings

Official complaint data also remains heavily underreported.

For example:

• FBI IC3 recorded more than 3,600 ransomware cases in 2025
• Reported financial fraud losses excluded downtime and many recovery expenses

Similarly, the UK NCSC notes many cyber incidents are never formally reported.

This means no single source captures the full scale of global ransomware incidents.

However, when multiple independent datasets align, the wider trends become difficult to ignore.

Final thoughts

The global ransomware landscape is not shrinking.

It is evolving rapidly.

The latest ransomware statistics show:

• Ransomware victims continue to rise
• More ransomware groups are appearing each year
• Data theft is becoming the dominant tactic
• Organisations are paying less frequently
• Threat actors are operating faster than ever
• Critical infrastructure organisations remain high risk targets

At the same time, ransomware attackers continue adapting their techniques through ransomware as a service operations, phishing campaigns and credential based intrusions.

For organisations, ransomware is now far more than a technical issue.

It is a business operations and resilience challenge.

The organisations most likely to recover successfully are those investing in:

• Threat intelligence
• Incident response readiness
• Identity protection
• Data security controls
• Cloud infrastructure visibility
• Backup resilience
• Vulnerability management

Because in 2026, the question is rarely whether ransomware activity exists.

The question is how quickly organisations can detect, contain and recover from it.

Sources

This article uses research and statistics from:

• ransomware.live
• Palo Alto Unit 42
• Verizon DBIR 2025
• Chainalysis
• Sophos
• Microsoft Digital Defense Report
• Google Cloud Mandiant
• FBI IC3
• UK NCSC
• CTIIC
• TRM Labs
• Recorded Future
• Europol