Premium

Ransomware Attacks Hit a Record High, but the Crooks Have a Problem

AP Photo/Mark Schiefelbein, File

Every 63 minutes during the first half of 2026, another organization somewhere in the world landed on a ransomware tracker. Hospitals, manufacturers, retailers, schools, and government offices kept discovering stolen files, locked systems, or demands for cryptocurrency.

Researchers logged 4,217 attacks in six months, an average of 23 a day, and the highest rate in the tracker's history. From ZeroFox:

  • ZeroFox observed at least 1,885 separate ransomware and digital extortion (R&DE) incidents in Q2 2026, a decrease of approximately 8.5 percent from Q1 2026. However, Q2 2026 marked an overall increase of R&DE incidents year-over-year from Q2 2025 and Q2 2024.
  • The global R&DE threat environment is almost certainly undergoing a geographic shift. Although historically the largest volume of incidents has occurred in North America, the region’s proportional share is declining. Europe experienced significant year-over-year increases in R&DE incidents the first half of 2026, while the Asia-Pacific region has experienced uninterrupted quarter-over-quarter share growth since Q1 2024—and both are gradually absorbing larger shares.
  • Qilin concluded Q2 2026 as the most active ransomware collective globally (at least 295 separate incidents), signaling both its dominance in the first half of 2026 and an unbroken 12-month period as the leading ransomware threat actor that began in Q2 2025.

The increase didn't arrive after a quiet year. Full-year 2025 tracking found more than 7,400 attacks, up roughly 32% from 2024. Criminal groups posted thousands of victims on dark web leak sites, with American organizations leading the list.

Root cause of attacks: Exploited vulnerabilities and critical operational gaps drive ransomware incidents

Enterprises identified exploited vulnerabilities as the most common technical root cause of attacks, used in 29% of incidents. Phishing and compromised credentials followed behind, each cited in 21% of incidents.

Multiple operational factors contribute to enterprises falling victim to ransomware, with no single issue standing out as the dominant cause. An unknown security gap was cited by 40% of victims, closely followed by a lack of people/capacity and a lack of expertise, both contributing to 39% of attacks.

Interestingly, SMBs (sub 250 employee organizations) also identified a lack of people/capacity as a common factor, with 42% citing it as a key reason for falling victim to an attack, highlighting that resource constraints remain a widespread challenge regardless of organization size.

Manufacturing absorbed 822 attacks during the first half of 2026, while healthcare providers and related businesses suffered 410.

Ransomware has become easier to launch because criminals no longer need to build every tool themselves. Ransomware-as-a-Service groups create the malware, manage payment sites, and recruit affiliates to break into networks.

Initial access brokers steal passwords or exploit vulnerable systems, then sell entry to another criminal. One crew finds the unlocked door, while another walks through it carrying the ransomware.

Federal investigators found the Medusa group recruiting access brokers through criminal marketplaces and offering affiliates payments ranging from $100 to $1 million.

Phishing, stolen credentials, and unpatched software remain common entry points. The structure lets experienced operators expand while giving less-skilled criminals powerful tools.

The bad guys have run into a costly problem: more victims are refusing to pay.

Ransomware appeared in 48% of analyzed data breaches in the latest annual dataset, up from 44% a year earlier. Still, 69% of victims declined to hand over money. Among those who paid, the median payment fell from $150,000 to $139,875. From comparitech.com:

Of these 4,217 attacks, 484 were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites but have not been publicly acknowledged by the targets.

Attacks on governments and businesses rose by 12 percent, while the healthcare sector saw a four percent increase. Attacks on education dropped by 13 percent.

Within the business sector, the manufacturing industry remains the most targeted, accounting for just over 22 percent of attacks across all businesses (822 in total). Here, attacks increased by 10 percent when compared to H2 of 2025 (750).

This increase wasn’t the largest, though. Transportation companies saw the biggest uptick in attacks (up 52%). Healthcare businesses–those operating within the sector but not providing direct care, e.g. pharmaceutical companies and billing providers–also saw a large increase in attacks (up 35%), as did retailers (up 28%) and tech companies (up 23%).

Also of note in H1 2026 was a decline in the number of attacks carried out in the US. Here, attacks dropped by eight percent when compared to H2 2025. This is likely due to the large number of claims made by The Gentlemen. Unlike many of its counterparts, The Gentlemen’s attacks aren’t heavily concentrated in the US. Just over 17 percent of its attacks were carried out on US organizations, compared to 47 percent of Qilin’s attacks.

Cryptocurrency tracking found ransomware groups received about $820 million during 2025, an 8% decline even as claimed attacks rose 50%. Only about 28% of victims paid, the lowest share recorded.

Criminals are attacking more organizations because each individual target has become less likely to produce money.

Defenses are also stopping more attacks before files can be encrypted. Among large organizations surveyed in 2025, encryption occurred in 49% of attacks, down from 66% a year earlier. The share stopped before encryption rose from 22% in 2023 to 47% in 2025.

Lower payment rates don't make ransomware harmless. Stolen records can still be leaked or sold. Operations may stop for days or weeks. Patients can lose access to care, factories can miss orders, and small businesses can face recovery costs far beyond the ransom demand.

The basic defenses remain unglamorous: patch software, require multifactor authentication, limit account privileges, train employees, and maintain tested backups that criminals can't reach from the main network.

Federal cybersecurity officials warn that attackers often search for connected backups and delete or encrypt them before making a demand.

Ransomware gangs are breaking attack records because their industry has learned to operate at scale. Their shrinking payment rate proves resistance works.

Better preparation won't stop every intrusion, but it can turn a criminal's payday into a failed investment.

Recommended

Trending on PJ Media Videos

Advertisement
Advertisement