The Q1 2026 ransomware payment data is now in from several incident response firms, blockchain analytics providers, and the cyber insurance industry. The headline pattern is one of mixed signals that don’t reduce easily to a single trend story.

Aggregate dollars paid in ransom continued the decline that started in late 2023. The number of victims reported as having paid has declined meaningfully from peak years. The ratio of victims who refuse payment has continued to improve.

Counterbalancing this, the average payment when paid has stayed high or grown in some segments, suggesting that the threat actors who are still successful are increasingly focused on larger, better-resourced victims who can absorb significant ransom amounts. The volume has dropped, the per-incident severity has not.

The defender side of the picture is genuinely better. Backup and recovery capabilities have improved. The percentage of victims who can recover without paying has gone up. The frameworks for understanding payment as a business decision (rather than a panic decision) have become more widely understood.

The cyber insurance market has continued its slow rebalancing. Underwriting requirements have tightened. Coverage exclusions for ransom payments have crept into more policies. Insurance has stopped being a primary driver of ransom payment in the way it briefly was around 2020-2021.

The threat actor ecosystem has continued its fragmentation following the disruption operations against several of the larger groups in 2024 and 2025. The current landscape is more decentralised, which has made attribution harder but has also reduced the strategic threat from any single group.

International cooperation on ransomware response has continued to improve incrementally. The US-led Counter Ransomware Initiative has produced more concrete coordination than its first version. Australian engagement through this body has been substantive, though the practical impact at incident-by-incident level is modest.

The Q1 sectoral picture shows continued targeting of healthcare, education, and local government, which tracks with multi-year trends. The shift away from the most public-facing manufacturers and retailers toward healthcare and government targets reflects threat actor calculations about likelihood of payment and operational pressure.

For organisations updating their ransomware planning in 2026, the practical priorities haven’t changed dramatically. Tested recovery capability. Decision frameworks for payment that don’t get made up at 2am during an incident. Incident response retainers with capable firms. Communication plans that include the regulatory reporting requirements. The boring discipline still beats any single technology investment.