Ransomware Payment Trends Mid-2026: The Numbers Are Shifting


The ransomware ecosystem is in the middle of a structural shift, and the most interesting data points aren’t the headline breach announcements. They’re in the payment statistics. Coveware’s Q1 2026 report, published in mid-April, showed the proportion of incidents resulting in ransom payment dropped to 27%, the lowest level since they started tracking in 2019. Chainalysis’s tracking shows total ransom payments to known criminal wallets fell roughly 35% year-over-year through Q1. At the same time, average ransom demands continued to rise — Mandiant’s tracking puts the median ransom demand for enterprise victims at $4.7 million in Q1 2026, up from $3.1 million in the same period last year.

Those two trends — fewer payments, higher demands — are not contradictory. They reflect a market in which threat actors are increasingly targeting victims they believe will pay large amounts, while a growing share of organisations are choosing not to pay. Whether that equilibrium holds, and what it means for defensive strategy, is worth thinking through carefully.

Why payment rates are dropping

Three reinforcing factors are driving down payment rates.

Backup and recovery capability has genuinely improved across the enterprise sector. The investments in immutable backup, isolated recovery environments, and tested restoration runbooks made over the past three years are paying off. Organisations that can demonstrate recovery within a defined RTO without paying the ransom are choosing not to. CrowdStrike’s 2026 Global Threat Report cited that median time-to-recovery for organisations with mature backup architectures has compressed to 14 days, down from 24 days in 2023.

Regulatory and insurance pressure has shifted. The expanded sanctions designations from OFAC and equivalent EU and UK frameworks have made payment legally riskier in cases where attribution to sanctioned groups is plausible. Cyber insurance policies have meaningfully tightened on ransom payment coverage, with several major insurers now requiring documented recovery attempts before coverage triggers. The combined effect is that even when payment is operationally tempting, the legal and insurance cost analysis has shifted against it.

Public communications about non-payment have become normalised. Five years ago, an organisation that admitted to a ransomware incident and refused to pay was unusual enough to make headlines. Now it’s common. The reputational logic of payment has weakened — paying doesn’t reliably keep an incident quiet, and not paying doesn’t reliably damage the brand if the recovery is handled competently.

Why demands keep climbing

The threat actor adaptation has been to move up-market. Initial access brokers, the affiliates that deploy ransomware payloads, have shifted targeting toward larger organisations with more revenue at risk. The economics make sense from their perspective — if 27% of victims pay, you want each victim to be as valuable as possible.

The double-extortion and pure-extortion (data exfiltration without encryption) variants have grown as a share of total incidents. These models depend less on the victim’s lack of backup capability and more on the victim’s exposure to data disclosure. The pricing on data-exfiltration extortion is generally higher because the threat to the victim is harder to mitigate through technical recovery.

Krebs on Security tracked a particularly aggressive cluster of activity in March associated with what appears to be a successor crew to the dispersed Lockbit affiliate base, demanding ransoms in the $8–15 million range from mid-market manufacturing victims. The targeting analytics behind those demands appear to be drawing on financial filings, sales pipeline data, and customer contract values pulled during the reconnaissance phase.

The Australian picture

The ASD Cyber Threat Report for FY25 (released January 2026) identified ransomware as the most consistently impactful threat category for Australian organisations, with reported incidents up roughly 22% year-on-year. The undercount in this data is significant — ASD’s reporting depends on victim disclosure and many incidents go unreported.

The Critical Infrastructure SOCI Act amendments and the mandatory reporting obligations have improved data quality on incidents affecting nationally significant assets. Healthcare, education, and professional services remain the most-targeted sectors. Mid-tier law firms have been a particularly active target through 2025–26 — the combination of valuable client data, often-immature security controls, and regulatory disclosure pressure makes them attractive marks. The Guardian Australia covered three significant incidents in this segment between January and April.

Operational implications for defenders

The strategic picture for defenders is clearer than it’s been in years. Backup and recovery capability is the highest-impact investment most organisations can make. The data is consistent across vendor reports: organisations that can credibly recover without paying do not pay, even when threatened with data disclosure. Building the capability — not just having backups, but having tested, documented, isolated recovery infrastructure — is the practical priority.

Identity and access management remains the highest-impact preventive control. The initial access vector breakdown across recent ransomware incidents continues to show compromised credentials, MFA bypass, and exposed remote access services as the dominant patterns. The investment case for stronger IAM, including phishing-resistant MFA and conditional access controls, is straightforward.

Detection capability for the early stages of ransomware deployment — credential dumping, lateral movement, privilege escalation — has improved with EDR and XDR platforms. The dwell time data shows defenders are catching attacks earlier than they used to. Mandiant’s 2026 M-Trends report puts global median dwell time for ransomware-class incidents at 8 days, down from 21 days in 2021.

The data exfiltration detection problem remains harder. Pure-extortion variants depend on attackers staging and exfiltrating data before announcing themselves, and many organisations still have limited visibility on outbound data flows at the volumes that would trigger alerts. DLP investment has been chronically underfunded relative to the risk.

The threat actor side — what’s changing

Law enforcement disruption has been more effective than skeptics predicted three years ago. The takedowns of LockBit infrastructure in 2024, the FBI’s Operation Cronos extensions through 2025, and the various international operations against payment infrastructure have all imposed real costs on the threat actor ecosystem. The fragmentation of affiliate bases following these operations has created shorter-lived, less brand-recognised crews — which has its own implications for victim decision-making, since the negotiate-or-not analysis depends on credible threat actor reputation.

The geopolitical context matters. Russia-affiliated criminal groups remain dominant in the high-end ransomware ecosystem, and the political environment continues to provide them effective sanctuary. Some shifting toward Iran-affiliated and North Korean state-linked groups is evident in the 2025–26 incident attribution data, though the volumes remain smaller.

Cryptocurrency tracking and freezing has improved meaningfully. Chainalysis and TRM Labs have published increasingly detailed analyses of payment flows, and the ability of law enforcement to trace and recover criminal wallets has become a real factor in threat actor risk calculation. The payment infrastructure has shifted toward more complex laundering chains, including increasing use of cross-chain bridges and privacy-focused tokens, but the cat-and-mouse game has clearly tilted toward defenders compared with three years ago.

What I’d watch through Q3 2026

The next Coveware quarterly report will tell us whether the payment rate decline is continuing or has stabilised around the new lower baseline. If it continues falling toward 20% or below, expect further threat actor adaptation — probably in the form of more aggressive data disclosure tactics and pricing shifts.

The intersection of AI capabilities with ransomware operations is worth watching. There’s been some discussion of LLM-assisted negotiation, automated victim profiling, and AI-generated extortion communications. The actual operational impact has been modest so far, but this is a space where capability could shift quickly.

The bottom line: the ransomware economics are restructuring, mostly in defenders’ favour, but in ways that are concentrating risk on fewer, larger victims. The strategic response — invest in recovery capability, harden identity, improve exfiltration detection — is well-understood. Execution is the variable that matters.