Ransomware keeps growing, but fewer companies are paying, report says

The 2026 Data Breach Investigations Report found that ransomware appeared in 48% of all breaches, up from 44% the previous year. At the same time, the percentage of organizations paying ransoms continues to decline. According to the report, 69% of ransomware victims refused to pay, while the median ransom payment dropped from $150,000 to $139,875.

The question then becomes: If ransomware attacks are increasing, why are fewer organizations paying?

Ransomware is still one of the most effective attack methods

Cybercriminal groups continue to generate enormous profits from extortion campaigns, even as law enforcement agencies increase pressure on major ransomware operations. Modern ransomware attacks are also becoming more sophisticated, faster, and more scalable.

The DBIR notes that threat actors are increasingly leveraging generative AI to “help at different stages of attack, including targeting, initial access, and development of malware and other tools.” At the same time, attackers are exploiting organizations through multiple entry points, including:

  • Vulnerability exploitation
  • Credential abuse
  • Phishing
  • Pretexting
  • Third-party access
  • Cloud misconfigurations

The report also found that exploitation of vulnerabilities is now the most common initial access vector, surpassing credential abuse for the first time. This suggests that ransomware groups are no longer relying solely on phishing emails to gain access; instead, they are increasingly targeting unpatched systems, exposed cloud services, and vulnerable third-party vendors.

Why fewer organizations are paying

Despite the growth in ransomware activity, the decline in ransom payments suggests that many organizations are becoming more resilient. Several factors are likely contributing to this trend:

Better backup and recovery strategies

Organizations are investing more heavily in offline backups, immutable storage, disaster recovery planning, business continuity testing, and incident response preparedness. This growing focus on resilience is changing how companies respond to ransomware incidents.

As the DBIR notes, ransomware attacks remain widespread, but “organizations may be improving resilience” as fewer victims choose to pay extortion demands.

When backups are properly segmented, isolated, and regularly tested, organizations are less likely to be pressured to pay attackers to recover encrypted data. Instead of relying on cybercriminals for decryption keys, businesses can restore systems internally and resume operations more quickly. This does not eliminate the disruption caused by ransomware, but it can significantly reduce downtime, financial losses, and recovery costs.

Related: How to develop a backup and recovery plan

Cyber insurance requirements are driving better security practices

Cyber insurers have become far more demanding over the last several years. Organizations seeking coverage are often required to implement the following:

These requirements are indirectly improving organizational resilience against ransomware attacks.

The DBIR repeatedly notes that many breaches still stem from failures in basic security controls rather than highly sophisticated attack techniques. The report states that “security fundamentals that have been understood and [have] had measurable success for decades now” should still be consistently applied across environments.

Even when attacks succeed, businesses with stronger controls are often better positioned to contain damage, isolate infected systems, and recover more quickly.

Organizations are becoming more skeptical of attackers

Paying a ransom does not guarantee recovery, and many organizations now recognize that attackers may:

  • Fail to provide working decryption keys
  • Leak stolen data anyway
  • Demand additional payments
  • Target the victim again later

As a result, some organizations are choosing recovery and containment over negotiation. In many cases, organizations are realizing that simply paying attackers does not fully resolve the broader security and reputational consequences of a breach.

Third-party risk is expanding the ransomware attack surface

Businesses rely on vendors, cloud providers, SaaS platforms, contractors, authentication providers, customer support tools, and managed service providers to maintain daily operations. However, every external connection also introduces additional exposure. According to the report, third-party involvement in breaches increased by 60% and now appears in 48% of all breaches. The DBIR notes that “many of the year’s most high-profile and well-publicized breaches involved multiple third parties,” demonstrating how interconnected modern organizations have become.

Rather than targeting a single organization directly, ransomware groups may compromise a software vendor, cloud platform, or IT provider first, then leverage that access to reach downstream customers. As the report explains, “it is third parties all the way down,” reflecting the layered complexity of modern digital ecosystems. A single compromised vendor can potentially expose hundreds or even thousands of organizations at once, making these attacks especially dangerous.

Read also: Third-party risk management (TPRM) as the next HIPAA compliance frontier

How Paubox can help prevent ransomware attacks

Many ransomware attacks still begin with a malicious email. Attackers use phishing messages, spoofed domains, fake login pages, and infected attachments to steal credentials or gain initial access to an organization’s systems. Paubox Inbound Email Security helps reduce this risk by strengthening inbound email security before threats reach employees’ inboxes.

The platform helps detect and block phishing emails, malware and malicious attachments, business email compromise (BEC), domain spoofing, suspicious links, and social engineering attempts.

This is especially important as ransomware groups increasingly rely on credential theft and human error to infiltrate organizations. The 2026 DBIR found that the human element was involved in 62% of breaches. By stopping malicious emails before users interact with them, Paubox can help organizations reduce exposure to ransomware, protect sensitive data, and strengthen a layered cybersecurity strategy.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is ransomware?

Ransomware is a type of malware that encrypts an organization’s files or systems and demands payment in exchange for restoring access. Many ransomware groups also steal sensitive data before encryption and threaten to leak it publicly.

What is third-party ransomware risk?

Third-party ransomware risk occurs when attackers compromise a vendor, cloud provider, SaaS platform, or managed service provider to gain access to customer environments.