Report: Why 69% of ransomware victims didn't pay last year

According to the Verizon 2026 Data Breach Investigations Report, "the percentage of organizations that are not willing to pay the ransomware actors increased last year, from 65% in 2024 to 69% in 2025." That figure reflects a shift in how organizations respond to ransomware. So what's driving the decline in payments, and why does it matter?


The old reasoning behind payments

The reasoning behind paying a ransom was that paying was cheaper and faster than the alternative. Restoring from backups, if they existed, took days or weeks. Downtime cost more than the ransom, cyber insurance often covered the payment and many organizations quietly settled, reasoning that discretion was better than disclosure.

However, backup and recovery technology has improved. Organizations now invest in offsite cloud-based recovery systems specifically designed to survive a ransomware attack. When you can restore systems in hours rather than weeks, the urgency to pay isn't there. A UK study of 41 ransomware incidents found that effective backups, a clear incident response strategy, and full network visibility were the most consistent factors behind a decision not to pay.

At the same time, some organizations that pay a ransom still fail to recover all their data. Some victims pay and still spend weeks rebuilding systems manually. This is reinforced by a 2020 advisory from the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), which warned that paying a ransom "does not guarantee that the victim will regain access to its stolen data."

The Verizon 2026 DBIR states that this resistance to payment extends beyond data exfiltration cases: "the increase in 'Not Paid' outcomes also occurred in cases involving encryption, rather than in data exfiltration events only." This means organizations are holding firm even when their systems are locked and operations are disrupted.


Why some organizations still pay

Understanding why non-payment is rising also requires understanding why payment still happens. The UK study of 41 ransomware incidents found that victims who paid were rarely doing so carelessly. In many cases, businesses with no viable backups, critical systems locked, and operations frozen had few alternatives. In several instances, the data at stake was irreplaceable and the cost of losing it outweighed the ransom demand.

The study also identified fear of regulatory consequences as another reason. When attackers stole data rather than encrypting it, some victims paid not to recover their files but to prevent the breach from becoming public. Criminals were found to explicitly leverage GDPR exposure as a pressure tactic, threatening to report breaches to regulators if victims refused to pay. In these cases, the ransom functioned less as a recovery mechanism and more as a cover-up fee.

Other "soft" factors included poor advice from authorities, a lack of knowledge about negotiation options, and time pressure from attackers, which left some victims making decisions without considering their alternatives. One case in the study saw an organization later regret not exploring payment options after its recovery stretched on for over a year.


The Canvas Breach: A case study in payment dilemmas

After the hacking group ShinyHunters allegedly stole data belonging to an estimated 275 million students and staff across 9,000 institutions, including more than two dozen Australian universities and schools, Instructure announced it had "reached an agreement with the unauthorised actor." Cybersecurity experts interpreted that careful language as a sign that a ransom had been paid, though the company has not confirmed this. The data had reportedly disappeared from ShinyHunters' leak site shortly after negotiations began.

Darren Hopkins, Head of Cyber at forensic accounting firm McGrathNicol, described Instructure's statement in The Guardian as language that "doesn't necessarily admit anything but also does demonstrate that they've got an agreement." Luke Irwin of Aegis Cybersecurity, also quoted in the same article, estimated that a payment of up to the reported US$10 million demand was possible, though likely negotiated down.

ShinyHunters, as Hopkins explained, have a business incentive to honor agreements, because future victims need to believe that paying delivers results. But as he put it in boardrooms across Australia, "how honest is that criminal?" Even with shred logs and digital confirmation of data destruction provided to Instructure, Hopkins noted that victims can never truly verify what has been done with stolen data: criminals "will show you what you need to see so you'll make your payment, and you've got no access to validate any of these things."

The Canvas incident also shows a shift in why organizations pay. As Hopkins observed, businesses are less focused on unlocking encrypted systems and more focused on trying to prevent the public release of sensitive personal data. That shift from "pay to recover" to "pay to suppress" shows that the leverage criminals hold is not a locked system, but a threatened disclosure.


Insurers have changed their policies

Insurers have restructured their policies. Coverage for ransom payments is now conditional, capped, or excluded. Premiums have surged, and underwriters now require organizations to demonstrate robust security controls before extending coverage. Many policies now incentivize non-payment, covering recovery costs, legal fees, and business interruption losses instead.


Law enforcement is more active

Another factor is that high-profile operations have disrupted major ransomware gangs, seized infrastructure, and clawed back ransom payments. The takedown of LockBit, the disruption of ALPHV/BlackCat, and the recovery of millions in Bitcoin following the Colonial Pipeline attack sent a message that ransom payments are not untouchable.

The 2020 OFAC advisory states that companies that facilitate ransomware payments "may risk violating OFAC regulations," and that liability is based on "strict liability," meaning an organization "may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws." Furthermore, OFAC has stated that license applications involving ransomware payments are reviewed with a "presumption of denial." This exposure grows as the U.S. Treasury's OFAC and equivalent bodies in other jurisdictions add ransomware operators to sanctions lists.


Regulations are changing

In "International Legal Responses to Ransomware: Toward a Ban on Payments?," Fabian Teichmann maps the shift across major jurisdictions.

In Australia, the Cyber Security Act 2024, which came into effect in May 2025, now requires any organization with annual turnover above AUD $3 million to report a ransomware payment to the Australian Signals Directorate within 72 hours, with civil penalties for non-compliance. The law doesn't ban payment outright. Reporting by Josh Taylor at The Guardian adds that as of January 2026, 75 Australian businesses had already reported ransom payments under these new mandatory obligations, with the average payment in Australia sitting at $711,000, down from $1.35 million the year before, according to a McGrathNicol survey of 800 executives.

In the United Kingdom, Teichmann documents a three-pillar approach currently moving toward legislation. It includes an outright ban on ransom payments by public sector bodies and critical national infrastructure operators; a mandatory pre-payment notification regime for private companies, requiring them to seek government approval before paying; and a ransomware incident reporting obligation across all sectors. As UK Home Office Minister Dan Jarvis framed it, the aim is to "hit these criminal networks in their wallets," cutting off what policymakers describe as the financial pipeline sustaining the ransomware system.

In the United States, while no federal ban yet exists, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require covered organizations to report significant cyber incidents within 72 hours and any ransomware payment within 24 hours to CISA. Several states, including North Carolina and Florida, have already banned ransom payments by government agencies. At the EU level, the NIS2 Directive mandates reporting of significant cyber incidents across a range of essential and important entities, increasing regulatory visibility into ransomware events even without an explicit payment prohibition.

Teichmann argues that "money drives ransomware," and that legal frameworks which cut off payment flows are therefore attacking the business model. The approach is not without risk: he identifies concerns around small and medium enterprises that may lack the resilience to survive an attack without paying, and around the possibility that banning payments could push victims to pay covertly rather than reducing incidents. His proposed roadmap advocates for harmonized bans to be coupled with victim support mechanisms, decryption-sharing programs, and strengthened cross-border enforcement, so that the burden of the policy doesn't fall disproportionately on those least able to bear it.


Paying funds the next attack

The cybersecurity community has said that ransom payments fuel the ransomware system, that every payment validates the criminal business model and finances the next attack, potentially against another organization or even the same victim again. OFAC made this point in its 2020 advisory, warning that ransomware payments "may embolden cyber actors to engage in future attacks."

The UK study of 41 ransomware incidents found this concern was internalized by victims themselves. Several organizations cited a firm moral conviction that paying criminals was wrong. Others were deterred by the risk of being placed on what investigators described as a "sucker list," making them a repeat target. As one Detective Constable told researchers, "If you pay, criminals might not give you a decryption key... you are on a 'sucker list'."

Paying a ransom is no longer seen as merely an uncomfortable business decision. It now carries reputational risk, potential regulatory scrutiny, and the knowledge that it helps fund another attack.


The figures

The Verizon 2026 DBIR reports that "the median amount of ransom paid also continues a downward trend: $139,875 in this year's reporting dataset from $150,000 in the previous year." Criminals are not only getting paid less often, they're getting paid less when they do succeed.

The DBIR states, "Our dataset reveals a market in decline, albeit a slow decline, where there is rampant commoditization and the numerous actors involved are desperately trying to scale to cover their margin compression." Crucially, it notes that "the margin compression does not only arise from threat actor competition, but by improved defensive adaptations and increased resilience of the victims."

Teichmann's analysis adds that the record $1.25 billion in ransomware payments recorded in 2023 dropped to around $814 million in 2024, a 35% decline, driven in part by more victims refusing to pay and by law enforcement disrupting major gangs.


Preparedness has become a differentiator

An encouraging factor behind the 69% figure is that more organizations are simply better prepared. Incident response planning, network segmentation, endpoint detection and response tools, and employee security awareness training have all improved.

The UK study of 41 ransomware incidents reinforced that organizations that lacked backups, had no incident response strategy, or had poor visibility of their own networks were likely to end up cornered into payment. Preparedness, the study concluded, is not merely a technical consideration; it is the single most important factor in whether an organization retains any meaningful choice when an attack occurs.


FAQs

How do ransomware attackers get into an organization's systems?

The most common entry points are phishing emails, unpatched software vulnerabilities, and compromised remote desktop (RDP) access.


Does the size of the organization affect the ransomware risk?

While large organizations attract bigger ransom demands, smaller businesses are frequently targeted precisely because they tend to have weaker defences and fewer recovery resources.


How long does recovery from a ransomware attack take?

Recovery timelines vary, from a few days for well-prepared organizations to several months or even years for those without adequate backups or incident response plans.