Ransomware Threat Landscape
Leadership briefing · Current intelligence · May 2026
Threat Level: Elevated
Victims YTD 2026: ~3,900 (↑ 22% vs same period 2025)
Victim Payment Rate: 28% (↓ from 76% in 2019; defences are working)
Active Ransomware Groups: 97 (record high · 91 active leak sites)
Victims Pre-Warned: 54% (credentials in criminal markets before the attack)
How a ransomware attack unfolds
Step 1: Get In. Stolen credentials, unpatched systems, or phishing email
Step 2: Move Around. 2–4 weeks of silent access: finding data, destroying backups
Step 3: Steal & Lock. Data exfiltrated, then systems encrypted in under an hour
Step 4: Demand Payment. Ransom demand plus threat to publish stolen data publicly
Step 5: Cash Out. Crypto laundered through mixers, brokers, and mule networks
Key developments · last 90 days
What this means for your decisions
1. Not paying is increasingly viable. Professional negotiation support pushes non-payment rates above 70%. Without support, victims pay at 2× the rate.
2. 54% of victims had advance warning they didn't act on. Credential monitoring in dark web markets provides weeks of lead time before an attack is detected internally.
3. The 2–4 week dwell period is your detection window. Attackers are silent but active before encryption. Endpoint detection that catches lateral movement stops the attack entirely.
4. Brand takedowns don't stop the people. When a group is disrupted, affiliates migrate to a new brand within 60–90 days. The skills, relationships, and protection persist.