The Ransomware Revolution: How Attack Economics Are Reshaping the Threat Landscape Entering 2026
Executive Summary
As we close out 2025 and look toward 2026, the ransomware ecosystem has undergone a dramatic transformation that fundamentally changes how organizations must approach cyber defense. With attacks surging 34% year-over-year while ransom payments plummet to historic lows, threat actors are evolving their business models in ways that make traditional defensive strategies obsolete. November 2025 alone demonstrated the relentless pace of breaches across financial services, healthcare, retail, and critical infrastructure, signaling that the volume-versus-value equation in cybercrime has reached an inflection point.
Breached Company
The New Attack Economics: More Breaches, Fewer Payments
The most striking development in 2025 is the paradox gripping the ransomware economy: attack volumes have reached unprecedented heights while the traditional encryption-based business model collapses under its own weight.
The Numbers Tell a Stark Story
Throughout 2025, ransomware incidents surged to record levels—a 34% increase over 2024. Yet despite this surge, ransom payments have fallen to their lowest levels on record. The data reveals a cybercriminal ecosystem in transition:
- 149% increase in reported U.S. ransomware incidents in the first five weeks of 2025 compared to 2024
- Average ransomware insurance claims rose 68% to $353,000, even as payment rates declined
- 76% of all ransomware attacks now involve data exfiltration prior to encryption
- 50% of attacks in 2025 targeted critical infrastructure sectors: manufacturing, healthcare, energy, transportation, and finance
This fundamental shift reveals that encryption is no longer the primary weapon—data theft has become the real leverage point. Organizations can no longer rely on ransomware encryption as the "signal" of a breach. Silent data exfiltration campaigns are now more common and more damaging, as evidenced by November's breach landscape.
Manufacturing Under Siege
The manufacturing sector emerged as 2025's most aggressively targeted industry, experiencing a 61% year-over-year increase in attacks. This concentration on manufacturing reflects attackers' strategic pivot toward targets with the lowest tolerance for operational downtime.
High-profile incidents like Jaguar Land Rover's global shutdown and Bridgestone's production disruptions illustrated how ransomware can paralyze supply chains and entire economies. The manufacturing sector now accounts for 65% of industrial ransomware incidents in Q2 2025, with construction being the most impacted subsector.
The Codefinger Threat: Cloud Infrastructure as the New Battlefield
Perhaps no development better exemplifies the evolution of ransomware tactics than the emergence of the Codefinger threat actor, who pioneered a devastating new technique targeting AWS S3 buckets.
How Codefinger Rewrites the Playbook
Unlike traditional ransomware that deploys malicious software, Codefinger exploits AWS Server-Side Encryption (SSE-C) to lock victims out of their own cloud infrastructure without deploying any malware:
- Compromise AWS credentials through phishing, credential stuffing, or stolen API keys
- Encrypt all S3 objects using the victim's encryption functionality
- Replace IAM policies to revoke the victim's own access
- Set lifecycle deletion policies to auto-delete data in 7 days, creating artificial urgency
This technique is devastating because it triggers no malware alerts. It appears as legitimate administrative activity—a user encrypting data for security purposes. Standard data recovery tools become ineffective when the cloud infrastructure itself enforces the encryption.
Halcyon and Trend Micro researchers identified this as a "systemic threat" that forces organizations to rethink their Shared Responsibility Model, specifically regarding the lifecycle and permissions of API keys. The lesson: cloud security is no longer optional defense-in-depth—it's the primary battlefield.
The Ransomware Group Ecosystem: Fragmentation and Consolidation
The collapse of dominant syndicates like LockBit and AlphV under law enforcement pressure didn't slow the ransomware economy—it fractured and multiplied it.
The Power Vacuum Creates Opportunity
- 96 unique ransomware groups operated in the first half of 2025, a 41.18% increase over 2024
- 17 groups became inactive in Q2 2025 alone, including 8base, BianLian, BlackBasta, and Cactus
- 11 net new groups emerged in Q2 2025: KaWa4096, Warlock, Devman, Nova, and Dire Wolf
The New Power Players
Qilin became the most active ransomware group by June 2025, carrying out 81 attacks in a single month—a sharp 47.3% rise. Their sophisticated operations included:
- The Habib Bank AG Zurich breach, stealing 2.5TB of data and nearly 2 million files
- Multiple healthcare and financial services targets across jurisdictions
- Advanced double-extortion techniques combining data theft with encryption
DragonForce surged dramatically with attacks jumping 212.5%, forming shaky alliances with remnants of RansomHub to facilitate "bigger and better infrastructure."
SafePay ransomware significantly accelerated operations, with industrial sector victims increasing from 13 in Q1 to 49 in Q2 2025. Unlike typical RaaS operations, SafePay maintains centralized control, directly managing all attack phases.
The INC Ransom Problem
One group deserves special attention for its complete abandonment of ethical boundaries: INC Ransom. Unlike traditional ransomware groups that claimed to avoid certain sectors, INC Ransom aggressively targets precisely those industries previously considered "off-limits":
- Healthcare facilities (highest priority)
- Emergency notification systems
- Government law enforcement agencies
- Educational institutions
Their attack on Jackson County's emergency warning systems left thousands of communities unable to send critical notifications for two weeks—one of the most serious attacks on public safety infrastructure in U.S. history.
Third-Wave Extortion: Beyond Encryption and Data Theft
The ransomware business model has evolved through distinct phases, and we've now entered what security researchers call the "Third Wave" of extortion: intentional business disruption.
The Triple-Extortion Model
Palo Alto Networks reports that in 86% of recent incidents, attackers deliberately tried to sabotage operations to force payment through tactics including:
- Wiping backups and cloud storage to eliminate recovery options
- Launching DDoS attacks to knock websites offline
- Publicly harassing customers, employees, and partners with threatening calls and emails
- Targeting business partners and suppliers to amplify pressure
- Reporting victims to regulators to trigger compliance penalties
This multi-pronged approach ensures victims face mounting costs from multiple directions simultaneously, even if they have robust backup systems. As one ransomware operator told researchers: "Backups are worthless if we destroy your reputation and regulatory standing first."
The Insurance Industry's Perfect Storm
The insurance sector's 2025 nightmare demonstrates this evolution in action. Scattered Spider, operating alongside ShinyHunters, systematically worked through the sector with military-like precision:
- Farmers Insurance: 1.1 million customer records compromised via Salesforce breach
- Aflac: 50 million individuals affected, data including SSNs and health information
- Erie Insurance: Month-long network outage disrupting services for 6 million policyholders
- Philadelphia Insurance Companies: Personal data compromised, driver's licenses exposed
Google's Threat Intelligence Group warned that Scattered Spider "has a habit of working their way through a sector," proving that entire industries can become systematically compromised when attackers identify profitable patterns.
Breached Company
