“Ransomware attacks are on the rise.” That is what most cyber industry leaders would agree on, with the caveat that ransom payments are trending downward.
Now, why is that?
Logically, ransoms should be increasing, but it seems like companies are less and less keen on paying. And there’s the crux of the problem: Ransomware operators specifically rely on these payments to line their pockets. For a while now, in fact, ransomware has been such a successful threat that it triggered a gold rush of sorts, producing the ransomware-as-a-service (RaaS) business model.
Returning to initial observation, what’s driving this downward remuneration trend, and if it holds up, would that imply that ransomware is on its way out as a major threat?
Key points of this article:
- While ransomware attacks are on the rise, ransom payments are trending lower.
- Defenses have become more robust, thanks to AI, but signs point to bad actors also taking advantage with AI-powered tech and processes.
- Ransomware remains a profitable business, while victims stand on the receiving end of incident costs and regulatory fines.
- Not defenses, not ransomware’s evolution, but embedded systemic weaknesses enable the continued proliferation of attacks.
The past, present, and future, of ransomware
Ransomware’s beginnings go back to the 80s, with the first AIDS trojan (also known as the PC Cyborg Virus) infecting victims via floppy disks. Its notable feature was hiding files on the hard drive (only encrypting their names), later displaying a message claiming a fee was to be paid to obtain a “repair tool.”
This has become a common trope for ransomware attacks, with often-exorbitant payments demanded by operators to decrypt entire systems. In one case, a Fortune 50 company was asked to pay $75 million to the Dark Angels ransomware group. For context, the median payment is around $139,875 for 20251.
However, whether bad actors make good on their promise following payment is another question entirely. While common advice from law enforcement is not to pay, when disruption causes millions in losses per day, some don’t think twice. And yet, there are fewer and fewer firms willing to pay2.
That trend has contributed to an ongoing rupture (more on this below) within the ransomware scene, forcing an evolution in tactics. If encryption is ineffective, then, perhaps, applying force via data leaks might motivate businesses a bit more, going as far as attackers preferring data extortion over encryption.
Cyber-ransom-war
But the rupture in modern ransomware isn’t strictly strategic. As indicated in the ESET Threat Report H2 2025, law enforcement and security researchers have made a lot of progress in disrupting ransomware operations, dismantling their infrastructure, providing free decryptors, and arresting the operatives.
The cards shifting in businesses’ favor also represents an internal conflict within the ransomware scene3, with gangs increasingly fighting each other, rather than just competing, impacting major players like RansomHub, a known RaaS supplier. The result of this is an increasingly shattered landscape, wherein criminals deface and displace each other’s capabilities.
It would also be prudent to mention the tech that’s actively fighting ransomware. Be it via automatic ransomware shielding or clever XDR or MDR operations, detection and response have turned the tables on bad actors with machine learning and fast human response—in ESET’s case, to just around six minutes. Again, for context, the average time it takes to identify and contain a breach stands at 241 days4. What this means is that attackers can’t rely on having the upper hand (in specific cases), unless they do something drastic.
Something drastic
By now, you’ve probably been acquainted with our super-intelligent overlord, artificial intelligence. While it can do a lot of good in speeding up detection engines, for example, it can also cause a lot of harm. In 2025, ESET discovered PromptLock, a proof-of-concept ransomware using GenAI to execute attacks.
The “intelligent” bit is related to how the malware leverages a locally accessible AI language model to generate malicious scripts in real time. During infection, the AI autonomously—based on pre-defined prompts—decides which files to search, copy, or encrypt. In contrast, advanced attacks such as this usually require real operatives running them via command-and-control servers.
It’s a drastic development. AI has already made phishing attacks much more potent, but whether it’ll have the same effect here is still to be seen.
What keeps ransomware relevant?
Ransomware remains relevant not because it’s sophisticated (which AI could make worse), but because it reliably exploits systemic weaknesses.
1. Humans: Human error remains the entry point for a large share of breaches. Phishing, malicious attachments, and credential theft are consistently effective tactics.
2. Organizational weaknesses: Vulnerabilities, a lack of security monitoring, and a shortage of skilled security personnel … these all contribute to weaknesses which, ultimately, drastically raise the chances of even a novice ransomware actor’s success.
All of the above have been written about at length in various ESET blogs. To keep it short, it’s a systemic problem. In effect, ransomware has become a contest between two financial ecosystems—one that profits from disruption, and one that absorbs its cost. And, regardless of who “wins,” the losses cascade downward.
Systemic features enabling ransomware
Let’s get into those systemic problems a bit more. Researchers Tara Wheeler and Ciaran Martin described how ransomware, at its core, is a “misalignment of economic and policy incentives that allow criminals to operate successfully and with impunity.”
The chief enabler is that, in the end, the downward cascade puts the onus on the victims themselves—to unlock their systems, guard sensitive data, and resume operation—and it’s heightened by regulatory enforcement, where fines exist to increase punishment, rather than incentivize continued resilience.
Tony Anscombe’s vlog on ransomware payment bans goes in depth about why it’s not a solution, either:
That is not to say that cyber standards enforcement shouldn’t exist. Whether via cyber insurance requirements or DORA-like asks, businesses will have to keep up with current resilience asks. Whether they do it themselves (with in-house ops) or via an MSP/MDR, it doesn’t matter, as the systemic issues will persist since:
- Criminals are … criminals. Specifically in cyberspace, attribution is difficult, especially with malicious activity vectors from abroad. International policing action could work, but, outside of major operations, it’s not far-reaching enough to make a difference, considering the vast cyber-threat landscape.
- Much software is still not built with security by design in mind. Only recently have regulators begun to address inconsistencies in vulnerability disclosure practices. While not every vulnerability should be made public, responsible disclosure often increases the likelihood that fixes will be developed and deployed. The same issue applies to incident disclosure—delayed reporting can significantly increase the risk of further harm to customers.
- 39% of cyber-insured companies in 2023 still paid the ransom, despite enjoying the support of an insurer. But what’s worse is that insurance payouts actually indirectly fund ransomware operations; attackers learn that victims are likely to pay quickly, and can tailor demands accordingly.
- In critical infrastructure, responsibility largely falls on private companies. Although these sectors often overlap with state functions and require heightened security, governments are typically not accountable when a harbor, rail operator, or energy provider is compromised. Smaller organizations—particularly those reliant on legacy systems—are especially vulnerable, as they often lack the resources needed to maintain strong security.
Ransomware economics limbo
Organizations are caught in a permanent state of partial adaptation—never fully secure, never fully resilient, yet continuously absorbing the cost.
What emerges is a kind of ransomware limbo: a state where defenses improve incrementally, regulations tighten unevenly, and attackers continue to exploit the gaps in between. Progress, while it exists, fails to break the cycle. As long as the underlying incentives persist, the cycle sustains itself.
Additional references:
1) Verizon. (2026). 2026 Data Breach Investigations Report (p. 42). Verizon.
2) Payments are lower, but estimates vary between data sets (Verizon, 2026, p. 42; IBM, 2025, p. 7).
3) ESET Research. (2025). ESET Threat Report H1 2025 (pp. 20–22). ESET.
4) IBM Security & Ponemon Institute. (2025). Cost of a data breach report 2025 (p. 12). IBM.










