Sentinel Brief

Why Ransomware Surged While Data Breach Costs Fell

77 percent. That's the share of ransomware intrusions in 2025 that ended with data stolen — files encrypted and exfiltrated. One year earlier, that figure sat at 57 percent. The threat has evolved past the simple "pay or stay dark" model into something more expensive and harder to negotiate: double extortion at industrial scale, running on automated infrastructure and cheap stolen credentials.

According to Cybersecurity Dive, citing Bitsight analysis, ransomware incidents surged sharply year-over-year in 2025 while the cost of conventional data breaches trended downward — a divergence that reveals an arms race playing out in two directions simultaneously. The full picture, assembled from Verizon's 2025 Data Breach Investigations Report, IBM's Cost of a Data Breach Report 2025, and CrowdStrike's 2025 State of Ransomware Survey, is more nuanced than any single source captures on its own.

The Evidence

Between 7,419 and 9,251 ransomware incidents were recorded worldwide in 2025, compared to 5,631 to 6,395 the prior year — a 32 to 58 percent increase depending on the counting methodology. Verizon's DBIR, which analyzed more than 22,000 security incidents across 139 countries, found ransomware present in 44 percent of all breaches. For small and midsize businesses, that figure jumped to 88 percent.

The ecosystem driving that volume is itself a data story. Law enforcement takedowns of major ransomware-as-a-service (RaaS) groups — organized criminal networks that lease ransomware tools to affiliates on a commission basis — including LockBit and ALPHV in 2024, didn't reduce total criminal capacity. They fragmented it. As of June 24, 2026, threat intelligence tracking confirmed 124 distinct ransomware groups were operating simultaneously in 2025, a 46 percent increase from 2024 and the highest count ever recorded. Meanwhile, the average price of compromised access credentials fell from $1,400 to $439, effectively running a clearance sale on corporate network access for prospective affiliates.

Major incidents underscore the scale: the Qilin ransomware group executed 81 attacks in a single month by June 2025 — a 47.3 percent spike — while PowerSchool's breach compromised data tied to 62 million students and 9.5 million teachers, and Yale New Haven Health reported 5.6 million patients affected. The FBI's Internet Crime Complaint Center (IC3) received more than 1 million cybercrime complaints in 2025 for the first time ever, with total cybercrime losses reaching nearly $21 billion — including 3,611 ransomware-specific complaints generating over $32 million in direct losses, a figure that explicitly excludes business disruption and remediation costs.

As of June 24, 2026, according to IBM's Cost of a Data Breach Report 2025, the average ransomware or extortion breach cost $5.08 million globally — compared to $4.44 million for traditional breaches, which fell nine percent from $4.88 million in 2024. That $640,000 premium reflects the compounded cost of operational disruption from encryption layered onto data exposure liability from exfiltration.

Figure: Average Breach Cost, IBM Cost of a Data Breach Report 2025. Traditional Breach 2024: $4.88M; Traditional Breach 2025: $4.44M; Ransomware Breach 2025: $5.08M.

Chart: While traditional breach costs fell year-over-year, ransomware and extortion breaches commanded a $640,000 premium in 2025, driven by the dual cost of encryption and data exfiltration.

Blast Radius — Who Carries the Real Exposure

Manufacturing absorbed the heaviest load: 1,578 attacks in 2025, representing 28.9 percent of global ransomware volume. Healthcare recorded 460 ransomware attacks and 182 separate data breaches. The United States led globally with 3,975 attacks — 36.2 percent of worldwide incidents — meaning roughly one in three ransomware attacks globally targeted a U.S. organization. If your environment sits in manufacturing, healthcare, or financial services and operates any U.S.-hosted infrastructure, the baseline threat level is not average.

The credential exposure pipeline feeding these attacks is the piece most security teams underestimate. As of June 24, 2026, threat intelligence data shows 54 percent of ransomware victims had prior credentials exposed in infostealer logs — malware that silently harvests saved passwords and session tokens from infected devices — with 40 percent of those logs containing corporate email addresses. The attacker frequently didn't force the door. They bought a key for $439 and walked in. That changes where detection needs to be focused.

This credential-to-ransomware pipeline connects directly to the AI-enhanced attack evolution CrowdStrike documented: 76 percent of global organizations struggle to match the speed and sophistication of AI-powered attacks, with 85 percent reporting traditional detection is becoming obsolete against AI-enhanced campaigns. Forty-eight percent of organizations named AI-automated attack chains as their greatest current ransomware threat. This mirrors the pattern AI Shield Daily tracked in Okta's response to the AI agent identity gap — where machine-speed credential abuse structurally outpaces human-speed detection and revocation workflows.

IBM's data adds the defender-side signal: 16 percent of breaches in 2025 involved attackers using AI tools, while organizations that deployed AI-assisted detection and response extensively cut their breach lifecycle by 80 days and saved nearly $1.9 million on average. The arms race is real, and the performance gap between AI-enabled and traditional security operations is now measurable in dollars and days.

The Defense Stack That Changes the Math

Technology layer: Behavioral endpoint detection — monitoring for attacker activity patterns rather than known malware signatures — and immutable, isolated backups are the foundational controls. The 64 percent victim refusal rate in 2025, up from 15 percent in Q1 2019 when payment rates peaked at 85 percent, almost certainly reflects organizations that had tested, recoverable backup architectures in place before compromise. As the FBI states explicitly in official guidance: paying a ransom does not guarantee that data will be returned and encourages attackers to pursue additional victims. Backups are the structural alternative to ransom dependence.

Process layer: Credential hygiene closes the most common documented entry point. A systematic dark web credential monitoring program — one that feeds into the identity lifecycle and triggers MFA (multi-factor authentication, requiring a second verification step beyond a password) resets and access audits when exposure is detected — would have flagged prior compromise for a significant share of 2025 victims before attackers acted on that intelligence. This is a compensating control (a security measure that reduces risk when a primary control fails or is absent) that requires process discipline, not expensive tooling.

People layer: Security awareness training that specifically addresses double extortion — the technique where attackers encrypt files and threaten to publish stolen data — helps employees understand why incident response plans and data classification need to be tested, not just filed. Scared employees make poor decisions under extortion pressure. Trained ones don't.
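An added example, not from the original article or any vendor: a minimal triage of an exposure feed against the directory, showing the process-layer loop described above. The feed schema, account names, `example.com` domain and action labels are constructed assumptions; session revocation is included because infostealer logs carry session tokens as well as passwords.

```python
"""Triage an infostealer-exposure feed against the corporate directory."""
CORP_DOMAINS = {"example.com"}  # assumption: the organisation's mail domains

# Constructed directory extract: account -> privileged flag.
DIRECTORY = {
    "j.doe@example.com": True,       # domain admin
    "a.khan@example.com": False,
    "m.rossi@example.com": False,
}

# Constructed feed records; the field names are hypothetical, not a vendor schema.
FEED = [
    {"login": " J.Doe@Example.com", "password": True, "session_token": False},
    {"login": "j.doe@example.com", "password": False, "session_token": True},
    {"login": "a.khan@example.com", "password": True, "session_token": False},
    {"login": "someone@gmail.com", "password": True, "session_token": True},
    {"login": "ex.employee@example.com", "password": True, "session_token": False},
]


def normalise(login):
    """Lower-case and trim so feed spellings match directory keys."""
    return login.strip().lower()


def triage(feed, directory, corp_domains=CORP_DOMAINS):
    """Return (plans, unmatched): per-account actions, privileged accounts first."""
    exposed, unmatched = {}, set()
    for rec in feed:
        login = normalise(rec["login"])
        if login.rpartition("@")[2] not in corp_domains:
            continue                      # personal address: out of scope
        if login not in directory:
            unmatched.add(login)          # corporate domain, no live account: review
            continue
        seen = exposed.setdefault(login, {"password": False, "session_token": False})
        seen["password"] |= rec["password"]            # merge duplicate records
        seen["session_token"] |= rec["session_token"]
    plans = []
    for login, seen in exposed.items():
        actions = ["mfa_reset", "access_audit"]        # the two triggers the article names
        if seen["password"]:
            actions.insert(0, "force_password_reset")
        if seen["session_token"]:
            actions.insert(0, "revoke_sessions")       # a stolen token can outlive a password change
        plans.append({"account": login, "privileged": directory[login], "actions": actions})
    plans.sort(key=lambda p: (not p["privileged"], p["account"]))
    return plans, sorted(unmatched)
```

Calling `triage(FEED, DIRECTORY)` puts the domain admin first with all four actions and lists the departed employee's address separately for review.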

How to Act on This

Ship one control today: test whether ransomware can reach your backup repositories.

In a lab or controlled test environment, take a domain administrator credential and attempt to access, modify, or delete your backup storage. If that account can read, alter, or erase backup data, a threat actor who has compromised any domain admin account on your network can do the same — and will do so before triggering encryption, to eliminate your recovery path. This single architectural gap is what separates organizations that recover operationally within 72 hours from those still negotiating with ransomware operators three weeks post-compromise.
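One way to run that check from the test account in a lab, as an added example rather than code from the article: the probe below reports which operations succeed against a backup path, touching only a canary file it creates itself. The function names are hypothetical, and it exercises directory-level permissions only, not per-file ACLs on existing backup sets.

```python
"""Probe what the current account can do to a backup path using only a canary file."""
import os
import uuid


def probe_backup_path(path):
    """Return which operations succeed for the account running this script.

    Only a uniquely named canary file is created, changed and removed;
    existing backup data is never opened for writing or deleted.
    """
    result = {"list": False, "create": False, "modify": False, "delete": False}
    canary = os.path.join(path, f"canary-{uuid.uuid4().hex}.tmp")
    try:
        os.listdir(path)
        result["list"] = True
    except OSError:
        pass
    try:
        with open(canary, "x") as fh:      # "x" fails rather than overwrite a file
            fh.write("probe")
        result["create"] = True
        with open(canary, "a") as fh:
            fh.write("-modified")
        result["modify"] = True
    except OSError:
        pass
    try:
        if result["create"]:
            os.remove(canary)
            result["delete"] = True
    except OSError:
        pass
    return result


def verdict(result):
    """Backups are exposed if the account can create, modify or delete."""
    exposed = [op for op in ("create", "modify", "delete") if result[op]]
    return ("EXPOSED: " + ", ".join(exposed)) if exposed else "isolated from this account"


if __name__ == "__main__":
    import sys, tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()  # lab path or demo dir
    print(target, "->", verdict(probe_backup_path(target)))
```

A result where `create` succeeds but `delete` fails is what write-once storage should look like from this account.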

The rest of the security roadmap matters. But not before this.

Frequently Asked Questions

Why are ransomware attacks increasing even after law enforcement took down major groups like LockBit?

Takedowns fragment the market rather than eliminate it. When LockBit and ALPHV were disrupted in 2024, their affiliates didn't retire — they migrated to new or emerging operations. As of June 24, 2026, tracking data confirms 124 distinct ransomware groups were active in 2025, a 46 percent increase from 2024 and the highest count ever recorded. The simultaneous collapse in credential prices — from $1,400 to $439 per compromised account — also lowered the barrier for new affiliates to enter, expanding total volume even as individual operations were disrupted.

Should you pay the ransom in a ransomware attack, or is refusal the right call?

The FBI's official position is clear: paying a ransom does not guarantee data recovery and funds the next campaign against other victims. In 2025, ransom payment rates dropped to a historic low of 23 to 25 percent, down from 85 percent in Q1 2019, with 64 percent of victims refusing to pay. Organizations with tested, offline, and isolated backup architectures are structurally positioned to refuse payment and recover operationally. Investing in backup resilience before an incident is the highest-return alternative to ransom dependence.

How much does a ransomware attack cost compared to a standard data breach in 2025?

As of June 24, 2026, according to IBM's Cost of a Data Breach Report 2025, the average ransomware or extortion breach costs $5.08 million globally, compared to $4.44 million for a traditional data breach — a $640,000 premium that reflects both encryption-related operational disruption and the data exfiltration liability that now accompanies 77 percent of ransomware incidents. Both figures exclude business disruption, reputational damage, and long-term remediation costs. The FBI's direct-loss figure from its 3,611 ransomware complaints in 2025 — $32 million — also excludes those categories.

Bottom line: In my analysis, the divergence between falling traditional breach costs and surging ransomware volume is the clearest signal yet that AI-assisted detection is beginning to work — but only for the subset of organizations that deployed it, and only against the attack vectors those tools are tuned for. Credential theft at $439 per account is operating below the threshold where most enterprise detection stacks fire. Until dark web credential monitoring is integrated as a first-signal trigger in the incident response playbook — not a quarterly audit, a live feed into the identity lifecycle — the blast radius of the average ransomware intrusion will keep expanding regardless of how good the rest of the security stack looks on paper.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs. Research based on publicly available sources current as of June 24, 2026.