Skip to Content

The State of Ransomware 2026: Payments are dropping but encryption is climbing

Insights from 2,158 IT and cybersecurity leaders across 17 countries whose organizations were hit by ransomware in the past year.

This year's data has a few eyebrow-raising departures from the patterns of past State of Ransomware reports. Exploited vulnerabilities lost their three-year grip on the top root-cause spot. Median ransom demands and payments both dropped, yet the average recovery bill still climbed. And small organizations (100-250 employees) are falling further behind their larger peers on the one metric that matters most: stopping the attack before data gets encrypted.

The seventh annual Sophos State of Ransomware report is based on a vendor-agnostic survey of 2,158 IT and security leaders whose organizations were hit by ransomware in the last 12 months. 

Click here to access the full report now.

Download_the_Report.png

Email is the new number one root cause

For the first time in four years, exploited vulnerabilities are not the top way attackers get in. The rankings this year:

  • Malicious email (26%) and phishing (24%) together account for half of all incidents.
  • Compromised credentials (23%) held steady in third.
  • Exploited vulnerabilities (18%) fell 14 percentage points year over year.
  • Brute-force attacks (6%) were flat.

The takeaway for defenders is direct: patching alone will not close the gap. Advanced email protection, DMARC, DKIM, and SPF, and user awareness training belong at the top of the 2026 investment list.

 

sophos-technical-root-cause-of-ransomware-attacks-2023–2026.png

Identity-based attacks now drive most ransomware incidents

79% of ransomware attacks started with an identity-based approach, and 67% of victims confirmed that their ransomware incident was the same event as their most significant identity attack. This finding was also featured in our State of Identity Security 2026 report earlier in the year.

The_identity-ransomware_connection_Venn_Diagram.png

The 2026 Sophos Active Adversary Report, which is based on analysis of real-world incidents remediated by Sophos defenders, arrives at the same finding. 67% of root causes across 661 incident response (IR) and managed detection and response (MDR) cases were identity-related, and multi-factor authentication (MFA) was missing where it mattered in 59% of cases.

MFA is deployed, but not everywhere

97% of victims where compromised credentials were the root cause had MFA enabled in some form at the time of the attack. Coverage gaps are where the damage happens. The Active Adversary Report saw the same pattern: SaaS accounts often had MFA, but VPNs, firewall admin consoles, and legacy apps did not.

sophos-mfa-methods-enabled-at-the-time-of-attack.png

Where ransomware attacks start

For the first time, this year's report maps where respondents say their initial compromises happened inside their IT environments. Across attacks that started with an exploited vulnerability, compromised credentials, or brute force, these were the locations where victims reported that the attacks started:

  • Exposed applications and systems: 38%
  • User devices: 30%
  • Firewalls: 21%
  • VPNs: 8%
  • IoT devices: 3%
sophos-ransomware-attack-locations.png

Firewall compromises carry outsized financial impact because the firewall sits in a privileged position across the organization's infrastructure. When attackers successfully exploit a vulnerability on the firewall, they often gain extensive access across the business, and the resulting ransom demands reflect that leverage. 

When ransomware attacks start with the exploitation of a vulnerability in the firewall, 59% of those demands are for $1 million or more. That’s more than the baseline 48% $1-million-plus demands across all attacks.

Things are getting better, but ransomware is still devastating

Some economics moved in defenders' favor this year, but the picture is mixed. Having data encrypted in a ransomware attack reamins a serious event.

The good news:

  • Median ransom demand: $698,000, down 65% over two years.
  • Median ransom payment: $769,000, down from $1 million last year.
  • 51% of paying organizations negotiated a lower amount than the demand.
  • Only 32% of retail organizations paid, the lowest of any sector.
  • Backup-based recovery jumped to 66% of encrypted-data cases, up 12 percentage points from 2025.

The bad news:

  • Average recovery cost: $1.7 million per incident, up 11% year over year.
  • 56% of attacks still succeeded in encrypting data, up from 50% last year.
  • 48% of encrypted victims paid the ransom, in line with the four-year average of roughly 50%.
  • 72% of local and state government organizations paid, the highest of any sector.
  • The UK saw the highest median ransom demand recorded for any country at $2.5 million.

The organization-size gap is stark: only 34% of small organizations (100–250 employees) stopped attacks before encryption or extortion, well behind the 46% success rate at 3,001–5,000 employee organizations. Scale is buying real defensive outcomes, and small businesses are carrying a disproportionate share of the damage.

Read the report

The 2026 data points to a consistent theme across sections: outcomes improve when identity, email, endpoint, and network defenses operate as one system rather than in isolation. Closing the gap on AI-era attacks will depend less on adding tools and more on connecting the ones already in place.

Download the report to get the full findings, industry breakdowns, and recommendations:

Download_the_Report.png