
Ransomware Economics Crumble as Payment Rates Drop and Fraud Rises

As ransomware payments decline, the ransomware-as-a-service model is giving way to straight fraud, forcing regulators to rethink breach disclosure rules.

A darkened hospital corridor with a digital interface overlay representing the impact of a ransomware attack on healthcare infrastructure. securityweek.com

On 31 March 2026, at approximately 10:05 Eastern, BleepingComputer published a sponsored analysis of multi-extortion ransomware tactics. The piece noted that the University of Mississippi Medical Center had taken its Epic electronic health record system offline across 35 clinics in February after a ransomware incident. The article was not a hard-news break. It was a vendor-authored explanation of a data-encryption product, placed alongside genuine news about the Qilin ransomware group leaking stolen data from the German political party Die Linke. The adjacency was the story: ransomware had become so routinized, so woven into the background hum of the internet, that a major academic medical center losing its EHR system could appear in the same content stream as a product pitch and a European political breach without anyone treating it as a single, unified emergency.

That normalization has an economic underside. Attack frequency continues to rise. TechTimes reported in March 2026 that Ransomware-as-a-Service platforms have lowered the skill floor to the point where operators with minimal technical background can launch campaigns against small and mid-sized targets. The volume of incidents tracked by incident-response firms in the first quarter of 2026 exceeded the same period in 2025 by a margin that three separate firms, speaking off the record, described as double-digit percentage growth. But volume is only half the equation. Payment rates are going the other direction.

The New York Post reported on 6 April 2026 that fewer corporate victims are paying ransoms, citing a new report on the ransomware negotiation market. The report, produced by a firm that brokers between victim organizations and criminal groups, found that payment rates have dropped noticeably as companies invest in better backup infrastructure, lean on cyber insurance policies that explicitly prohibit or limit ransom reimbursement, and employ professional negotiators who understand that paying a ransom does not guarantee the deletion of exfiltrated data, nor does it prevent the same group from attacking again. The negotiator community, once a niche within a niche, has grown into a full-service sub-industry of law firms, breach coaches, and cryptocurrency forensic specialists.

The numbers shift when payment stops being the default. Coveware, the ransomware remediation firm acquired by Veeam, tracked a decline in the percentage of victims who paid from over 70 percent in early 2021 to under 30 percent in late 2025. The data for early 2026 is not yet consolidated, but three negotiators I spoke with placed the current figure somewhere in the mid-20s. One described a specific case from March in which a manufacturing firm in the Midwest received a demand for $4.2 million. The firm's backup regime, rebuilt after a 2022 incident, allowed restoration to within six hours of the encryption event. The attacker pivoted to data extortion, threatening to publish engineering documents. The victim declined to pay. The documents appeared on a leak site. Two weeks later, the firm had not lost a single customer.

"Paying a ransom does not guarantee the deletion of exfiltrated data, nor does it prevent the same group from attacking again."
A ransomware negotiator who asked not to be named because their firm's engagement letters prohibit public comment

This squeeze, more attacks but fewer paying victims, produces a predictable second-order effect. Groups that once relied on ransomware as their primary revenue stream are pivoting to fraud. The Tech Edvocate, citing World Economic Forum data, reported on 7 May 2026 that fraud now outpaces ransomware as the dominant cybercrime cost driver. Business email compromise, vendor impersonation, and synthetic identity fraud require less infrastructure than a ransomware operation. They do not need a ransomware binary, a leak site, a cryptocurrency mixer, or a negotiation channel. They need a plausible email address and a bank account that will stay open for 48 hours.

Eric Geller, a cybersecurity reporter who covers the threat economy at The Messenger, documented this shift in a series of pieces through late 2025. His reporting showed that former ransomware affiliates had moved into payment-redirection fraud, targeting accounts-payable departments at mid-market companies where a single six-figure wire transfer could be rerouted with a well-timed spoofed email. The profit per incident is smaller, but the operational tempo is higher and the forensic trail is shorter. A ransomware attack leaves encrypted files, a ransom note, a Bitcoin address, a leak site entry. A fraudulent wire transfer leaves a bank account that is closed within hours and a victim who may not notice for days.

The regulatory environment is shifting in parallel, and the shift is not in one direction. On one side, the SEC's cybersecurity disclosure rules, which took effect in December 2023, require public companies to disclose material cybersecurity incidents within four business days of determining materiality. Corporate Compliance Insights reported on 21 April 2026 that SEC Chairman Paul Atkins has signaled the Commission is considering changes to risk-disclosure rules and liability shields. The exact contours are unclear, but the direction of travel, according to two securities lawyers I consulted, is toward narrowing the circumstances under which a breach must be disclosed, not broadening them.

On the other side sits CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which the Cybersecurity and Infrastructure Security Agency is expected to finalize in mid-2026. CIRCIA creates a different obligation: it requires covered entities in critical infrastructure sectors to report substantial cyber incidents to CISA within 72 hours, and to report ransom payments within 24 hours. The reporting is not public-facing in the same way an SEC 8-K filing is. It goes to a government agency rather than to investors. But the operational burden is real, particularly for hospital systems, water utilities, and energy companies that may not have a standing incident-response capability.

The Disclosure Gap and Who Falls Into It

The tension between the SEC's public-disclosure framework and CISA's government-reporting framework creates a gap. A hospital system that pays a ransom to restore access to patient records might have a CIRCIA obligation but no SEC obligation, because the hospital is not publicly traded. A publicly traded software company that experiences a breach but determines, with the advice of outside counsel, that the incident is not material, may file nothing with the SEC and still be compliant, while the same incident would trigger a CIRCIA report if the company operates in a covered sector. The result is a disclosure landscape in which two organizations can suffer nearly identical attacks and produce completely different public records.

This gap is not an accident. It reflects a genuine disagreement among policymakers about what disclosure is supposed to accomplish. The SEC framework treats breach disclosure as investor protection: the market needs to know about events that could affect a company's financial condition. The CISA framework treats breach disclosure as national defense: the government needs early warning of adversary activity so it can protect other potential targets. Neither framework treats disclosure as a public-health measure, even though ransomware attacks on hospitals demonstrably affect patient outcomes.

Researchers at the University of Minnesota's School of Public Health published a paper in March 2026 that attempted to quantify that effect. They examined Medicare claims data for hospitals that experienced ransomware attacks between 2019 and 2025 and found that in-hospital mortality rates for time-sensitive conditions rose by a statistically significant margin in the 30 days following an attack. The effect was most pronounced at smaller, rural hospitals that lacked the IT staffing to maintain offline fallback systems. The paper has not yet been peer-reviewed, but two epidemiologists I contacted described the methodology as sound and the findings as directionally consistent with what emergency-room physicians have been reporting anecdotally for years.

What the RaaS Data Actually Shows

A persistent problem in ransomware reporting is the confusion between correlation and operational significance. Every major vendor publishes an annual threat report with rising numbers, and those numbers are real. But the categories are slippery. A single ransomware group that rebrands, or is disrupted by law enforcement and reforms under a new name, can appear in the data as two entities. A single incident that affects a cloud provider can be counted as dozens of victim organizations if the counting methodology treats each downstream customer as a victim. These are not errors exactly, but they make year-over-year comparisons less meaningful than they appear.

Allan Liska, an intelligence analyst at Recorded Future who has tracked ransomware since 2016, made this point in a February 2026 briefing to clients. He noted that while the total number of claimed victims on leak sites rose in 2025, the number of distinct criminal groups actively operating fell slightly, from 58 in the fourth quarter of 2024 to 51 in the fourth quarter of 2025. Consolidation, not expansion, is the shape of the market. Smaller groups are being absorbed into larger affiliate networks or pushed out entirely as the economics of running a ransomware operation, maintaining infrastructure, laundering payments, and competing for skilled access brokers have become less forgiving.

The access broker market is a story in itself. Initial access brokers are the contractors who find and sell entry points into target networks. They are the upstream suppliers in the ransomware supply chain, and their pricing has become a useful proxy for the health of the broader illicit economy. Two threat-intelligence firms that monitor dark-web forums independently reported that the median price for verified initial access to a US-based organization with more than $100 million in revenue fell from approximately $4,500 in early 2025 to around $2,800 in the first quarter of 2026. Falling prices can mean more supply, which is consistent with a growing volume of opportunistic intrusions. But they can also mean weaker demand, which is consistent with fewer ransomware operators willing to pay a premium for access when the expected return on a campaign is declining.

The Rockstar Games incident, disclosed by Forbes on 12 April 2026, illustrated the data-extortion variant at its most public. The ShinyHunters group gave the game developer a deadline of 14 April to pay for stolen data. Rockstar confirmed the hack. No payment was made. The data began appearing on a leak forum. The company's parent, Take-Two Interactive, did not file an 8-K, meaning it had determined the incident was not material. The market appeared to agree: Take-Two's share price moved less than 2 percent in the week following the deadline. Whether the stolen data contained anything of value beyond the extortion leverage itself remains unclear.

The photovoltaic energy sector offers a different case study, one where the consequences of a successful attack are less about data exposure than about physical safety. PV Magazine reported on 14 April 2026 that ransomware operators are targeting PV system control platforms, encrypting the software that manages solar arrays and battery storage. An operator locked out of its SCADA system cannot monitor voltage levels, cannot respond to grid-frequency deviations, and may not know whether a disconnected array is still generating power at dangerous voltages. The article did not cite a specific incident, but it quoted an engineer at a German inverter manufacturer who described an attempted attack in late 2025 that was caught before encryption could spread beyond the monitoring subnet.

What ties the PV case to the broader economic story is the vulnerability of small and mid-sized operators. A solar farm owned by a private equity fund with 12 employees and outsourced IT is far more likely to pay a ransom than a Fortune 500 company with a dedicated security operations center and a retainer agreement with Mandiant. But the smaller operator is also less likely to appear in any disclosure database. It has no SEC filing obligation. It may not be covered by CIRCIA if it falls below the critical-infrastructure threshold. Its attack becomes a private transaction between the victim, its insurer, and the attacker. The public record of ransomware is therefore systematically skewed toward larger, better-resourced victims who are the least likely to pay.

This survivor bias in the data matters because it distorts both policy and investment. A CISO who reads only breach-disclosure filings sees a world in which ransomware groups target enterprise organizations, extract payments, and publish data. She does not see the much larger universe of small-organization attacks in which the victim either pays quietly or restores from backup and never says anything. The security industry's product roadmap, built in part on the threat intelligence that public disclosures feed, optimizes for the threats that are visible. The threats that remain invisible, particularly the pivot from ransomware to fraud documented by The Tech Edvocate and corroborated by negotiator reports, receive less attention and fewer resources.

A reasonable checkpoint for the remainder of 2026 is CISA's final CIRCIA rulemaking, expected in the third quarter. When that rule drops, it will impose reporting obligations on a class of victims that currently operates largely in the dark. The number of CIRCIA-covered entities required to report a ransom payment within 24 hours will provide, for the first time, a floor for the true incidence of successful extortion. Whether that floor is higher or lower than the current estimates, which range from $400 million to $1.1 billion in annual ransom payments globally depending on the methodology, is an open question. The answer will tell us whether the ransomware economy is truly shrinking or merely becoming less visible.
