Ransomware Economy Costs Rise as Victims Stay Silent
Ransomware-as-a-service platforms lower the barrier to entry as a negotiator pleads guilty to colluding with BlackCat, exposing the growing chasm between breach detection and public disclosure.
On April 21, 2026, the U.S. Department of Justice announced that Angelo Martino, a 41-year-old ransomware negotiator from Land O' Lakes, Florida, had pleaded guilty to conspiring with the BlackCat ransomware group, also known as ALPHV. Martino had been hired by companies in the retail, hospitality, and medical sectors to negotiate with attackers who were extorting them. Instead, prosecutors said, he shared confidential client information with the criminals and helped deploy ransomware against additional victims. He faces up to 20 years in prison.
The case is not an outlier in the conventional sense. It is the logical endpoint of a ransomware economy that has spent the past half-decade professionalising, and of a disclosure regime that asks victims to report breaches while giving them powerful incentives to say as little as possible. American Banker reported that the Martino case exposes a systemic risk for banks: incident-response and ransomware-negotiation firms receive sensitive breach details that a corrupted insider can sell back to the attackers. The negotiator you hire to contain a crisis can become a vector for its expansion.
The negotiator-corruption story is one thread in a larger fabric. The ransomware business model has been reshaped by Ransomware-as-a-Service, or RaaS, platforms that allow operators with minimal technical skill to launch attacks using toolkits built and maintained by others. Tech Times reported in March that these platforms have lowered the barrier to entry far enough that the distinction between a cybercriminal syndicate and a solo actor has blurred. The operator provides the access and the target; the RaaS platform provides the payload, the payment infrastructure, and sometimes the negotiation support.
One RaaS outfit, a group calling itself The Gentlemen, claimed more than 320 victims in the first months of 2026 alone, Infosecurity Magazine reported, citing researchers at Check Point. The group first appeared in late 2025 and scaled through an aggressive affiliate recruitment model, splitting ransom proceeds between the developers and the affiliates who deploy the malware. The speed of that growth, from zero to hundreds of victims in under six months, is the speed of a platform business, not a gang.
The economics have shifted in another direction as well. The World Economic Forum's latest Global Cybersecurity Outlook, published in early 2026, found that cyber-enabled fraud has overtaken ransomware as the primary cybersecurity concern for CEOs, with 94 percent of respondents identifying artificial intelligence as the most significant driver of change in the threat landscape. The Tech Edvocate cited the report in a May 8 analysis, noting that the shift from ransomware to fraud is not merely a matter of frequency but of financial impact. Fraud operations, increasingly automated by AI, scale differently than ransomware campaigns. They do not require a victim to pay; they extract money directly.
That does not mean ransomware is receding. The same WEF report describes ransomware as a persistent threat, and the data from incident-response firms supports that assessment. What has changed is the profile of the typical attack. RaaS platforms have commoditised the mid-market: smaller companies, municipal governments, school districts, and regional healthcare providers are now targets because the cost of attacking them has dropped. A ransomware campaign that once required a team of skilled operators can now be run by a single affiliate with a RaaS subscription and a list of vulnerable VPN endpoints.
The disclosure timeline, meanwhile, remains broken. On April 16, 2026, Cookeville Regional Medical Center in Tennessee notified more than 337,000 patients that their personal and medical data had been compromised in a ransomware attack, Infosecurity Magazine reported. The attack was attributed to the Rhysida ransomware group. The breach occurred in July 2025. The notification went out nine months later.
That nine-month gap is not unusual. It sits well within the range of what U.S. breach-notification laws permit, and in some sectors, at the outer edge of what the SEC's cyber disclosure rules, which took effect in December 2023, require for material incidents. The rules ask companies to disclose material cybersecurity incidents within four business days of determining materiality. But materiality is a judgment call, and companies regularly spend months investigating before they conclude that a breach meets the threshold. The clock does not start at the moment of intrusion; it starts when the company decides the intrusion matters enough to tell someone.
The gap between intrusion and disclosure creates a second market. Ransomware groups have learned that the threat of public exposure is often more valuable than the threat of encrypted data. If a victim will not pay to unlock its files, it may pay to keep the breach out of the news. The Gentlemen and other RaaS groups now routinely operate data-leak sites where they publish samples of stolen data and set countdown timers. The negotiation is as much about reputation as it is about decryption keys.
The Citizens Financial Group incident illustrates how the disclosure gap functions in practice. On April 21, 2026, InvestmentNews reported that the bank was dealing with a data security incident tied to a third-party provider. Citizens said its own operations were unaffected and that customer impact was limited. Meanwhile, a ransomware gang claimed to have accessed millions of records linked to the bank. The public record, as of mid-May 2026, remains incomplete. The bank disclosed a vendor incident. The attackers claimed a larger breach. Neither account has been independently verified.
This pattern, a company describing an incident as limited while attackers claim something larger, has become a familiar feature of the ransomware landscape. It is not proof of dishonesty. Forensic investigations take time, and the initial scope of a breach is often unclear. But it is a structural problem. The public has no mechanism for resolving competing claims in anything close to real time. By the time a full investigation is complete, the news cycle has moved on.
The negotiator supply chain
The Martino case adds a new dimension to the disclosure problem. Companies that are hit by ransomware typically hire specialist firms to handle the negotiation. These firms receive detailed information about the breach: how the attacker got in, what systems were affected, what data was taken, and how much the company is willing to pay. A negotiator who is working with the attackers can feed that information back, enabling the criminals to calibrate their demands and target additional victims.
Prosecutors said Martino did exactly that. According to the Justice Department, he shared confidential client information with BlackCat and conspired to launch attacks against additional U.S. companies, CNN reported. The case is being described by federal investigators as groundbreaking, not because negotiator corruption is new, but because it is the first time the Justice Department has brought charges that trace the insider threat all the way through the ransomware supply chain.
The supply chain itself is largely unregulated. Ransomware negotiation firms are not licensed. There is no mandatory accreditation, no professional body with the power to sanction misconduct, and no requirement that firms disclose when one of their negotiators is compromised. Companies hire these firms under extreme time pressure, often on the recommendation of their cyber insurance carrier, which may have a preferred vendor list. Due diligence, in those circumstances, is compressed.
The cost of downtime
While the negotiator story highlights the human frailties in the response ecosystem, the financial cost of ransomware continues to be driven by operational downtime. INE Security, a cybersecurity training and certification provider, reported on April 30, 2026, that the financial and operational impact of ransomware attacks on industrial environments is escalating, Markets Insider noted. Manufacturing lines, energy systems, and logistics networks cannot simply be restored from backup and restarted; the physical processes they control must be safely shut down and recalibrated, sometimes over days or weeks.
pv magazine International reported in April that photovoltaic system operators face a parallel risk. Ransomware attacks on PV installations encrypt or lock critical system data and control platforms, preventing operators from managing their assets. An attack that disables a solar farm's control systems during peak generation hours does not just cost the operator revenue; it creates ripple effects across the grid that the operator's disclosure to regulators may or may not capture in a timely way.
The gap between what an attack costs and what is reported is itself an economic problem. Public companies disclose material incidents in SEC filings. But the filings describe the cost in broad terms: business interruption, remediation expenses, legal fees. The downstream cost, the lost revenue at a supplier whose shipments were delayed because a logistics provider was down, the cancelled surgeries at a hospital that diverted patients after an attack, the grid instability caused by a solar farm that went dark, rarely appears in any single disclosure. It is distributed across balance sheets that are not required to connect the dots back to the original intrusion.
The systemic version of the ransomware disclosure failure is not that companies lie. It is that the reporting framework was designed for a world in which breaches were discrete events with identifiable boundaries. Ransomware attacks in 2026 are supply chain events. They propagate through third-party vendors, managed service providers, and software platforms. The Gentlemen did not attack 320 separate companies. They attacked a small number of entry points and followed the trust relationships outward. Each downstream victim files its own disclosure, or does not, and no single entity is responsible for assembling the full picture.
"The case exposes a systemic risk for banks: incident-response and ransomware-negotiation firms receive sensitive breach details that a corrupted insider can sell back to the attackers." (Carter Pape, American Banker, May 1, 2026)
There are efforts underway to tighten the rules. The SEC has signalled that it views delayed ransomware disclosures as an enforcement priority, and the Department of Justice has made clear, through the Martino prosecution, that it will pursue insider corruption in the incident-response supply chain. But enforcement alone cannot close the gap. The gap exists because the incentives to minimise, delay, and fragment disclosure are embedded in the structure of the market. Companies pay ransoms in part to keep breaches quiet. They hire negotiators to manage the criminals, not to produce a public record. They disclose when the law requires it, and the law requires it only after they have decided the breach matters enough to say so.
Until the regulatory framework treats the disclosure clock as starting at the moment of reasonable detection, not at the moment of materiality determination, the nine-month gap between the Cookeville attack and the Cookeville notification will remain normal. Until ransomware negotiation firms are subject to the same kind of fiduciary scrutiny that applies to other crisis-management professions, the Martino case will remain a warning rather than a turning point. And until someone is responsible for connecting the dots across the supply chain, the full cost of a ransomware attack will remain knowable only in retrospect, long after the attackers have moved on to the next target.