What’s Actually Happening in Ransomware Right Now?
By Connor Duthie

For a long time, ransomware was often explained in fairly simple terms: attackers get into a network, encrypt files, demand payment, and hope the victim pays.
That description is no longer enough.
Ransomware today is broader, more commercialised, and more disruptive than many organisations still realise. It is no longer just about encryption. It is increasingly about extortion, identity compromise, operational disruption, and applying pressure at multiple points to force a response.
That shift matters, because if organisations are still preparing for ransomware as though it only looks like a “locked files” incident, they may already be behind.
“Ransomware is no longer just a malware problem. It’s a business pressure tactic.”
Jai Aenugu, CEO and Founder, TechForce Cyber
Ransomware is getting bigger, not simpler
Verizon’s 2025 Data Breach Investigations Report found ransomware was present in 44% of breaches, up from 32% the year before. It also reported that ransomware was linked to 75% of system intrusion breaches, underlining how central it remains to serious compromise activity.
That does not suggest a threat fading into the background. If anything, it suggests the opposite. Ransomware is still highly active, but it is no longer playing out in just one predictable way. The pressure model has matured, and the routes attackers use to gain access have diversified.
“The threat hasn’t become simpler. It’s become more adaptive, more targeted, and more commercially mature.”
Jai Aenugu
Encryption is now only part of the story
One of the clearest shifts in the current landscape is that encryption is no longer the only, or always the main, lever attackers use. Google Threat Intelligence Group’s 2026 ransomware report said that a growing share of the incidents it reviewed from 2025 involved data theft and extortion pressure, while Palo Alto Networks Unit 42’s Global Incident Response Report 2026 has reported more clearly that extortion is moving beyond encryption alone. Unit 42 found that encryption appeared in 78% of extortion cases in 2025, down sharply from the near-or-above-90% levels seen from 2021 to 2024. The report also said data theft remained a consistent feature of extortion activity, appearing in more than half of cases year over year.
That matters because an organisation can still face a significant ransomware-style crisis even when systems are not comprehensively encrypted. Palo Alto Networks Unit 42’s Global Incident Response Report 2026 reported that several 2025 intrusions proceeded with extortion even when victims retained access to their systems, with data exposure, direct pressure, or both creating enough leverage without file-locking. It also noted that some groups escalated pressure by contacting employees, customers, or partners, amplifying reputational and operational strain even when systems remained accessible.
“If your definition of ransomware begins and ends with encryption, you’re looking at yesterday’s problem.”
Jai Aenugu
Attackers are not always breaking in, but logging in
Another important shift is the growing role of identity compromise and access abuse. Microsoft’s Digital Defense Report 2025 says that in many cases attackers are no longer breaking in but logging in, with identity remaining a consistent entry point across cloud and hybrid environments.
At the same time, Google Threat Intelligence Group’s 2026 ransomware report reported that in roughly one third of the ransomware incidents it reviewed from 2025, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls. CISA’s StopRansomware Guide and the CISA/FBI #StopRansomware: Play ransomware advisory also continue to highlight valid accounts, exploited public-facing applications, and remote access services such as RDP and VPNs as common initial access routes.
In practical terms, a lot of current ransomware risk starts with stolen credentials, phishing or vishing, abused remote access, compromised SSO, or exposed public-facing systems.
“More and more, attackers aren’t breaking in. They’re logging in, moving quietly, and applying pressure when it hurts most.”
Jai Aenugu
The real impact is business disruption
This is one of the biggest reasons ransomware can no longer be treated purely as a technical issue. Palo Alto Networks Unit 42’s Global Incident Response Report 2026 found that in over 90% of breaches, preventable gaps materially enabled the intrusion, while 87% of intrusions involved activity across multiple attack surfaces. That shows how modern attacks can escalate quickly, moving beyond one compromised system to create wider operational impact.
That is why ransomware is now a resilience issue, not just an IT issue. The most significant damage often comes from halted operations, service interruption, leadership distraction, recovery costs, and reputational fallout rather than the ransom demand alone.
The pressure is also being applied faster. Palo Alto Networks Unit 42’s Global Incident Response Report 2026 found that the fastest 25% of intrusions reached exfiltration in 72 minutes in 2025, down from 285 minutes the year before. It also reported that the share of incidents reaching exfiltration in under one hour rose from 19% to 22%.
“The biggest cost of ransomware is often not the ransom. It’s the disruption, the downtime, and the pressure it creates across the business.”
Jai Aenugu
More victims are refusing to pay, but that does not mean the threat is shrinking
Some of the payment data may look encouraging at first glance. Chainalysis’ 2026 Crypto Crime Report ransomware findings reported that total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%. Verizon’s 2025 Data Breach Investigations Report also reported that 64% of victim organisations in its 2025 dataset did not pay the ransom.
But that does not mean the threat is going away. Lower payment levels do not necessarily mean fewer attacks or lower impact. A plausible reading of the broader trend is that pressure tactics are diversifying as victims become less likely to pay, which helps explain the increased focus on data theft, extortion, and operational disruption.
“Lower payments don’t mean lower risk. They often mean attackers are finding new ways to force a decision.”
Jai Aenugu
What this means for organisations
The practical takeaway is that ransomware defence today is less about one silver bullet and more about reducing the number of routes attackers can use. CISA’s StopRansomware Guide recommends measures including stronger identity protection, MFA, tighter control of remote access, faster patching of internet-facing systems, protected backups, and response planning in advance.
In real terms, organisations should be looking closely at identity hardening, remote access exposure, patching discipline, early detection of credential theft, backup resilience, and incident response readiness. The question is no longer just whether the business can recover encrypted files. It is whether it can contain access abuse, limit disruption, protect data, and make good decisions under pressure.
“Good ransomware defence is not just about prevention. It’s about reducing opportunity, containing impact, and being ready to respond.”
Jai Aenugu
The takeaway
Ransomware today is faster, more commercialised, more identity-led, and more focused on disruption and extortion than encryption alone.
The organisations that respond well to this shift will not just be the ones with better tools. They will be the ones that understand ransomware as a wider resilience challenge and prepare accordingly.
“The organisations that will handle ransomware best are the ones treating it as a business resilience issue now, not after an incident.”
Jai Aenugu
