Ransomware Explained: How Modern Attacks Work and the Global Policy Debate

Ransomware in 2026 is a franchised, automated industry: access brokers hand off breached networks in seconds, affiliates rent attack kits for the price of a streaming subscription, and victims face double and triple extortion. A complete guide to how modern attacks work, who runs them, the landmark 2025-26 incidents, and the global fight over whether paying should be illegal.
In the fastest cases recorded in 2025, the criminals who break into a corporate network now hand the keys to a ransomware crew in a matter of seconds, not hours. By the next morning a hospital is back to pen and paper, a car plant has gone dark, or a power utility is wrestling control systems back from an attacker. Ransomware in 2026 is no longer a lone hacker locking files for a few hundred dollars. It is a fast, automated, franchised industry with rented tools, customer-support desks and negotiated payouts. This guide explains exactly how that machine works, who runs it, what it costs the world, and the growing global fight over whether victims should even be allowed to pay.
What ransomware actually is
Ransomware is malicious software that takes something you need and holds it hostage. In its original form it encrypted your files and demanded payment, usually in cryptocurrency, for the key to unlock them. That simple idea has since grown into the most disruptive form of cybercrime on the planet, because attackers worked out that the real leverage is not just locking data but threatening to leak it, destroy it, or turn off the systems a business or hospital depends on to function.
The shift that matters most is industrialisation. A decade ago an attack was a single criminal with a single tool. Today it is a supply chain: one group writes the malware, another rents it, a third specialises in breaking in and selling that access on. Each step is optimised, automated and, increasingly, accelerated by artificial intelligence. That is why the timelines below have collapsed from weeks to seconds.
The anatomy of a modern attack
Almost every major ransomware incident follows the same rough sequence. Understanding it is the first step to interrupting it, because defenders who can detect any one of these stages can often stop the attack before encryption.
- Initial access. Attackers get in through a phishing email, a stolen or purchased password, or an unpatched internet-facing system. A whole criminal sub-industry of "initial access brokers" does nothing but get a foot in the door and sell it on.
- The handoff. The broker passes that access to a ransomware operator. In 2025 the median time for this handoff collapsed to 22 seconds, so defenders often have almost no window between the break-in and the real attack beginning.
- Reconnaissance and lateral movement. Inside the network, attackers map it and move sideways using legitimate administrative tools, a technique called "living off the land" that helps them slip past security software while they hunt for backups, domain controllers and the most valuable data.
- Exfiltration. Before anything is locked, sensitive data is quietly copied out. This stolen copy is the leverage for everything that follows.
- Encryption. The ransomware is deployed, scrambling files across servers and laptops and dropping a ransom note. Operations grind to a halt, sometimes within minutes.
- Extortion and negotiation. The demand arrives, usually with a countdown timer and a public "leak site" threatening to publish the stolen files. Negotiation, and sometimes a cryptocurrency payment, follows.

The extortion ladder: from locked files to all-out pressure
The single biggest evolution in ransomware is not technical but psychological. Attackers kept adding new ways to pressure victims into paying. Today most serious operations use at least double extortion.
| Stage | How the pressure works |
|---|---|
| Single extortion | Encrypt the files, sell back the decryption key. The classic model, and now the weakest, because good backups defeat it. |
| Double extortion | Steal the data first, then encrypt. Even if you restore from backups, the attacker threatens to publish your secrets. This is now the dominant model. |
| Triple extortion | Add a third squeeze: a denial-of-service attack to knock you offline, or direct threats to your customers, patients or partners whose data was caught up in the breach. |
| Quadruple extortion | Harass third parties, tip off journalists or regulators, and weaponise breach-disclosure rules to force a faster, larger payout. |
Ransomware-as-a-Service: the criminal economy
The engine behind the surge is a business model borrowed straight from legitimate tech: Ransomware-as-a-Service, or RaaS. It splits the work of building the malware from the work of attacking with it, exactly as a software company separates its developers from its salespeople.
This division of labour is what lowers the barrier to entry. Someone with little technical skill can rent a ready-made attack kit, complete with a payment portal and victim "support" chat, for as little as around $40 a month. The developers who maintain the platform typically take a 30 to 40 percent cut of each successful ransom, leaving the rest to the affiliate who carried out the attack.
| Who | What they do | Typical share |
|---|---|---|
| Operator / developer | Builds and hosts the malware, payment portal, leak site and negotiation desk. | 30 to 40% of the ransom |
| Affiliate | Breaks into victims, deploys the ransomware, runs the negotiation. | 60 to 80% of the ransom |
| Initial access broker | Specialises in gaining the first foothold and selling it on. | Flat fee per access |
The result is a resilient, franchised ecosystem. When one brand is taken down by police, its affiliates simply move to a competitor, which is why the industry keeps growing even as individual groups disappear.
Ransomware by the numbers
The headline numbers tell a striking, two-sided story for 2025: more attacks than ever, but fewer victims paying and smaller average payouts as defences and law-enforcement pressure improve.
| Metric | Figure | Source |
|---|---|---|
| Average cost of a data breach (global) | $4.44 million | IBM, 2025 |
| Average cost of a ransomware or extortion breach | $5.08 million | IBM, 2025 |
| Share of all breaches involving ransomware | 44% (88% at SMBs) | Verizon DBIR, 2025 |
| Most-targeted sector by volume | Manufacturing | Coveware, 2025 |
| Total ransoms paid on-chain | $820 million | Chainalysis, 2025 |
Who is behind it: the major groups of 2025-26
The landscape shifts constantly as groups are taken down, rebrand and splinter, but a handful of names dominate. According to Check Point, just four groups accounted for roughly 41 percent of all named victims in early 2026.
| Group | What to know |
|---|---|
| Qilin (Agenda) | The most prolific operation of 2025-26, which surged after rival RansomHub shut down and its affiliates moved across. |
| Akira | High-volume and operationally stable, a particular threat to small and mid-market organisations. |
| The Gentlemen | A fast-scaling newcomer from late 2025 running a self-propagating, Go-based encryptor, dissected by Microsoft in 2026. |
| Clop (Cl0p) | Known for mass supply-chain campaigns that exploit a single flaw in file-transfer software to hit hundreds of victims at once. |
| LockBit | Rebuilding after a major 2024 law-enforcement takedown, but still a top-tier name by volume. |
| INC Ransom | Named alongside Qilin as a key driver of the 2026 surge. |
When it gets real: landmark attacks of 2025-26
Statistics are abstract until a factory stops or a hospital closes. These verified incidents show the real-world reach of modern ransomware, across manufacturing, healthcare, critical infrastructure and, closer to home, India.
| Victim | When | Impact |
|---|---|---|
| Jaguar Land Rover (UK) | Aug to Oct 2025 | Production halted for around five weeks; described as the most damaging cyberattack in British history, with an estimated economic impact near 1.9 billion pounds and thousands of supply-chain firms affected. |
| University of Mississippi Medical Center (US) | Feb 2026 | Clinics across the state were forced to close and staff reverted to pen and paper for record-keeping for about two weeks. |
| Poland energy sector | Disclosed Jan 2026 | Operational-technology systems at roughly 30 distributed-energy sites were compromised. The grid backbone held and power stayed on, but it was a stark warning for critical infrastructure. |
| DaVita and Yale New Haven Health (US) | 2025 | Two of the largest healthcare breaches of the year, exposing data on roughly 2.7 million and 5.6 million people respectively. |
| Tata Technologies (India) | Jan 2025 | The Hunters International group claimed the attack and later leaked what it said was 1.4 TB of data. The company said operational impact was limited. |
The global policy fight: should paying be illegal?
A serious debate is now under way over whether governments should simply ban ransom payments. The logic for a ban is clean: no payments, no profit, no industry. The case against is messier and more human. Opponents warn that a blanket ban would punish victims who have no other way to recover, could push payments underground where they fund crime invisibly, and might just shift attackers toward whichever sectors are exempt.
Different jurisdictions are landing in very different places. The picture below is current as of mid-2026.
| Jurisdiction | Stance on paying a ransom |
|---|---|
| United Kingdom | Proposed in 2025, not yet law: a ban on payments by the public sector and critical national infrastructure, plus a requirement for other victims to report their intention to pay before paying, and mandatory incident reporting within 72 hours. |
| United States | No federal ban for private firms. Several states, including Florida, Tennessee and North Carolina, prohibit public bodies from paying. |
| European Union | No ban. The NIS2 directive mandates fast incident reporting (a 24-hour early warning and a 72-hour update), not payment bans. |
| India | No ban on paying a ransom; reporting rules are covered below. |
The influential Ransomware Task Force, convened by the Institute for Security and Technology, argues that a blanket ban is premature. It says a string of conditions, from better victim support to stronger reporting, must be in place first, or a ban risks doing more harm than good.
Reporting rules: where major economies stand
Banning payment is one lever governments pull; forcing fast disclosure is another, and here the world is moving quickly, on very different clocks.
| Country or bloc | How fast must a victim report? |
|---|---|
| India | Among the strictest anywhere: CERT-In requires reporting a ransomware incident within 6 hours of detection, with a separate breach-notification duty to the Data Protection Board under the DPDP Act. |
| European Union | Under the NIS2 directive, essential and important entities must send an early warning within 24 hours and a fuller notification within 72 hours. |
| Australia | Since May 2025, larger businesses and critical-infrastructure operators must report any ransom payment within 72 hours of paying it. |
| United States | No general federal mandate for private firms yet. Under CIRCIA, critical-infrastructure operators will have to report incidents within 72 hours and ransom payments within 24 hours once the rules are finalised, expected in 2026. |
| United Kingdom | Proposed in 2025, not yet law: mandatory incident reporting within 72 hours, alongside the planned public-sector payment ban. |
The direction is unmistakable: faster, mandatory disclosure. For an individual victim the rule is simpler everywhere: report at once. In India that means calling 1930 or filing at cybercrime.gov.in.
How to protect yourself and your organisation
There is no single product that stops ransomware. Resilience comes from layering a few defences that, together, make you a harder and less profitable target.
- Keep offline, tested backups. Immutable or offline backups you have actually practised restoring are the single best defence, because they let you recover without paying.
- Patch fast, especially anything internet-facing. AI has collapsed the gap between a flaw becoming public and being exploited, so treat exposed systems as urgent.
- Turn on multi-factor authentication everywhere. Most intrusions begin with a stolen password, and a second factor stops most of them dead.
- Segment your network. If one machine is compromised, segmentation stops the attacker reaching everything else.
- Limit administrator rights. Fewer privileged accounts means fewer paths for an attack to spread.
- Train people to spot phishing. It remains the number-one way in, and a sceptical workforce is a real control.
- Write and rehearse an incident-response plan. Decide in advance who you call, how you isolate systems, and whether you would ever pay.
For individuals, the basics matter just as much: keep your phone and computer updated, use a unique password for every account with a password manager, switch on multi-factor authentication, be wary of unexpected attachments and links, and back up your devices.
If you have been hit: the first hour
The first hour shapes everything that follows. Move deliberately, not in a panic.
- Isolate. Disconnect affected devices from the network and Wi-Fi to stop the spread. If you can, avoid powering them off, as memory can hold useful evidence.
- Preserve evidence. Keep the ransom note, system logs and any messages from the attackers. They matter for investigators and insurers.
- Report it. In India, call 1930 or file at cybercrime.gov.in. Organisations must also notify CERT-In within 6 hours.
- Do not rush to pay. Paying is no guarantee of recovery: only about half who pay get all their data back, and for some public bodies it may be unlawful.
- Get expert help. Engage incident responders and your insurer before opening any negotiation.
Frequently asked questions
What is the difference between single, double and triple extortion? Single extortion only encrypts your files. Double extortion also steals a copy first and threatens to leak it, defeating backups as a defence. Triple extortion adds more pressure, such as a denial-of-service attack or threats to your customers.
What is Ransomware-as-a-Service? A business model where one group builds and rents out the ransomware and infrastructure, while affiliates pay to use it to carry out attacks, splitting the proceeds.
Is it illegal to pay a ransom? In most countries, including India, the United States for private firms, and the EU, paying is not banned, though it may breach sanctions rules if the group is sanctioned. The UK has proposed banning payments by the public sector and critical infrastructure, but it is not yet law.
Does paying guarantee I get my data back? No. In 2025 only about 49 percent of organisations that paid recovered all their data, and paying also marks you as willing to pay again.
How do most ransomware attacks start? Through phishing emails, stolen or purchased passwords, and unpatched internet-facing systems.
How fast do attacks happen now? Very fast. In 2025 the median time for an access broker to hand a breached network to a follow-on attacker fell to 22 seconds, leaving defenders little time to react.
Sources
- Mandiant M-Trends 2026, the 22-second access handoff (via SecurityWeek)
- Verizon 2025 Data Breach Investigations Report
- IBM Cost of a Data Breach Report 2025
- Chainalysis 2026 Crypto Crime Report, ransomware payments
- Coveware quarterly ransomware reports
- Sophos State of Ransomware 2025
- Check Point Q1 2026 Ransomware Report
- Microsoft Security, The Gentlemen ransomware analysis
- Jaguar Land Rover cyberattack overview
- HIPAA Journal, University of Mississippi Medical Center attack
- The Record, Poland power-grid cyberattack
- BleepingComputer, Hunters International and Tata Technologies
- UK Government response on ransomware payment proposals (2025)
- Ransomware Task Force, roadmap on a potential payment ban
- CERT-In Directions 2022, 6-hour incident reporting (PDF)