VYPR
trendPublished Jul 16, 2026· 1 source

Ransomware Victims Pay Less, Fueling Extortionist Innovation

Ransomware victims are increasingly unwilling to pay ransoms, forcing cybercriminal groups to innovate with AI and new evasion tactics, while the US targets enablers of these attacks.

Ransomware victims are paying less to cybercriminals, a trend that is compelling attackers to explore new strategies and reshape the extortion industry. Top ransomware groups are demonstrating constant innovation, including developing new capabilities to evade endpoint detection and response systems, as seen with the Deadlock group. The ransomware-as-a-service operation, The Gentlemen, has notably leveraged artificial intelligence tools to refresh its malware more rapidly and uses this as a recruitment incentive for affiliates, according to a recent report from ReliaQuest.

This shift towards AI-driven innovation may be linked to the increasing number of non-paying victims. The Gentlemen, for instance, recorded the highest number of non-paying victims among ransomware groups in the second quarter. While ransomware groups do not disclose all victims who pay, researchers track market share by monitoring their data-leak blogs, which list a subset of alleged victims who refused to pay. ReliaQuest's analysis revealed a 51% year-over-year increase in total victim listings during the second quarter, reaching 2,252, with Qilin, DragonForce, Akira, and LockBit rounding out the top five.

However, rankings do not tell the complete story. ReliaQuest advises defenders to focus on attacker behaviors rather than leaderboard fluctuations, as some of the most disruptive groups might not always appear in the top ranks. Meanwhile, the cost of recovering from a ransomware attack continues to rise, averaging $1.7 million over the past 12 months, an 11% increase from the previous year, according to Sophos.

The median ransom payment has significantly decreased, now standing at $698,000, down from $1.3 million the previous year and $2 million in the 2024 report. Sophos also noted a median ransom payment of $769,000 in their latest findings, a drop from $1 million last year. The willingness of victims to pay varied considerably by sector, with 72% of local and state governments paying, compared to 45% of healthcare firms and 32% of retailers.

In parallel with these trends, the United States has taken action against cybercrime enablers. The Treasury Department sanctioned two individuals accused of facilitating cybercrime: Dmytro Rashevskyi, an administrator for the VPN provider First VPN Service, and Yegeniy Silayev, who allegedly sold cryptors used to disguise malware. The Treasury stated that First VPN Service aided ransomware groups by concealing attack origins, deploying malware, and managing stolen data.

These sanctioned services are alleged to have caused billions of dollars in losses across various sectors, including businesses, hospitals, financial institutions, and government entities. The dismantling of 1VPNS in a multinational law enforcement operation in May highlights the increasing global effort to disrupt the cybercrime ecosystem.

Beyond ransomware, other cyber threats continue to emerge. Cybercriminals are exploiting the demand for Celine Dion's concerts through a sophisticated ticket scam involving social engineering on Facebook and fake ticketing websites. Group-IB researchers discovered fraudsters infiltrating fan groups, building trust, and then offering tickets via direct bank transfers instead of official resale platforms. Victims receive seemingly legitimate ticket transfers, but the same digital ticket is sold multiple times, with only the first attendee gaining entry.

This multifaceted threat landscape, characterized by evolving ransomware tactics, targeted scams, and actions against cybercrime infrastructure, underscores the need for continuous vigilance and adaptation by cybersecurity professionals and organizations worldwide.

Synthesized by Vypr AI