Ransomware Statistics 2026: 16 Key Numbers
On-device OCR. Secure, built for iOS.
Ransomware Statistics 2026: 16 Key Numbers
Ransomware appeared in 44% of all data breaches in 2025, up from 32% the year before, according to the Verizon Data Breach Investigations Report. IBM's 2025 Cost of a Data Breach Report puts the average cost of a ransomware incident at $5.08 million, excluding the ransom payment itself. Attackers now move from initial access to deployment in a median of just 5 days, and Sophos found that 94% of ransomware victims had their backups targeted. Cybersecurity Ventures projects global ransomware damage will reach $74 billion in 2026. These 16 statistics show the real scale of a threat that destroys files, halts operations, and leaves businesses without the documents they depend on.
Ransomware has become the dominant form of cybercrime against businesses of every size. The combination of encrypted files, stolen data, and crippled operations creates losses that go far beyond any ransom figure. For context on the broader digital threat environment, our cybersecurity statistics overview maps the full landscape of attacks businesses face in 2026.
This post covers attack frequency, financial costs, downtime, ransom payment trends, backup vulnerability, and the outsized risk faced by small businesses and critical sectors. It draws from the most credible primary sources available: IBM, Verizon, Sophos, Chainalysis, the FBI, ENISA, and Cybersecurity Ventures. Below are the 16 statistics that define ransomware in 2026.
1. Ransomware appeared in 44% of all data breaches in 2025
Ransomware featured in 44% of all confirmed data breaches analyzed in the 2025 Verizon Data Breach Investigations Report, a sharp jump from 32% the year before. The same report recorded ransomware in 31% of all security incidents, more than double the 14% share from the prior year. Verizon analyzed over 22,000 security incidents and 12,195 confirmed breaches across 139 countries for this edition, the largest dataset in the report's history. The scale of the jump signals that ransomware is no longer one threat among many - it has become the defining breach mechanism. For businesses that focus on phishing or credential theft as primary risks, these numbers are a stark reminder that the endpoint of most attacks is now file encryption and data extortion. Protecting documents and data before an attack is the only reliable defense, since recovery after encryption is slow, expensive, and uncertain.
Source: Verizon - 2025 Data Breach Investigations Report
2. IBM puts the average ransomware incident cost at $5.08 million
The average cost of a ransomware or extortion incident reached $5.08 million in 2025, according to IBM's Cost of a Data Breach Report. That figure covers detection, containment, notification, lost business, and recovery - but it does not include any ransom payment. The broader average for all breach types fell slightly to $4.44 million globally, but ransomware incidents continue to track above that baseline because they typically involve longer detection windows and more extensive remediation. In the United States, the average total breach cost reached a record $10.22 million across all incident types. IBM's research also found that organizations using AI security tools extensively saved nearly $1.9 million per incident and cut their breach lifecycle by 80 days. The practical implication is that the cost of prevention is a fraction of the cost of response, and document security is part of that prevention equation.
Source: IBM - Cost of a Data Breach Report 2025
3. 88% of small business breaches involve ransomware
Ransomware featured in 88% of all confirmed data breaches at small and medium-sized businesses in 2025, compared to just 39% at large enterprises, according to Verizon's DBIR. The gap is dramatic and reflects a structural problem: smaller organizations are less likely to have network segmentation, mature detection tools, or a dedicated incident response capability. The median ransom payment across all victims fell to $115,000 in 2025, a figure that falls within the annual revenue of many small businesses. Verizon found that SMBs bore nearly four times the attack volume relative to their size compared with larger organizations. The data demolishes the assumption that small businesses fly under attackers' radar. In practice, SMBs are primary targets precisely because their defenses are lighter and their backups are less reliable - making payment more likely when an attack succeeds.
Source: Verizon - 2025 Data Breach Investigations Report
4. 94% of ransomware victims had their backups targeted
Sophos found that 94% of organizations hit by ransomware in the past year reported that attackers attempted to compromise their backups during the attack, according to the State of Ransomware 2025 report. More troubling, 57% of those compromise attempts succeeded. When backups were compromised, the consequences multiplied fast: victims were almost twice as likely to pay the ransom, and their total recovery bill was eight times higher than for those whose backups remained intact. Median ransom demands reached $2.3 million when backups were compromised, versus $1 million when they were not. The backup-targeting behavior has become standard practice for ransomware operators because it removes the victim's exit route. An organization that believed its offline backups made it immune to ransomware pressure now faces a far more complicated calculation. Offsite and offline document storage, including on-device copies, becomes materially more valuable in this context.
Source: Sophos - The State of Ransomware 2025
5. Recovery costs fell to $1.53 million but remain substantial
The average cost to recover from a ransomware attack - excluding the ransom payment itself - dropped 44% to $1.53 million in 2025, down from $2.73 million in 2024, according to Sophos. That improvement reflects faster detection, better incident response tooling, and the growing share of attacks stopped before encryption completes. Recovery costs scale with company size: organizations with 100-250 employees averaged $638,536, while those with 1,000-5,000 employees faced $1.83 million. Despite the positive trend, $1.53 million represents a business-threatening sum for most small and mid-sized organizations. Sophos also found that 53% of ransomware victims fully recovered within a week in 2025, up from 35% in 2024, which indicates real progress in resilience. Still, 47% of victims needed more than a week to restore operations, and every day of downtime adds to the final bill in lost revenue and productivity.
Source: Sophos - The State of Ransomware 2025
6. Attackers deploy ransomware in a median of 5 days
The median time from initial network access to ransomware deployment has compressed to just 5 days in 2025, down from 9 days the previous year, according to Sophos and Verizon research. Earlier in the decade, attackers often spent weeks or months inside a network before triggering encryption. That dwell time gave defenders a window to detect unusual activity and intervene. A 5-day window is narrow enough to outpace most security monitoring cycles in organizations without dedicated threat hunting. More than half of ransomware deployments in 2025 occurred within 24 hours of initial access, and 10% occurred within five hours. The acceleration is enabled by automation, pre-packaged ransomware kits, and the purchase of pre-established network access from initial access brokers. The practical consequence is that the gap between infection and data loss has almost closed - making prevention and pre-breach document security the only reliable strategies.
Source: Sophos - 2025 Active Adversary Report
7. Ransomware payments totaled $820 million on-chain in 2025
Ransomware operators collected approximately $820 million in cryptocurrency payments from victims in 2025, according to Chainalysis blockchain analysis, with the final figure expected to rise to around $900 million as late-attributed payments are counted. Despite rising attack volumes, the payment total is lower than prior years, reflecting a record-low payment rate of 28% among victims. The median ransom payment surged 368% year over year to nearly $60,000 in 2025, from roughly $12,700 in 2024, as groups concentrated on extracting larger sums from fewer victims. The $820 million figure captures only confirmed on-chain payments and excludes unreported incidents, out-of-band settlements, and indirect costs. It represents the minimum floor of the ransomware economy, not its ceiling. The combination of rising attack frequency and falling payment rates signals a partial shift in victim strategy - but with 28% still paying, the economics remain profitable for attackers.
Source: Chainalysis - Crypto Crime Ransomware 2025
8. Global ransomware damage is projected at $74 billion in 2026
Cybersecurity Ventures projects global ransomware damage costs will reach $74 billion in 2026, breaking down to $203 million per day, $8.5 million per hour, and $141,000 per minute. These figures encompass ransom payments, productivity loss, recovery labor, legal costs, regulatory penalties, and reputational harm. The same projections place the 2031 figure at $275 billion annually, a roughly 4x increase in five years, driven by the continued growth of ransomware-as-a-service groups and expanding attack surface. The trajectory from $20 billion per year in 2021 to $74 billion in 2026 represents a compound annual growth rate above 25%. These are damage estimates, not just direct payments, which is why they dwarf the Chainalysis payment totals. Every hour a business is offline, every file that cannot be retrieved, and every customer relationship damaged by a breach contributes to numbers of this scale.
Source: Cybersecurity Ventures - Ransomware Damage Costs 2026
9. The FBI recorded 3,156 ransomware complaints in 2024
The FBI's Internet Crime Complaint Center logged 3,156 ransomware complaints in 2024, a 9% increase from the 2,825 recorded in 2023, according to the IC3 Annual Report. Ransomware was the most pervasive threat to critical infrastructure sectors for the year. The top variants responsible for IC3 complaints were Akira, LockBit, RansomHub, FOG, and PLAY. FBI-reported figures represent a fraction of actual incidents - organizations often resolve attacks quietly to avoid reputational damage or regulatory scrutiny. The IC3 data also does not capture losses that victims report directly to local FBI field offices. Total cybercrime losses tracked by the FBI reached $16.6 billion in 2024, a 33% increase from 2023, and ransomware was a leading driver of that growth. Since 2022, the FBI has provided over 4,000 decryption keys to ransomware victims, helping avoid more than $800 million in payments.
Source: FBI IC3 - 2024 Annual Report
10. Half of 2025 ransomware attacks hit critical infrastructure
Ransomware targeted critical infrastructure in 50% of the 4,701 recorded incidents between January and September 2025, a 34% year-over-year increase, according to industry analysis. Healthcare emerged as the single hardest-hit sector, with more than one healthcare organization struck every day. IBM's data puts the average healthcare data breach cost at $9.7 million, the highest of any industry, reflecting the combination of regulatory penalties, patient safety requirements, and the sensitive nature of medical records. The FBI's 2024 IC3 report independently confirmed that ransomware is the dominant threat to critical infrastructure, with healthcare, financial services, and energy bearing the heaviest burden. When ransomware hits a hospital, it does not just lock files - it disrupts patient care, disables diagnostic equipment, and forces manual workarounds for processes that depend on digital records. The sector concentration means attacks on critical services carry costs that extend well beyond the balance sheet. See our data breach statistics for a broader view of how sector-specific breach costs break down.
Source: Industrial Cyber - Ransomware Attacks Critical Infrastructure 2025
11. 75% of ransomware attacks now include data exfiltration
Three quarters of ransomware attacks in 2025 involved data exfiltration before encryption, according to Sophos research. This tactic - known as double extortion - means attackers steal documents and data first, then encrypt the victim's systems. Even if the victim restores from backup and refuses to pay for a decryption key, the stolen data remains in attacker hands and can be published or sold. The proportion of attacks using this tactic has grown steadily as ransomware groups realized that backup-equipped victims had an exit route from encryption-only extortion. With exfiltration in place, that exit is blocked. For businesses that handle sensitive client documents, contracts, personnel records, or financial files, the implications go beyond operational disruption into client liability and regulatory exposure. The shift makes the pre-breach security of document storage - including keeping sensitive files local and private - more consequential than ever.
Source: Sophos - The State of Ransomware in Enterprise 2025
12. Nearly half of victims paid the ransom in 2025
Forty-nine percent of organizations that had data encrypted by ransomware in 2025 paid the ransom and recovered their data, according to Sophos. That payment rate is slightly lower than the 56% recorded in 2024 but remains the second-highest rate in six years of Sophos tracking. Among those that paid, 53% paid less than the initial demand, 29% matched it exactly, and 18% paid more than asked. Organizations paid an average of 85% of the initial ransom demand. The data shows that even with improving recovery capabilities, nearly half of victimized businesses still conclude that paying is their fastest or cheapest path back to operations. The payment rate drives the ransomware economy: as long as nearly half of victims pay, the business model remains profitable. The inverse is also true - the declining payment rate, from 56% to 49%, is slowly eroding the incentive structure, though the effect is gradual.
Source: Sophos - The State of Ransomware 2025
13. Average ransomware downtime reaches 24 days
The average downtime a company experiences following a ransomware attack is 24 days, according to multiple 2025 security industry reports. Organizations face between 21 and 27 days of disruption across most reported studies, with healthcare facing the longest recovery windows due to patient safety requirements and regulatory validation processes. Every day of downtime carries direct costs: idle staff, missed revenue, emergency vendor fees, and parallel manual operations. For a 100-person business, even conservative downtime cost estimates add hundreds of thousands of dollars on top of any ransom or technical recovery expenses. The 24-day figure reflects an average; smaller organizations with weaker backup infrastructure often take longer, while well-prepared enterprises with tested recovery playbooks can compress the window significantly. The 15% of victims who recovered in a day in 2025 did so because they had tested, isolated backups and pre-arranged incident response - not because they were lucky.
Source: Sophos - The State of Ransomware 2025
14. ENISA ranks ransomware as the second-highest cyber threat in Europe
The European Union Agency for Cybersecurity (ENISA) ranked ransomware as the second most prevalent cybersecurity threat across Europe in its 2024 Threat Landscape report, behind only distributed denial-of-service attacks. ENISA tracked 11,079 total cybersecurity incidents in the reporting period, including 322 incidents targeting two or more EU member states simultaneously. Public administration, healthcare, and transport were the most targeted sectors. The most frequently deployed ransomware strains against EU public sector organizations included RansomHub, LockBit 3.0, and 8Base. The ranking reflects ransomware's particular danger to government and critical services, where encrypted files can halt public service delivery and disable infrastructure that citizens rely on. ENISA's report also highlighted attackers' increasing use of living-off-the-land techniques - abusing built-in system tools - to blend in and avoid detection during the pre-encryption dwell period.
Source: ENISA - Threat Landscape 2024
15. 60% of small businesses close within 6 months of a ransomware attack
Research consistently cited across cybersecurity industry reports finds that approximately 60% of small businesses that suffer a significant ransomware attack close within six months of the incident. The path to closure is not always a direct financial wipeout: it can also be the accumulated cost of downtime, the loss of client trust, the expense of mandatory breach notification, and the months of operational disruption that follow. Nearly one in five small business owners who experience a cyberattack go bankrupt or shut down operations permanently. The asymmetry between large and small organizations is stark - enterprises can absorb a $5 million incident as a balance sheet line item, while many small businesses cannot survive even a fraction of that cost. This statistic is why phishing awareness and document security hygiene are survival-level concerns for small business owners, not optional IT investments. Our analysis of phishing statistics covers how most ransomware infections begin.
Source: Cybersecurity & Infrastructure Security Agency / Various Industry Research - SMB Ransomware Impact
16. Ransomware attacks surged 32% globally in 2025
Global ransomware attacks rose 32% in 2025 compared to 2024, with manufacturers emerging as the most targeted single industry, according to reporting from Industrial Cyber and Breachsense tracking of ransomware group activity. The total number of victims recorded across all tracked ransomware groups reached 7,307 in 2025, spread across 138 distinct criminal groups. Attack volumes increased despite declining payment rates, suggesting groups are compensating for lower success rates with higher frequency. Chainalysis separately tracked a 50% surge in claimed attacks even as payments fell, confirming the attack-volume-up, payment-rate-down dynamic. The growth of ransomware-as-a-service has lowered the technical barrier for new entrants, expanding the pool of threat actors beyond traditional criminal groups to include opportunistic affiliates. For any organization, the rising frequency means the question is less whether an attack will be attempted and more whether defenses will hold when one arrives.
Source: Industrial Cyber - Global Ransomware Attacks Rose 32% in 2025
What These Numbers Reveal About the Ransomware Threat in 2026
The statistics above converge on a single conclusion: ransomware has become systemic. It features in nearly half of all breaches, targets every sector, and concentrates disproportionate damage on the smallest organizations. The Verizon finding that 88% of small business breaches involve ransomware - versus 39% for large enterprises - captures the structural unfairness of the threat. SMBs lack the layered defenses and recovery infrastructure that help larger organizations absorb attacks, yet they face the same or higher targeting rates.
The backup-compromise data from Sophos is among the most important findings in recent years. When 94% of victims have their backups targeted and 57% of those attempts succeed, the traditional "maintain good backups" advice becomes necessary but not sufficient. Organizations need backup strategies that attackers cannot reach: air-gapped, encrypted, and tested. On-device local storage - documents that never leave a device and are never synced to a network share - represents one layer of that resilience. The same logic applies to sensitive documents that businesses handle daily: contracts, IDs, financial records, and client files that, if encrypted or stolen, create immediate operational and legal problems.
The double-extortion data reinforces this point. When 75% of attacks include data exfiltration alongside encryption, the question is not just whether you can restore operations - it is whether sensitive files were exposed. A business that scans and stores client documents in a cloud service with broad network access creates a different risk profile than one that keeps sensitive files on-device and local. The cost and downtime statistics make one thing clear: investing in prevention and document hygiene is orders of magnitude cheaper than recovering from an incident.
Ransomware does not just lock systems - it destroys documents, exposes data, and shuts businesses down. The organizations that fare best are those that treat document security as a daily practice, not a post-incident lesson.
Keep Your Documents Off the Ransomware Target List
Most ransomware damage touches documents first: contracts, invoices, IDs, receipts, and client files that get encrypted or stolen. Cloud-synced storage and network shares are exactly the high-value, easily-reachable targets ransomware operators go after. The case for keeping sensitive documents on-device - private, local, and never exposed to a network-accessible repository - has never been stronger.
Filewise is an on-device PDF and document scanner for iPhone that keeps everything local. Scan contracts, receipts, IDs, and business documents into sharp, searchable multi-page PDFs with on-device OCR - and keep them on your device with Face ID lock, not in a shared drive that ransomware can reach. No account required, no cloud sync, no ads.
Join the Filewise waitlist and start keeping your scanned documents private, local, and out of reach of network-targeting malware.
Filewise is launching soon - the private, on-device PDF scanner for iPhone with no ads and no subscription traps.
Join the Filewise Waitlist
On-device scanning and OCR · Face ID document lock · Launching soon on iOS
Frequently Asked Questions
How common are ransomware attacks in 2025?
Ransomware appeared in 44% of all confirmed data breaches in 2025, up from 32% the year before, according to the Verizon 2025 DBIR. The FBI logged 3,156 ransomware complaints in 2024 alone, a 9% increase year over year, while attack tracking firms recorded over 7,300 named victims globally in 2025 across 138 distinct criminal groups.
How much does a ransomware attack cost a business?
IBM's 2025 Cost of a Data Breach Report puts the average ransomware incident cost at $5.08 million, excluding any ransom payment. Sophos found that average recovery costs (also excluding ransom) fell to $1.53 million in 2025, down from $2.73 million in 2024. When backups are compromised, recovery costs are eight times higher than when they remain intact.
How long does recovery from ransomware take?
The average ransomware downtime is 24 days, though Sophos found that 53% of victims fully recovered within a week in 2025. Recovery speed depends heavily on backup quality and incident response preparedness. Healthcare organizations consistently face the longest recovery periods due to patient safety validation requirements before systems can be restored.
Why are small businesses especially vulnerable to ransomware?
The Verizon 2025 DBIR found ransomware in 88% of small business breaches, compared to 39% at large enterprises. SMBs typically lack network segmentation, dedicated security teams, and tested recovery playbooks. The median ransom payment of $115,000 in 2025 can represent a significant portion of a small business's annual revenue, and approximately 60% of small businesses that suffer a major attack close within six months.
🔒 Secure & on-device | 📱 Built for iOS