Ransomware is a cybersecurity issue that refuses to disappear. If anything, attacks are becoming more disruptive, difficult to fix and financially costly.
The average ransom demand in 2025 was $1.3 million, and over half of payments cost over $1 million. That is a stark contrast with ransomware attacks a decade ago, which saw average ransom demands of under $1000, according to a Symantec report published in 2016.
Even when victims refuse to pay a ransom in return for a decryption key, ransomware attacks are still costly. You just have to look at the long-term operational and financial impact ransomware attacks had on organizations like Jaguar Land Rover, Marks & Spencer and Asahi in 2025.
In 2026, there have already been several high-profile ransomware incidents, indicating the problem shows no signs of abating.
The uncomfortable truth is that ransomware has been known to be a significant cybersecurity risk to organizations for at least a decade, yet it is also more disruptive than ever before. So, why is this the case?
Criminal Hackers Monetize Poor Cyber Hygiene
While many successful ransomware groups are well-resourced and can resort to sophisticated social engineering techniques to infiltrate their targets, most of the time it is the same old cybersecurity vulnerabilities and exposures that provide them with unauthorized network access.
“Ransomware attacks are happening at scale and targeting every type of organization, causing a significant amount of business disruption. CISOs are very much focused on trying to mitigate the threat of ransomware, but unfortunately, it’s just the monetization of poor cyber hygiene,” Gavin Millard, VP of product at Tenable, told Infosecurity.
Cybercriminals continue to use unpatched software vulnerabilities, phishing attacks and the exploitation of weak or re-used passwords to access networks.
This is compounded with a lack of basic cybersecurity protections like multi-factor authentication (MFA).
In addition, excessive and unnecessary user permissions remain a major risk. When accounts have access to systems or data they don’t actually need, attackers who compromise those accounts can quietly move laterally across the network, escalate privileges and expand their reach without being detected.
“The problem isn’t ransomware itself, the problem is everything before that,” Etay Maor, VP of threat intelligence at Cato Networks, told Infosecurity.
“We’re still failing with basic stuff. If you ask a detection and response team, they’ll tell you that over 80% of attacks are because of a misconfigured security system or an unpatched system.”
More Complex IT Environments, More Entry Points
Enterprise networks have become larger and more complex to manage compared with just a decade ago, making the attack surface exponentially larger.
For instance, cloud infrastructure has become core to how organizations operate. Meanwhile, businesses are rapidly rolling out artificial intelligence (AI) tools like chatbots and AI agents as part of their infrastructure.
These deployments are made with efficiency in mind, but if they’re not configured correctly, they can expand the attack surface. Cloud suites which allow employees to be productive from anywhere can also be exploited by cybercriminals.
For ransomware actors, abusing legitimate accounts makes it harder for their targets to detect malicious activity. Organizations can monitor the context in which an account is being used, such as logins at unusual times of day or activity not normally associated with the account, but even then, it may be too late.
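The kind of context check described above, as an added illustration that is not part of the article: a per-account baseline of usual hours, source hosts and actions is built from past authentication events, and new events that deviate from it are flagged. The log format, field names and the sample events are all constructed for this example; a real deployment would build the baseline over weeks of data and feed the findings into an alerting pipeline.

```python
"""Flag account activity that falls outside an established per-account baseline.

Added example (not from the article). The four-field log format below,
the account and host names and the hour tolerance are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log: timestamp, account, source host, action.
BASELINE_LOG = """\
2025-03-03T09:12:00 alice ws-fin-01 login
2025-03-03T10:40:00 alice ws-fin-01 open_share:finance
2025-03-04T08:55:00 alice ws-fin-01 login
2025-03-04T14:02:00 alice ws-fin-01 open_share:finance
2025-03-05T09:05:00 alice ws-fin-01 login
2025-03-03T08:30:00 bob ws-eng-07 login
2025-03-03T11:15:00 bob ws-eng-07 git_push
2025-03-04T09:00:00 bob ws-eng-07 login
2025-03-05T10:20:00 bob ws-eng-07 git_push
"""

# Constructed new events to evaluate; the 02:xx entries for alice are the
# "unusual time of day" / "unusual activity" case the article describes.
NEW_EVENTS = """\
2025-03-10T09:20:00 alice ws-fin-01 login
2025-03-10T02:47:00 alice ws-fin-01 login
2025-03-10T02:51:00 alice srv-file-02 open_share:hr-records
2025-03-10T10:05:00 bob ws-eng-07 git_push
"""


def parse(log):
    """Turn log text into (timestamp, account, host, action) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), account, host, action))
    return events


def build_baseline(events):
    """Per account: the hours of day, source hosts and actions seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set(), "actions": set()})
    for ts, account, host, action in events:
        entry = baseline[account]
        entry["hours"].add(ts.hour)
        entry["hosts"].add(host)
        entry["actions"].add(action)
    return dict(baseline)


def _hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_anomalies(baseline, events, hour_slack=1):
    """Return a list of (event, reasons) for events that deviate from the baseline.

    hour_slack is the tolerance, in hours, around any hour previously seen
    for the account (an assumed value; tune it to the environment).
    """
    findings = []
    for event in events:
        ts, account, host, action = event
        entry = baseline.get(account)
        reasons = []
        if entry is None:
            reasons.append("account has no baseline")
        else:
            if all(_hour_distance(ts.hour, h) > hour_slack for h in entry["hours"]):
                reasons.append(f"unusual hour {ts.hour:02d}:00")
            if host not in entry["hosts"]:
                reasons.append(f"new source host {host}")
            if action not in entry["actions"]:
                reasons.append(f"new action {action}")
        if reasons:
            findings.append((event, reasons))
    return findings


def run():
    """Build the baseline from history and evaluate the new events."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return flag_anomalies(baseline, parse(NEW_EVENTS))


if __name__ == "__main__":
    for (ts, account, host, action), reasons in run():
        print(f"{ts.isoformat()} {account}@{host} {action}: {', '.join(reasons)}")
```

The 02:47 login is flagged on time of day alone; the 02:51 share access on a host and share the account has never touched is flagged on all three dimensions, which is the stronger signal. Both flags fire after the account has already been used, which is exactly the "it may be too late" caveat: the baseline check narrows the window for the responder, it does not replace MFA or least-privilege controls that would have blocked the access in the first place.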
Cybersecurity personnel have limited time windows in which to fix problems, especially if activities like applying software patches or operating system updates can’t take place during peak business hours. That can easily result in known security issues not being fixed.
“Behind everything you don’t have fixed is effort. You’ve only got a finite amount of effort that you can apply to a problem. We know that if you have good cyber hygiene, these issues go away. But finding the right things to fix, or finding where you could fix things faster, is a tough job, especially in a complex environment,” said Millard.
Social Engineering Users to Bypass Cybersecurity Controls
Cybercriminals don’t even have to take over accounts themselves: they use social engineering to trick employees into unwittingly compromising networks on their behalf.
Selena Larson, senior threat intelligence analyst at Proofpoint, told Infosecurity, “Social engineering has always been a part of the overall delivery for cybercrime. But now we’re seeing things like ClickFix, which is absolutely taking over the landscape in terms of initial access.”
ClickFix is a social engineering technique that uses dialog boxes containing fake error or verification messages to lure people into copying, pasting and running malicious content on their own computer.
“It’s pretty unique, because by convincing users to run a script themselves, they’re getting users to bypass security controls. The threat actor doesn’t really have to do anything except convince somebody to follow these instructions,” Larson added.
AI Supercharges Ransomware Attacks
AI has also opened new avenues for attackers, who can now exploit LLMs and other AI tools to help produce customized, bespoke lures, emails and other content, no matter where in the world they’re looking for victims.
They can also use deepfake audio or video calls to pose as IT support staff or senior executives to manipulate users into performing actions which provide or escalate network access.
“They have completely ramped up their operational tempo and their ability to customize and specifically target users in geographical regions with specific lures for the people they’re targeting,” said Larson.
While the most lucrative ransomware attacks are concentrated around operations by highly organized cybercriminal gangs, the rise of AI-assisted ransomware kits and tactical playbooks means lower-level threat actors are capable of causing big problems for victims.
Maor noted that AI makes things quicker for attackers and it lowers the bar of what it takes to deploy attacks.
“In 2016, if you wanted to deploy ransomware, you needed to know things. Now, it can all be taken over by AI: if you want to write some code you can use prompts to get an AI to write it,” he said.
Why Paying Ransoms Just Means More Ransomware
Security vulnerabilities, social engineering, and AI tools that make it easier for attackers to build and distribute ransomware: these are just some of the ways cybercriminals can infiltrate networks, encrypt files and demand a ransom.
But ultimately, ransomware continues to be an active threat because some victims are paying that ransom. As long as payments to cybercriminals are made, ransomware attacks will continue.
Tenable’s Millard urged organizations to take a different approach to ransomware.
“You should not pay your way out of the fact you didn’t have a robust incident and response or disaster recovery plan,” he said. “Because all you’re doing is enabling attackers to invest more money into making ransomware faster and more scalable.”
Conclusion: Stronger Security Cuts Ransom Risk
Putting robust security controls in place to prevent attackers from accessing an organization’s network is a key step in avoiding ever having to consider paying a ransom.
Maor quipped, “There’s a quote from Pirates of the Caribbean, Jack Sparrow says ‘The problem is not the problem, the problem is your attitude about the problem’. The problem isn’t ransomware itself; the problem is everything before that.”
“It’s the way we detect, mitigate and prevent all the steps that lead to the actual doom of the ransomware itself,” he added.
Applying security patches and updates, enforcing multi-factor authentication on user accounts, and ensuring that the security team is well-resourced and has enough time to detect and examine potential red flags that might indicate a problem can all help to disrupt ransomware attacks before they happen.
It can be difficult to encourage boards to invest in these things. But the cost of prevention is far cheaper than the cost of dealing with a ransomware attack.
