Executive Summary
Ransomware payment economics in 2026 reflect a maturing extortion market with increasingly sophisticated pricing strategies, professional negotiation on both sides, and the deep intertwining of cyber insurance with ransom outcomes. Average ransom demands have increased 23% year-over-year compared to 2024, while the percentage of victims paying has declined slightly — suggesting that while groups are pricing more aggressively, improved resilience and negotiation sophistication are moderating overall payment rates.
Total estimated ransomware payments in 2025 exceeded $2.1 billion globally, continuing a trend of year-over-year growth despite law enforcement pressure and improved defences. The 2026 projection, based on Q1 data, suggests $2.4–2.7 billion for the full year.
Demand and Payment Data
Average Initial Demands by Sector (2025–2026)
| Sector | Median Initial Demand | Median Final Payment | Payment Rate |
|---|---|---|---|
| Healthcare (large systems) | $4.2M | $1.8M | 38% |
| Financial services | $5.7M | $2.1M | 29% |
| Manufacturing | $2.8M | $1.1M | 44% |
| Government/Education | $1.9M | $620K | 22% |
| Technology | $3.4M | $1.3M | 31% |
| Legal/Professional | $2.1M | $890K | 41% |
| Retail/Consumer | $1.6M | $580K | 35% |
These figures aggregate data from public disclosures, cyber insurance filings (anonymised), and incident response firm reporting. Individual cases vary significantly based on company size, data sensitivity, insurance coverage, and negotiation quality.
Negotiation Outcomes
The ransomware negotiation market has professionalisied significantly. Dedicated negotiation firms — some spun off from IR companies, others standalone — now handle a substantial portion of negotiations for insured organisations. The data shows a clear pattern:
Without a professional negotiator, victims achieve a median 31% reduction from initial demand. With a professional negotiator, that figure rises to 57%. Where a ransomware attorney is involved, the median reduction reaches 65%.
The attorney involvement advantage comes partly from negotiation skill and partly from legal privilege concerns — communications between victim organisations and their counsel about ransom payments may have different disclosure and discovery characteristics than communications through other channels.
On timing, the median settlement takes 8 days from first contact, with a range of 2 days (time-pressured cases with large data exfiltration threats) to 47 days (complex cases with legal complications). Groups with strict deadlines — LockBit, RansomHub — see 72% of settlements within 72 hours of the first deadline.
The Cyber Insurance Effect
Cyber insurance has become one of the most significant structural factors in ransomware economics.
Coverage and Limits
The cyber insurance market has tightened substantially since the 2021 crisis period. Average policy limits for SMEs sit around $2M (up from $1M in 2022, but often insufficient against larger demands), while enterprise coverage over $1B in revenue typically runs $50M–$150M across tower structures. Ransomware-specific sublimits are common, often set at 50% of the overall cyber limit, with waiting periods for new ransomware coverage typically running 90–180 days after policy inception.
The Insurance Signal Problem
Threat actors have developed methods to identify insurance-covered victims. Searching exfiltrated data for cyber insurance policy documents is routine — a significant proportion of enterprise networks contain email discussions of insurance terms. Groups calibrate demands to align with estimated coverage limits, demanding slightly below the coverage ceiling to maximise payment probability. The negotiation tactic of explicitly citing a victim’s policy limit (“We know your coverage is $X”) is sometimes accurate, sometimes a bluff, but demonstrates how deeply this intelligence-gathering has become embedded in extortion operations.
Several major insurance carriers have acknowledged that policy documents being found in victim data is a genuine operational security concern and have begun recommending that coverage terms not be stored in standard email systems.
Insurer-Mandated Negotiation
Most enterprise cyber insurance policies now require insurer involvement in ransom negotiations as a condition of coverage. Insurers employ staff negotiators or contracted firms and maintain databases of previous interactions with ransomware groups — data that informs negotiation strategy. This has created a documented effect where insurers, with repeat-player advantages, typically achieve better settlements than one-time corporate victims negotiating independently.
Geographic and Regulatory Factors
OFAC Sanctions Compliance
The U.S. Treasury Office of Foreign Assets Control (OFAC) has designated several ransomware actors, creating legal complications for payments that may flow to sanctioned individuals or entities. Organisations conduct sanctions screening on wallet addresses before payment, and some refuse payment entirely when actor attribution suggests sanctions exposure. OFAC’s 2021 guidance establishing that voluntary self-disclosure before payment can mitigate penalties has been used by dozens of organisations.
Payments to groups with clear OFAC designations (Evil Corp entities, individuals designated in connection with REvil) are rare from U.S. organisations. Groups are aware of this and some structure their affiliate programs to obscure connections to designated individuals.
EU NIS2 and Notification Requirements
The EU NIS2 Directive’s notification requirements — initial notification within 24 hours, detailed report within 72 hours for “significant incidents” — have affected the negotiation timeline calculus for European organisations. Several victims have reported using the notification deadline as leverage in negotiations: “We have 24 hours before we must notify regulators, at which point our options change significantly.”
Payment Methods and Traceability
Bitcoin remains the dominant payment currency by volume, but its traceability has driven a shift toward privacy-focused alternatives. Monero (XMR) is demanded by roughly 40% of active groups as the primary or sole payment option. Bitcoin via mixing and tumbling remains common, though chain analysis firms have improved de-mixing capabilities. Multi-hop exchanges through non-KYC platforms are the most common evasion approach for Bitcoin payments among sophisticated operators.
The FBI and DOJ have demonstrated increasing success in tracing and recovering Bitcoin ransomware payments, including the Colonial Pipeline recovery in 2021 and subsequent cases. This has shifted sophisticated actor behaviour toward Monero where possible.
Notable Anomalies and Outliers
Largest confirmed 2025 payment: $42M (manufacturing conglomerate, data exfiltration only, no encryption)
Fastest settlement: 3.5 hours from first contact to payment (healthcare organisation, active patient data involved, no dedicated security team, no IR firm engaged)
Longest refusal: A Fortune 500 technology company refused payment for 8 months while dealing with the consequences — data published in multiple tranches, regulatory investigations opened, class action lawsuit filed. The stated reasons included OFAC concerns and a policy-level decision against funding threat actors.
Outlook
The core driver of ransomware economics — the gap between the cost of a breach and the cost of the ransom — will continue to support demand as long as organisational security, backup resilience, and negotiation sophistication remain uneven. The groups that survive law enforcement pressure are running increasingly sophisticated extortion businesses rather than ad hoc criminal operations, and their pricing reflects genuine analysis of victim payment capacity.