Ransomware Trends 2026: Operational Shifts, Regulatory Pressure and Intelligence-Led Defense


Part 3 of Cognyte’s Ransomware Series 

In the first two blogs of this series, we examined how ransomware gangs operate and evolve and why certain sectors, such as tech companies, government, financial services and healthcare, remain disproportionately targeted. Those discussions highlighted two foundational realities: ransomware is a mature criminal ecosystem and sector-specific exposure dramatically shapes attacker behavior. 

This third installment builds directly on those insights by focusing on where ransomware operations are heading next. This blog analyzes emerging operational trends, regulatory countermeasures and intelligence-driven defenses that security leaders across national SOCs, critical infrastructure, financial services, telecom, transportation and healthcare must account for in 2026 and beyond. 

Understanding these trends is not academic. It is a prerequisite for preparedness. Recent ransomware statistics and ransomware attack trends show that the operational sophistication of attacks, particularly against critical infrastructure and regulated sectors, continues to increase. As the financial rewards of ransomware attacks remain high and the barriers to entry continue to fall, attacks will continue to increase. Organizations that fail to adapt their detection and prevention strategies will find themselves reacting to last year’s threats, while adversaries move on. 

Ransomware Attacks in 2026: Converging Tactics, Expanding Impact 

Current ransomware trends reflect a shift toward scalable access models, credential-driven intrusion and repeatable extortion techniques. The ecosystem of ransomware groups continues to cycle between fragmentation and consolidation. While new groups emerge frequently, successful tactics are rapidly copied, refined and scaled. The result is a threat landscape defined less by novel malware strains and more by repeatable, high-return attack chains that exploit trust, vulnerable credentials and third-party dependencies. 

Key Ransomware Statistics from 2025 

  • 7,809 confirmed ransomware incidents were publicly disclosed globally, based on dark web leak-site and extortion-platform postings. This is an increase of roughly 27.3% year-over-year compared to 2024. (Cognyte’s annual threat landscape report) 
  • Critical infrastructure and essential sectors (manufacturing, healthcare, energy, transportation, finance) accounted for 33.6% of all ransomware attacks, underscoring persistence of strategic targeting. (Cognyte’s annual ransomware report) 
  • North America remained the most targeted region, representing an estimated 47–52% of global incidents in 2025. 
  • EU and broader Europe saw continued growth in attack share, with notable spikes in countries such as Spain with +61% year-over-year in reported incidents. 
  • Data exfiltration was involved in roughly 76% of ransomware cases, with exfiltration preceding or entirely replacing encryption, reflecting a shift toward data extortion tactics. 
  • We analyzed over 125 ransomware groups during 2025, reflecting both established actors and new actors entering the ransomware ecosystem. (Cognyte’s annual threat landscape report) 
  • Ransom demands are inconsistent, but some sectors reported declines in payment rates as organizations improved their defensive posture and backup resilience. 
  • Attackers increasingly utilized credential compromise, third-party vendor exploitation and automated scanning tools as primary vectors in ransomware campaigns. 

Ransomware 2024 vs 2025 Comparison Table (ransomware statistics; table image not reproduced here)

Supply Chain Attacks and Mass Exploitation of Trusted Platforms 

Mass exploitation refers to attacks that leverage a single vulnerability or access point to compromise hundreds or thousands of downstream organizations simultaneously. Rather than targeting victims individually, ransomware operators increasingly focus on software vendors, managed service providers and data transfer platforms that sit upstream in enterprise ecosystems. 


The MOVEit campaign in 2023 demonstrated the scale and efficiency of this approach, enabling the Cl0p ransomware group to compromise data across hundreds of organizations through a single managed file transfer product. This tactic aligns closely with the dynamics discussed in Part 1 of this series: ransomware gangs behave like businesses, prioritizing operational efficiency and return on investment. 

More recently, the Cl0p ransomware group and associated threat cluster FIN11 conducted a high-impact campaign targeting Oracle E-Business Suite (EBS) enterprise resource planning environments by exploiting a critical zero-day vulnerability (CVE-2025-61882) and related flaws to exfiltrate sensitive business data from dozens of organizations before issuing extortion demands.  
 
In this campaign, nearly 30 alleged victims, including major enterprises spanning technology, manufacturing, professional services and transportation, were publicly listed on Cl0p’s leak site. Analysis of the campaign suggests that hundreds of gigabytes, or even terabytes, of files were stolen from impacted Oracle EBS deployments.  

This incident underscores how adversaries can weaponize vulnerabilities in enterprise platforms, even those which are widely deployed and trusted, to simultaneously compromise multiple downstream organizations, amplifying impact and complicating incident response. 

Infostealer-Derived Credentials as a Primary Access Vector

Infostealers are malware designed to harvest credentials, session cookies and authentication tokens from infected endpoints. These logs are then aggregated, sold and resold in criminal marketplaces, forming a persistent supply chain for ransomware initial access. Because stolen session cookies and tokens can be replayed without the password, a password reset alone does not close the exposure; the affected sessions and tokens must be revoked as well. 

Rather than relying on phishing or direct exploitation, ransomware operators increasingly purchase validated credentials and integrate them into automated attack chains. This lets attackers bypass perimeter defenses entirely and blend into legitimate user activity, which is particularly dangerous for sectors with large remote workforces or complex SaaS environments. 

A notable evolution in this trend is the observed misuse of enterprise collaboration and ticketing platforms, including Atlassian and Jira environments. Credentials associated with service accounts or operational email addresses (e.g. [email protected]) frequently appear in infostealer logs, providing attackers with privileged visibility into workflows, infrastructure details and internal communications. This reflects a broader shift toward credential-based intrusion as the preferred entry point for ransomware campaigns. 
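The triage a defender would run over a purchased or leaked stealer log is illustrated below. This is an added example, not code from the post or from Cognyte’s product: it parses constructed log lines in the widespread URL:USER:PASSWORD layout, keeps only credentials tied to an assumed organization (the example-corp.com domain, its Atlassian tenant and the service-account and high-value-host heuristics are all assumptions), de-duplicates repeated entries, flags service accounts and workflow or remote-access platforms as high severity, notes passwords reused across several hosts, and retains only a SHA-256 fingerprint of each password rather than the plaintext.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Organization scope. These domains, tenant hosts and heuristics are assumptions
# for the example, not values taken from the post.
ORG_EMAIL_DOMAINS = {"example-corp.com"}
ORG_HOSTS = {"example-corp.atlassian.net"}   # SaaS tenants not under the org's own DNS
SERVICE_ACCOUNT_HINTS = ("svc", "it-ops", "itops", "jira", "admin", "support", "noreply", "automation")
HIGH_VALUE_HOST_PATTERNS = (".atlassian.net", "jira.", "confluence.", "vpn.", "sso.", "okta.")
SEVERITY_RANK = {"high": 0, "medium": 1}

# One record per line in the common "URL:USER:PASSWORD" stealer-log layout.
# The URL stops at the first colon after an optional port, the user may not contain
# colons, and the password group is greedy so colons inside passwords survive.
LINE_RE = re.compile(
    r"^(?P<url>\S+?://[^\s:]+(?::\d+)?[^\s:]*):(?P<user>[^\s:]+):(?P<password>.*)$"
)

# Constructed sample log; every host, account and password here is fictitious.
SAMPLE_LOG = """\
https://example-corp.atlassian.net/login:it-ops@example-corp.com:Summer2025!
https://jira.example-corp.com/secure/Dashboard.jspa:jdoe@example-corp.com:Welcome1
https://mail.google.com/:someone@gmail.com:hunter2
https://vpn.example-corp.com:443/remote/login:jdoe:P@ss:w0rd
https://example-corp.atlassian.net/login:it-ops@example-corp.com:Summer2025!
android://com.example.app/:user:pass
https://www.example-corp.com/portal:jdoe@example-corp.com:Welcome1
this line is not in the expected format
"""


@dataclass
class Finding:
    host: str
    user: str
    severity: str
    reasons: list
    password_fingerprint: str   # sha256 prefix; the plaintext password is never retained


def _fingerprint(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def _parse(line):
    """Return (host, user, password) or None for a line that does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if not host:
        return None
    return host.lower(), m["user"], m["password"]


def _in_scope(host, user):
    if host in ORG_HOSTS:
        return True
    if any(host == d or host.endswith("." + d) for d in ORG_EMAIL_DOMAINS):
        return True
    return "@" in user and user.rsplit("@", 1)[1].lower() in ORG_EMAIL_DOMAINS


def _classify(host, user):
    reasons = []
    local = user.split("@", 1)[0].lower()
    if any(local.startswith(h) for h in SERVICE_ACCOUNT_HINTS):
        reasons.append("service or shared account name")
    if any(p in host for p in HIGH_VALUE_HOST_PATTERNS):
        reasons.append("workflow, identity or remote-access platform")
    return ("high" if reasons else "medium"), reasons


def triage(log_text):
    """Return in-scope, de-duplicated findings sorted by severity, plus counters."""
    seen = {}
    skipped = out_of_scope = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = _parse(raw)
        if rec is None:
            skipped += 1
            continue
        host, user, password = rec
        if not _in_scope(host, user):
            out_of_scope += 1
            continue
        key = (host, user, _fingerprint(password))
        if key in seen:
            continue            # same credential dumped twice; count it once
        sev, reasons = _classify(host, user)
        seen[key] = Finding(host, user, sev, reasons, key[2])

    # The same password for one user on several hosts means one reset is not enough.
    by_cred = defaultdict(list)
    for host, user, fp in seen:
        by_cred[(user, fp)].append(host)
    for f in seen.values():
        hosts = by_cred[(f.user, f.password_fingerprint)]
        if len(hosts) > 1:
            f.reasons.append(f"same password on {len(hosts)} hosts")

    findings = sorted(seen.values(), key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.user))
    return {"findings": findings, "skipped": skipped, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f.severity:6} {f.user} @ {f.host}  {'; '.join(f.reasons)}")
    print(f"skipped={result['skipped']} out_of_scope={result['out_of_scope']}")
```

On the constructed sample this yields four findings: three high (the it-ops account on the Atlassian tenant, the Jira login and the VPN login) and one medium (a web portal), with the duplicated Atlassian line counted once, the two non-corporate entries dropped, the malformed line skipped, and the password shared between the Jira and portal logins called out so that both sessions are revoked together. Real dumps vary in delimiter and field order, so the regex is the part to adapt first.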

Recycling Scams and Secondary Extortion 

So-called recycling scams are not cases where organizations are unaware they have been breached. Instead, they exploit a more common reality: organizations often lack full visibility into the scope and downstream exposure of stolen data, particularly when they are under intense pressure to respond to an incident. 

In these scenarios, threat actors demand payment for data that has already been exfiltrated, sometimes months earlier, and may already be circulating among brokers or on dark web forums. The urgency of regulatory deadlines and reputational risk can push organizations into paying, even when containment has already occurred. 

Recent high-profile cases, including repeat extortion attempts against healthcare and municipal entities, illustrate how attackers resurface previously stolen datasets to extract additional payments. This model aligns closely with the healthcare-focused attacks discussed in Part 2 of this series, where operational disruption and patient safety concerns amplify pressure on victims. 

The Global Ransomware Regulatory Environment 

Governments are increasingly treating ransomware as a national security and systemic risk issue, rather than a purely criminal matter. Regulatory responses generally fall into three categories: mandatory disclosure, financial disincentives and resilience mandates. These regulatory responses are directly informed by ransomware statistics demonstrating increased attack frequency and growing systemic risk to critical infrastructure providers. 

  1. Mandatory Disclosure Requirements 
    Mandatory reporting aims to improve collective visibility into ransomware activity and accelerate coordinated response. 
    • Australia implemented mandatory ransomware and cyber extortion payment reporting in May 2025, requiring disclosure within 72 hours of a payment being made. Early indicators suggest improved national-level situational awareness, though organizations face increased compliance pressure during active incidents. 
    • United States legislation, including the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requires covered entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours, enabling cross-sector trend analysis and federal response coordination. 
    • Several U.S. states, including New York, have introduced accelerated reporting timelines and post-payment justification requirements for public entities. 
  2. Reducing Financial Incentives 
    Some jurisdictions are attempting to directly disrupt ransomware economics by restricting or criminalizing payments. 
    • Countries such as Italy and the UK are advancing legislation that prohibits or criminalizes ransomware payments within public or essential services sectors. 
    • These measures aim to reduce attacker profitability but also raise complex operational and ethical challenges for victim organizations. 
  3. Strengthening Cyber Resilience (NIS2 and DORA) 
    • Rather than focusing solely on incidents, the EU is emphasizing preventative resilience through frameworks such as the NIS2 Directive and the Digital Operational Resilience Act (DORA). These regulations mandate improved risk management, incident response and third-party oversight across critical sectors. 
    • Japan’s Basic Act on Cybersecurity, while less prescriptive, has contributed to increased investment in preventative controls and cross-sector coordination, particularly among critical infrastructure operators. 

Intelligence-Led Defense Against Modern Ransomware 

From Trend Awareness to Actionable Intelligence 

Understanding ransomware trends is only valuable if organizations can translate insight into prevention. Modern ransomware defense depends on external threat intelligence, particularly visibility into an organization’s attack surface, credential exposure and data leakage beyond the perimeter. As ransomware attack trends continue to favor credential-based access and third-party exploitation, external threat intelligence becomes a foundational capability rather than a supplementary add-on. 

Cognyte’s LUMINAR enables organizations to operationalize threat intelligence to protect against the trends outlined above. The platform can provide visibility across a wide range of sources, including deep and dark web forums, criminal marketplaces, independent research, commercial feeds, historical datasets and traditional intelligence channels. 

By correlating these sources, LUMINAR can help organizations identify: 

  • Credential exposure from infostealer logs before access is abused 
  • Early indicators of mass exploitation campaigns targeting trusted vendors 
  • Evidence of data leakage that could enable secondary or recycled extortion attempts 

Rather than responding after extortion pressure is applied, organizations can intervene earlier in the ransomware attack chain. 

LUMINAR delivers rapid, intelligence-driven value by integrating seamlessly into existing SOC, SIEM, and SOAR workflows, supporting continuous monitoring, risk prioritization and informed decision-making throughout the incident lifecycle. 

Conclusion 

Ransomware attacks remain highly profitable, adaptive and resilient despite increasing global regulation. Legislative pressure may alter attacker behavior; however, it does not eliminate motivation. 

As demonstrated across all three blogs in this series, successful ransomware defense requires:

  • Understanding how ransomware groups operate and monetize attacks 
  • Recognizing sector-specific risk dynamics 
  • Anticipating emerging trends and regulatory constraints 
  • Investing in preventative, intelligence-led security strategies 


Tanya Gottdiener , Threat Intelligence Product Analyst

Tanya is a Threat Intelligence Product Analyst for the LUMINAR Threat Intelligence team. Tanya is responsible for analyzing trends in the Deep and Dark Web as well as researching APT, cybercrime and hacktivist attacks worldwide. She holds an M.A. in International Relations and Affairs from the Hebrew University and studied Mandarin at Sichuan University.