CISO Security Intel

Macro trends in ransomware volume, payments, and ecosystems as AI and RaaS reshape attacker economics

AI and the Global Ransomware Economy

The cybersecurity landscape in 2026 is witnessing transformative shifts driven by the integration of artificial intelligence (AI) and the evolution of Ransomware-as-a-Service (RaaS) models. These developments are fundamentally altering attacker economics, attack volumes, payment behaviors, and the structure of ransomware ecosystems.

Escalating Ransomware Attack Volumes Amid Declining Payments

Recent data indicates that ransomware attack volumes continue to surge. In 2025, ransomware incidents increased by approximately 50%, reflecting greater attacker activity and the proliferation of automated, AI-enhanced attack methods. Despite this surge, the ransom payment rate has declined to a historic low of around 28%, as organizations become more resistant to paying ransoms and adopt stronger defenses.

This paradox—rising attack frequency paired with decreasing ransom payments—suggests a strategic shift among cybercriminals. Instead of focusing solely on extorting victims, attackers are pivoting toward data theft and double extortion schemes, leveraging AI to automate exfiltration and increase operational efficiency. Threat actors now prioritize identity and access management (IAM) breaches, exploiting compromised credentials and supply chain vulnerabilities rather than just hacking systems.

Regional Targeting and Sector-Specific Trends

Key regions, particularly English-speaking countries, still account for a significant portion of ransomware activity, with reports indicating 70% of incidents occurring in these areas. Critical sectors such as healthcare, manufacturing, and energy remain prime targets. For example, the Mississippi Medical Center attack resulted in 11 days of operational disruption, highlighting vulnerabilities in interconnected IoT devices and unpatched firmware.

Supply chain vulnerabilities are exploited at an alarming rate; for instance, over 600 Fortinet appliances were compromised via supply chain manipulation, demonstrating how malicious firmware updates can facilitate ransomware deployment, espionage, or further attacks.

How AI and RaaS Are Accelerating Operations

The integration of generative AI has revolutionized ransomware operations. Threat actors harness AI to:

  • Automate reconnaissance and vulnerability scanning, including zero-day exploits.
  • Craft personalized spear-phishing campaigns using deepfake technology.
  • Create polymorphic malware that evades signature-based defenses.
  • Speed data exfiltration, with AI-driven attacks now capable of stealing data in as little as 72 minutes.

Generative AI lowers the technical barriers to entry and enables amateur actors to conduct sophisticated attacks. For example, a financially motivated threat actor with limited expertise used AI to breach hundreds of FortiGate devices at scale.

This acceleration of attack chains and automation has led to ecosystem churn, where ransomware groups frequently rebrand, shift, or dissolve, only to be replaced by new actors leveraging the same AI-enabled tools. The RAMP forum seizure exemplifies how criminal communities are fracturing and reforming rapidly, driven by AI-enabled operational agility.

Changing Profitability and Ecosystem Dynamics

While attack volumes are up, ransomware revenues are stagnating or declining. Chainalysis reports that ransom payments in 2025 topped $800 million, but the average payment rate has fallen sharply. This decline is partly due to victims' increased refusal to pay and improved defensive measures.

At the same time, attack profitability is influenced by the cost savings from automation and the reduced need for large-scale attacks. Cybercriminals now focus on smaller, more targeted campaigns, often using AI to identify high-value victims quickly.

Furthermore, attack ecosystems are becoming more fluid. As some ransomware groups face law enforcement pressure or internal fractures, new groups emerge, often using RaaS models that allow affiliates to conduct attacks with minimal technical skill, further fueling attack proliferation.

Defensive Innovations and Cryptographic Resilience

In response, organizations are deploying AI-powered autonomous defense platforms that anticipate, detect, and neutralize threats in real time. These Unified Agentic Defense Platforms (UADP) integrate multiple AI agents to coordinate responses proactively, significantly reducing dwell time and impact.

Additionally, the rise of Post-Quantum Cryptography (PQC) aims to safeguard data against future threats posed by quantum computing. Efforts such as Ampcus Cyber’s CISO Intelligence Council emphasize cryptographic agility, enabling rapid deployment of quantum-resistant standards.

Securing AI supply chains is also critical. Establishing trusted hardware sourcing, governance of AI data, and defenses against autonomous AI attacks are now priorities. Countries like Australia and the UAE are pioneering layered cybersecurity frameworks that embed AI-driven defensive tools to stay ahead of increasingly sophisticated AI-powered adversaries.

Strategic Priorities Moving Forward

To navigate this evolving landscape, organizations must:

  • Enhance IAM security, especially against deepfake-enabled phishing and credential breaches.
  • Operationalize cryptographic agility by adopting PQC standards swiftly.
  • Deploy AI-driven detection and response systems capable of real-time threat mitigation.
  • Secure supply chains and hardware to prevent malicious code injection.
  • Foster international collaboration for threat intelligence sharing and joint development of frontier tooling.

Conclusion

The convergence of AI and RaaS models is reshaping attacker economics in profound ways. Attack volumes are rising exponentially, yet ransom payments are declining as defenders become more resilient and less willing to pay. Meanwhile, innovative AI-driven tools are enabling faster, more targeted, and more automated attacks, fueling ecosystem churn and complicating traditional defense paradigms.

Success in this environment requires proactive, adaptive, and cryptographically resilient strategies—embracing automation, secure supply chains, and international cooperation to maintain cybersecurity resilience amidst this rapid transformation.


Additional Resources

  • "Anthropic: Making Frontier Cybersecurity Capabilities Available to Defenders" discusses emerging AI capabilities in cybersecurity.
  • "The quantum threat: why PQC readiness matters" emphasizes cryptographic agility.
  • "600+ FortiGate Devices Hacked by AI-Armed Amateur" highlights the accessibility of AI-powered attacks.
  • "AI-powered Cyber-Attacks Up Significantly in the Last Year, Warns CrowdStrike" underscores the accelerating threat landscape.

As AI continues to evolve, so must our defenses—viewing cybersecurity as a dynamic, ongoing race between offense and defense in this AI-empowered era.

Updated Mar 1, 2026