June 4, 2026
Ransomware Isn't Getting Cheaper. Your Board Just Thinks It Is.

Here is a stat that sounds like good news: in 2025, 69% of ransomware victims chose not to pay the ransom. The median amount paid by those who did is now $139,875, down from $150,000 the year before.
If you stopped reading there, you might walk into your next board meeting and declare progress. Ransomware is still everywhere, sure, but at least organizations are paying less and standing their ground more.
The problem is that the ransom is not the cost. It never really was.
Nearly Half of All Breaches Are Ransomware Now
Let's start with the scope of the problem, because it matters.
According to the 2026 Verizon Data Breach Investigations Report (DBIR), ransomware was present in 48% of all breaches last year. That is up from 44% the year before. Nearly one in every two security incidents that results in a data breach now involves ransomware in some form.
Think about what that means for how you run your risk program. Most organizations still treat ransomware as a serious but relatively uncommon scenario. Something to plan for, but not something you expect to happen. At 48%, that framing no longer holds. Ransomware is not a tail risk. It is the baseline.
And it is not slowing down in any meaningful way. The DBIR describes the ransomware market as going through "commoditization," where attackers are scaling to cover margin compression. In other words, ransomware has turned into a business model, and that business model is running efficiently. The barrier to launching an attack keeps dropping. The number of actors keeps rising. And the targets remain virtually everyone.
The Ransom is the Smallest Part of What This Costs
Here is where many boards get the math wrong.
When a ransomware event hits, the ransom demand is the number that shows up in internal emails (and if you’re unlucky, possibly also in news headlines). It is concrete. It feels like the thing to negotiate or refuse. But for most organizations, the ransom itself represents a fraction of the total financial impact.
Think through what actually happens after a ransomware attack locks your systems.
Operations stop, or slow to a crawl. Every hour your systems are down is revenue you are not generating, orders you are not filling, services you are not delivering. For a mid-sized manufacturer or a healthcare system, the cost of a single day of operational disruption can run well into the hundreds of thousands of dollars. A week-long recovery, which is common, can be catastrophic.
Then come the recovery costs. Rebuilding systems, restoring data from backups (if they exist and haven't been compromised), hiring forensics firms to understand what happened and what was accessed. These costs are real, and they are substantial. They also take time to show up in full, which is why many organizations systematically underestimate them in their pre-incident planning.
There are legal costs. Depending on your industry and jurisdiction, a ransomware event may trigger notification obligations to customers, patients, or partners. That means lawyers. It means communications consultants. It means call centers to handle incoming questions.
And then there is reputational damage, which is the hardest to quantify but often the most lasting. Customers lose trust. Prospects choose a competitor. Renewal conversations get harder. For publicly traded companies, the stock market has a habit of reacting quickly and unkindly.
None of this appears in the $139,875 median ransom figure. When you add up the real total cost of a ransomware event, including downtime, recovery, legal, notification, and lost business, you are typically looking at a number that is ten to twenty times the ransom itself.
So, the fact that organizations are paying less in ransom is not the signal your board should be celebrating. The more important questions are: How long would recovery take? What does an hour of downtime actually cost this business? And have we modeled the full financial exposure, not just the ransom scenario?
A New Layer Nobody Was Expecting: Mandatory Reporting
And then, just as organizations were getting comfortable with the operational and financial dimensions of ransomware risk, regulators started adding new obligations.
In Australia, mandatory ransomware reporting came into effect on May 30, 2025, under the country's Cyber Security Act. Any entity with an annual turnover above AUD $3 million (roughly $2.15M US) is now required to report ransomware payments to the government. Not just the incident. The payment. With tight timelines and real consequences for non-compliance.
And there’s also the U.S., with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This law establishes strict reporting requirements to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Under the law, any organization considered to be in a critical infrastructure sector must report to the authorities within 24 hours of making a ransom payment, and within 72 hours of recognizing a substantial cyber incident. Critical infrastructure sectors include finance, healthcare, energy, and IT.
So how come Australia is considered the first government to mandate ransomware reporting, if the U.S. law was legislated a couple of years earlier? Quite simple. CIRCIA required CISA to complete a multi-year formal rulemaking process before its mandates became legally binding requirements. Due to implementation delays and extensive public feedback on its scope, the final rules establishing the mandatory U.S. reporting obligations have not been published yet; they are expected in the coming months. This is why Australia is the first government to actually mandate reporting of ransomware payments.
And there’s more. Additional federal requirements mandate that if the organization interacts with sanctioned entities or countries in paying a ransom, then the payment must also be reported to and authorized by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
Moreover, numerous U.S. states (such as Florida, New York, and Ohio), as well as specific financial regulators (like the New York State Department of Financial Services), enforce their own localized ransomware payment reporting mandates for municipal governments and state-regulated entities.
And while Australia got there first, and the U.S. is expected to implement the mandate in the coming months within CIRCIA, this is not just an Australian and U.S. story. Similar frameworks are being developed in the UK and across the European Union. The direction of travel is clear. Governments want visibility into ransomware payments, and they are increasingly willing to mandate it.
For a GRC team, this changes the calculus significantly.
Before these regimes, a ransomware incident was primarily an operational crisis with financial consequences. Now it is also a regulatory event with reporting timelines, documentation requirements, and cross-jurisdictional complexity. If your organization operates in multiple countries, which most organizations of any meaningful size do, you may simultaneously face different obligations in each of them.
And here is the part that catches most teams off guard. These reporting obligations do not wait for the chaos to settle. They are triggered quickly, often within days of the incident. While your IT and security teams are in full crisis mode trying to restore systems, your compliance team needs to simultaneously figure out which regulators require notification, what information needs to be reported, and by when.
If you have not built that process in advance, you will be building it in the worst possible moment.
What This Means for How You Build Your Risk Program
Taken together, the 2026 DBIR ransomware findings add up to a clear message for risk and compliance leaders.
First, ransomware needs to live in your risk register as a high-probability event, not a high-impact-but-unlikely one. At 48% of breaches, the probability assumptions that made sense five years ago are simply outdated. Your likelihood ratings, your risk appetite statements, and your board reporting all need to reflect the current reality.
Second, your financial modeling needs to go deeper than the ransom figure. Build out full economic scenarios for a ransomware event, including downtime costs, recovery costs, legal and notification costs, and realistic estimates of reputational impact. This is the number your CFO and board actually need in order to make informed decisions about investment in controls and insurance.
Third, your compliance function needs to own the regulatory reporting dimension of a ransomware event, with documented runbooks prepared in advance. Which jurisdictions apply to your business? What are the specific triggering thresholds and timelines in each? Who in your organization has the authority to make the decision about whether a payment was made, and how does that decision get documented? These are questions to answer before an incident, not during one.
Finally, and maybe most importantly, all three of these workstreams need to be connected. Right now, most organizations handle ransomware risk as a security problem, ransomware recovery as an IT problem, and regulatory reporting as a legal or compliance problem. In practice, all three happen at the same time, with shared information requirements and overlapping decisions. A GRC program that integrates these threads, with shared risk data, shared incident documentation, and a single source of truth for regulatory obligations, is significantly better positioned than one that treats them as separate domains.
The Bottom Line
The headline ransomware numbers in the 2026 DBIR look like a mixed picture. Prevalence is up. Payments are slightly down. You could tell either story.
But the more useful story is this: ransomware has become a near-certainty for organizations of any scale, the true cost is much higher than many boards have modeled, and the regulatory environment is adding new obligations that most compliance teams are not yet ready for.
The organizations that handle ransomware best in the next few years will not necessarily be the ones with the best incident response. They will be the ones that treated it as a risk management problem long before the attack ever happened.
--------------
Data in this post is drawn from the 2026 Verizon Data Breach Investigations Report. Ransomware prevalence figures are cited from page 11. Financial trend data is from page 42. Australia's mandatory reporting regime is detailed on page 44.