Cybersecurity

The ransomware renaissance: $120 million demands, triple extortion, and the new rules of digital extortion

Ransomware attacks in 2025 and 2026 have outstripped everything before them. Demands have hit $120 million. Criminal crews have turned into specialized firms. They are hitting hospitals, power grids, and software supply chains with surgical precision. This is not a surge. It is a structural transformation.

Emmanuel Fabrice Omgbwa Yasse

2026-06-30 · 5 min read

The ransomware renaissance: $120 million demands, triple extortion, and the new rules of digital extortion

The ransomware landscape of 2025 and 2026 looks nothing like what organizations faced two years ago. The old spray-and-pray operations run by low-skill actors have given way to a multi-billion-dollar criminal industry. Think corporate structures, relentless innovation, and eye-watering financial demands.

Data aggregated from incident response firms, threat intelligence platforms, and leaked dark web forums paints a stark picture: ransomware is not just surviving, it is evolving faster than many defenses can keep up.

Record-breaking demands and payments

The most eye-catching trend is the sheer size of ransom demands. Early in 2025, a multinational healthcare conglomerate was hit with a $120 million demand, the largest publicly recorded in history. The victim refused to pay. But other organizations have quietly wired eight-figure sums to get back online. According to data from Coveware and Chainalysis, the average ransom payment jumped 38% year-over-year in the first quarter of 2025, hitting $1.2 million. By Q3 2025, that figure climbed to $1.6 million, fueled by a handful of mega-payments in the $10 million to $50 million range.

Today's criminal groups use data to set their prices. They scour leaked insurance documents and financial disclosures to calibrate demands precisely to a victim's ability and willingness to pay. The “big game hunting” strategy, picking on large enterprises with deep pockets, is now the standard playbook.

The rise of specialized ransomware groups

The era of a single dominant ransomware variant is over. In its place, dozens of specialized groups have emerged, each zeroing in on particular sectors, geographies, or technologies. Notable newcomers include:

  • VoidCrypt v3, A group that exclusively targets energy grids and utilities, using custom-built exploits for SCADA systems.
  • PhantomLace, Focused on cloud-native environments, exploiting misconfigured Kubernetes clusters and serverless functions for initial access.
  • RansackAI, The first ransomware group to integrate large language models for automated negotiation, victim profiling, and even code obfuscation.

Established groups have adapted, too. LockBit 4.0, released in late 2024, introduced a modular architecture that lets affiliates select plugins tailored to specific industries, from healthcare to manufacturing, boosting infection success rates by an estimated 25 percent.

Sectoral shifts: critical infrastructure in the crosshairs

One of the most alarming developments is the deliberate targeting of critical infrastructure. In 2025, attacks on healthcare, energy, water treatment, and transportation accounted for 41 percent of all ransomware incidents, up from 28 percent in 2023. The reports show that threat actors are no longer shying away from sectors where loss of life is a possible consequence, they are actively pursuing them, knowing that operational urgency translates into faster payments.

Healthcare took the heaviest hit: over 180 hospitals and clinic networks were attacked in 2025, leading to canceled surgeries, diverted ambulances, and at least three documented patient deaths linked to delayed care. Energy infrastructure attacks in Europe and North America caused localized blackouts and forced industrial facilities to shut down production for days.

Supply chain and ransomware-as-a-service 2.0

Ransomware-as-a-Service (RaaS) has matured into a full-fledged ecosystem. Affiliate recruitment now mirrors legitimate software partnerships, with tiered commission structures, marketing materials, and even training programs. The data reveals that the average affiliate can earn between $300,000 and $900,000 a year, drawing talent from both criminal circles and legitimate tech jobs.

Supply chain compromises have become the preferred attack vector. By targeting managed service providers (MSPs), software vendors, and cloud platforms, attackers can compromise hundreds of victims in a single operation. The Kaseya-style attack is no longer an outlier, it is a template. In 2025, ten major supply chain ransomware events each affected over 1,000 downstream organizations.

Extortion tactics evolve: triple extortion becomes standard

Triple extortion, encrypting data, exfiltrating it for leak auctions, and conducting DDoS attacks, is now standard practice. Some groups have added a fourth layer: notifying a victim's customers, partners, or regulators directly via email or social media, ratcheting up legal and reputational pressure. The psychological dimension of extortion is being weaponized systematically.

Data leak sites have become professionalized marketplaces, with searchable databases, sample previews, and bidding wars for exclusive access to stolen datasets. In 2025, the average time from initial access to data publication dropped from 12 days to 7, driven by automated exfiltration pipelines.

Defensive responses and the role of AI

Defenders have not been sitting still. The reports highlight a surge in the adoption of AI-driven detection and response tools. Behavioral analytics, anomaly detection, and automated containment have reduced mean dwell time from 10 days in 2023 to just 3 days in 2025 for organizations with mature security operations. But attackers are also using AI: to craft more convincing phishing lures, to evade endpoint detection systems, and to reverse-engineer patches in hours.

The cat-and-mouse game has intensified. What remains clear is that ransomware cannot be solved by technology alone. Organizational resilience, cyber insurance reforms, and international law enforcement cooperation are now equally critical.

Outlook for 2026 and beyond

If current trends hold, 2026 will bring even more specialization, higher demands, and deeper integration of AI into both attack and defense. The threat intelligence points to the emergence of ransomware groups that will operate on a franchise model, offering turnkey operations to non-technical criminals. The democratization of ransomware, paradoxically, will coexist with a concentration of the highest-impact attacks among a small number of elite groups.

Organizations that treat ransomware as a board-level risk, invest in proactive threat hunting, and rehearse incident response plans will fare better. But the underlying drivers, financial reward, low risk of prosecution, and a seemingly endless supply of exploitable vulnerabilities, show no sign of abating.

The ransomware renaissance of 2025-2026 is not a passing storm. It is the new climate.