Ransomware Economics 2026 — Payment Rates Down, Pressure Up, India Now Top-5 Victim Geography

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
May 8, 2026
6 min read
Read as
Ransomware economics in 2026: payment rates dropped from ~75% (2019) to ~28% (Coveware Q3 2024), but median payment sizes rose to ~$200K. Total ecosystem revenue likely declined modestly while attack volume held steady — operators compensated by hitting more victims at higher pressure. Indian organisations now register in the global top-5 of victim geographies, driven by SMB exposure and slow patching cadence. This post covers the post-Conti / post-LockBit landscape, how the threat-actor economy actually works in 2026, and the strategic implications for Indian CISOs sizing their ransomware-readiness programs.

Ransomware is no longer the “lone wolf locks your files” story. It is a mature criminal economy with affiliate networks, leak-site marketing, negotiation specialists, and infrastructure-as-a-service. Tracking the economic structure clarifies which defensive investments matter and which are theatre.

The numbers — what the public data shows

Payment rates: Coveware’s quarterly reports show consistent decline — 76% paid in 2019, dropping to ~28% in Q3 2024. Drivers: better backups, regulatory pressure (US OFAC sanctioning specific groups, EU NIS2 enforcement, India’s CERT-In 6-hour reporting), insurance refusal to cover ransom payments without preconditions.

Average payment size: rose from ~$110K (2020) to ~$200K (2024). Operators pivoted to fewer-but-bigger victims; SMBs paying $50K replaced by mid-market paying $250K-$500K.

Attack volume: roughly stable. Public leak-site postings on the major RaaS sites averaged 400-500/month through 2024-2025. Volume is steady; payments down; fall-off in revenue compensated by better targeting.

Top operators 2025: LockBit (degraded by Operation Cronos in Feb 2024 but active rebranded), BlackCat/ALPHV (exit-scammed Mar 2024 but operators surfaced as RansomHub), Akira, Play, Black Basta, Qilin, Hunters International (Hive successor). Constant rebranding driven by law-enforcement pressure.

The double-extortion model — and why it broke down

2019-2022 evolution: ransomware operators added data exfiltration before encryption. Even if victim restored from backup, they faced public leak. Double pressure → higher payment rate.

2023-2024 evolution: triple extortion (DDoS + ransom + leak), quadruple (DDoS + ransom + leak + harassment of customers). Diminishing returns: organizations adapted, paid less. Worse for operators.

2025 evolution: data-exfil-only (no encryption). Operators pivot to “we won’t lock your systems, we’ll just leak your data unless you pay.” Examples: Cl0p’s MOVEit campaign, BianLian by 2024, Hunters International’s “RansomHub” rebrand. Faster intrusions (no encryption phase = less dwell time = lower detection); pure pressure economics.

The affiliate economy

RaaS structure: core operators write the encryption tool, run the leak site, manage negotiations. Affiliates execute intrusions and earn 70-85% of the ransom. The split has tightened from 70/30 in 2020 to 80/20 by 2024 — operators competing for skilled affiliates.

Affiliate sourcing: Telegram and Russian-language forums (XSS, Exploit). Recruitment posts seek “pentesters” with specific skills (Active Directory privilege escalation, EDR-evasion engineering, Cobalt Strike). Affiliate skill bands:

  • Tier 1 — independent operators capable of full-chain intrusion. Earn $1-5M/year. Maybe 100-200 globally.
  • Tier 2 — affiliated with a single RaaS, execute supplied playbooks. Earn $200K-$1M/year.
  • Tier 3 — initial-access brokers. Sell access ($1K-$50K) to affiliates. Don’t operate ransomware themselves.

Indian organisations as victims

Coveware Q3 2024: India ranked #5 globally by victim count; #2 if normalised by GDP. Drivers:

  • SMB exposure. Mid-size Indian companies (manufacturing, education, healthcare) often run unsupported Windows Server, unpatched VMware, no EDR. Easy targets.
  • Edge-gear lag. Cisco, Fortinet, SonicWall edge devices in Indian deployments often run firmware 12-24 months old. Mass-exploit campaigns (e.g., Fortinet CVE-2024-21762) hit Indian operators particularly hard.
  • MSP target concentration. Indian managed-service providers serving SMB customers became amplifying targets — one MSP breach → dozens of customers affected.
  • Insurance penetration low. Indian cyber insurance market is small; many SMB victims have no coverage and fewer professional negotiators. Higher payment rate when they do pay; sometimes higher amounts due to inexperience.

Notable 2024 Indian cases (publicly reported): AIIMS Delhi 2022 (still recovering operationally); ICICI Direct 2024 (limited disclosure); Tata Power 2022 (Hive); various pharma manufacturers (Cipla, Glenmark — limited public disclosure). Likely 10x more unreported cases.

What’s working defensively

  1. Immutable backups. Object-lock S3 / Wasabi / Azure Blob immutability makes encrypt-and-extort variants ineffective. The 28% who pay are largely those without recoverable backups.
  2. EDR + 24/7 SOC monitoring. Mean-dwell-time for ransomware operators is 5-7 days. EDR with active SOC catches the precursor activity (Mimikatz, BloodHound, Cobalt Strike beacons).
  3. Patching cadence on edge gear. Most ransomware intrusions in 2024-2025 entered via known-CVE on edge devices. Fast patching ends most affiliate-tier operators’ workflow.
  4. Network segmentation. Active Directory tier separation, micro-segmentation prevent lateral movement. Affiliates pivot to easier targets when segmentation is real.
  5. Tabletop exercises with leadership. The decision to pay/not-pay should not be made under crisis. Rehearse with legal, comms, finance pre-incident.

What’s not working

  • Cyber insurance as the primary defence. Insurers have tightened underwriting; many policies now exclude ransomware payments without prior notification and approval; renewals require documented controls (MFA, EDR, backups). Insurance is a recovery aid, not a substitute for security.
  • “Don’t pay” pledges as policy. The 2023 international counter-ransomware initiative encouraged member states’ organisations not to pay. Operationally, decision-making is more nuanced — pay-or-not depends on data sensitivity, business continuity, regulatory exposure. Blanket “never pay” is rarely workable.
  • One-time security audits. Annual pentest is necessary but insufficient. Continuous monitoring catches the actual intrusion timeline.

Strategic implications for Indian CISOs

  1. Treat ransomware-readiness as a continuous program, not a one-time project. Quarterly tabletop, monthly backup-restore tests, weekly EDR-detection-rate review, daily threat-hunt.
  2. Budget realistically. A ransomware-mature posture for a 1000-employee Indian company is roughly ₹2-4 crore/year (EDR + 24/7 SOC + immutable backup + tabletop). Cheaper than one paid ransom; cheaper than CERT-In disclosure obligations + DPDP penalty exposure.
  3. Pre-arrange incident-response retainer. Standby with a forensics + IR firm. Deploying one on day-of-incident costs 5-10x and delays response.
  4. Pre-arrange legal counsel for breach-notification (CERT-In, DPB), customer communications, and ransom-payment-decision support. The first 72 hours determine the regulatory outcome.
  5. Pre-decide your ransom philosophy. Document board-approved policy. “We don’t pay” or “we pay only if X criteria met.” Decision should not be improvised under pressure.

FAQ

Are ransomware operators getting smarter or are defences getting better?

Both. Operators added exfil-only, faster intrusions, better targeting. Defences added immutable backups, kernel-level EDR, fast patching. The gap is narrower than 2020, still favours operators against unprepared organisations.

Should we have a Bitcoin reserve “just in case”?

No. Buying Bitcoin pre-incident creates accounting and regulatory complications. If you need to pay, your IR firm will arrange a ransom-broker. Bitcoin reserves are not standard practice; they suggest naivety to attackers if disclosed.

What’s the role of CERT-In’s 6-hour reporting in this?

The April 2022 directive requires reporting within 6 hours of awareness. Reportable incidents include ransomware. CERT-In coordination is helpful for attribution and pattern matching across industry. Pre-build the reporting workflow; don’t try to figure it out during incident.

Are India-specific ransomware variants emerging?

Some — local-language ransom notes, India-targeted lure documents (GST notices, CBI summons). The encryption / exfil tooling itself is mostly the same global toolkits. India-specific operations remain a small fraction of overall traffic.

Should we share IOCs with peer organisations?

Yes. India’s NIXI-ISAC, sectoral ISACs (BFSI-ISAC, Auto-ISAC), and informal CISO networks are useful intel-sharing channels. Anonymisation is acceptable; the value of shared IOCs significantly exceeds the privacy cost.


⚖️ Legal: Ransom payment in India is not explicitly criminal but may trigger Prevention of Money Laundering Act (PMLA) issues if proceeds traced to sanctioned entities. CERT-In reporting required within 6 hours of incident awareness. DPDP §8(6) breach notification within 72 hours. Engage Indian counsel before payment decisions.

Worried about your exposure?

Get a free attack-surface review

We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.

Book exposure review Replies in 4 working hrs · India-only · Senior consultants