Ransomware Shift: Low Payouts Force Return to Encryption and Targeted Disruption
Professional services, Healthcare, Technology hardware and equipment, Software services, Consumer services, Cybersecurity
Ransomware actors tested a pure data-theft extortion model after several high-profile breaches, but that volume-led approach is becoming commercially unsustainable as fewer organizations choose to pay for returned or suppressed records. Early waves that harvested broad troves of information generated outsized returns, yet later saturation and growing corporate and regulatory resistance depressed payment rates and revenue for mass-data dumps. As a result, many criminal groups are returning to encryption and operational disruption, where halting business continuity continues to produce leverage over victims that cannot readily restore critical systems.
Analysts observed a bifurcation in market dynamics: a low-value, high-volume tier that yields little revenue and a high-impact, targeted tier that still commands six-figure settlements in isolated cases. Q4 2025 recorded higher average and median settlements driven by a small number of catastrophic incidents rather than a broad resurgence in widespread payments. Attack activity remains concentrated among a relatively small set of affiliates, with professional services, healthcare and technology among the most frequently targeted sectors. At the same time, threat actors are trimming operational footprints, diversifying monetization of access, and prioritizing targets with weak recovery capabilities to protect profits.
Recent law-enforcement actions — notably the coordinated seizure of the RAMP forum — illustrate how disrupting visible marketplaces increases short-term friction for criminal ecosystems and can yield valuable forensic leads (user records, transaction logs and linked infrastructure). However, takedowns typically spur migration: participants often fragment into invitation-only forums, private channels and bespoke platforms that are harder to monitor, raising the operational cost for some adversaries while complicating long-term disruption.
The practical value of such seizures depends on rapid forensic exploitation and legal follow-through — prosecutions, asset seizures, and international cooperation — to convert digital evidence into meaningful degradation of criminal networks. For defenders, the shifting economics mean prioritizing blast-radius reduction and recovery readiness to make payment an unattractive and unnecessary option. For insurers, incident responders and boards, the variability in settlement size and the persistence of decryption-driven outages complicate underwriting and incident planning. Looking ahead, expect continued hybridization of tactics and migration toward more discrete, resilient criminal infrastructures that favor targeted disruption over indiscriminate data sales.