In February 2026, a hospital system in the Midwest went dark. Not a power outage — a ransomware attack that encrypted patient records, billing systems, scheduling, and pharmacy databases across fourteen facilities at the same time. For eleven days, doctors wrote prescriptions on paper. Nurses tracked vitals on whiteboards. Three surgeries were postponed. The ransom demand was million in Bitcoin. They ended up paying .5 million after negotiation. That hospital system had cybersecurity insurance, a dedicated security team, and had passed a compliance audit six weeks before the attack.
That call happened to me in 2019. I remember it was a Tuesday, because I’d just fallen back asleep after my cat knocked a glass off the nightstand. And honestly? Things have gotten so much worse since then. Ransomware in 2026 isn’t the same beast it was seven years ago. It’s probably closer to a whole different species at this point.
How We Got Here
So the first known ransomware showed up in 1989 — a thing called the AIDS Trojan, spread via floppy disks. Wild, right? But comparing that to what’s running now is like comparing a paper airplane to an F-35. Modern ransomware operations look like well-funded startups. I’m not exaggerating. They’ve got HR departments. Customer service portals. They negotiate payment terms with their victims, and some even offer “discounts” for paying quickly. It’d be almost impressive if it weren’t destroying people’s lives.
And the scale keeps growing. Cybersecurity Ventures projects ransomware damages will hit $265 billion annually by 2031. That’s up from roughly $20 billion in 2021. Average ransom payments in 2025 crossed the $500,000 mark, with major attacks demanding tens of millions. Those are just the cases that get reported, too. A big chunk of victims pay quietly, never tell anyone, and the real numbers are worse than anything in the reports.
The Problem: Nobody Listened Until the Gas Ran Out
May 2021. DarkSide hits Colonial Pipeline. You probably remember this one. Colonial supplies about 45% of the fuel consumed on the U.S. East Coast. When they shut down pipeline operations as a precaution, gas stations from Virginia to Florida started running dry within days. People were filling plastic bags with gasoline. Actual plastic bags. It was chaos.
Colonial paid 75 bitcoin — around $4.4 million at the time. The FBI later clawed back about $2.3 million, but the damage was already done. And here’s what kills me about that whole situation: the entry point was a single VPN account without multi-factor authentication. One password, probably scooped from an old data breach, and it brought a piece of American infrastructure to its knees.
Every sysadmin I know watched that news coverage with a mix of vindication and dread. We’d been screaming about unpatched VPNs and missing MFA for years. The answer was always “it’s on the roadmap” or “we don’t have budget this quarter.” Well, the quarter arrived eventually. It brought 75 bitcoin worth of consequences with it.
That should’ve been the wake-up call for everyone. For some organizations, it was. For way too many others? They watched it happen to Colonial and still didn’t turn on MFA. I think there’s something about human psychology where we just can’t believe the bad thing will happen to us until it does.
The Attempt: Backups Were Supposed to Save Us
For a while, the conventional wisdom was simple. Keep good backups, and ransomware can’t hurt you. Attackers encrypt your files? No problem. Restore from backup and move on with your life. Don’t pay the ransom. Easy.
And look — that approach worked for a while. It really did. Organizations that maintained solid backup strategies could recover without paying, and security professionals (myself included) spent years preaching the gospel of the 3-2-1 backup rule: three copies of your data, two different media types, one copy offsite. It seemed like we’d found the answer.
But attackers aren’t stupid. They adapted.
The Failure: Double and Triple Extortion Changed Everything
Around 2020, groups started doing something that completely broke the backup strategy. Before encrypting anything, they’d quietly spend days — sometimes weeks — copying your most sensitive data to their own servers. Customer records. Financial documents. Employee information. Trade secrets. All of it, siphoned out through encrypted channels that blended right in with normal traffic.
Then came the ransom note. But now it said something different. “Sure, restore from your backups. We don’t care. But we’ve got all your data, and we’re going to publish it unless you pay.” That’s double extortion, and it changed the game entirely. Suddenly backups weren’t enough. You could get your systems back online, but you were still facing regulatory fines, lawsuits, reputational damage, and breach notification costs.
Triple extortion goes even further. Not satisfied with pressuring just the organization, attackers started contacting customers, partners, and patients directly. “We have your personal records. Pay us $500 or we publish everything.” It’s already happened — the Vastaamo psychotherapy center in Finland saw attackers individually extort patients by threatening to release their therapy session notes. Some of those patients were minors. I’m not sure there’s a word strong enough to describe how vile that is.
Some groups even pile DDoS attacks on top of everything else. Refuse to pay? Now your website’s being hammered offline while you’re already scrambling to recover from the encryption. It’s like someone setting your house on fire and then slashing your tires so you can’t drive to get help. The whole point is to create so much pressure from every direction that paying feels like the only option left.
The Supply Chain Problem Made It Even Worse
Mid-2023 brought a different kind of nightmare. The Cl0p ransomware group found a zero-day vulnerability in MOVEit Transfer, a file transfer application used by thousands of organizations. They didn’t even bother with traditional encryption. Instead, they mass-exfiltrated data from hundreds of organizations at once and threatened to publish it unless ransoms were paid.
Over 2,600 organizations. 77 million individuals affected. The BBC. British Airways. Ernst & Young. The U.S. Department of Energy. State governments, universities, hospitals, banks. One vulnerability in one product, and it rippled outward like a shockwave.
What really gets me is how patient Cl0p was. Evidence suggests they’d known about the MOVEit vulnerability since at least 2021. They sat on it. They waited. They tested their approach during the GoAnywhere attacks earlier in 2023 (which hit over 130 organizations), and then they rolled out the main event. That level of planning and operational discipline from a criminal group — it’s honestly a little terrifying. Estimated total damages from MOVEit exceeded $10 billion.
You can lock down your own systems perfectly. But if a vendor you depend on gets compromised, your data goes with it. That’s the supply chain problem, and there’s no easy fix for it.
Ransomware-as-a-Service: Crime Got Franchised
Maybe the most dangerous shift in this whole space is RaaS — Ransomware-as-a-Service. The name sounds like a bad startup pitch, and the business model is disturbingly similar to one. RaaS operators build and maintain the ransomware software, the payment infrastructure, the negotiation portals, the data leak sites. Then they recruit affiliates — basically freelance attackers — who carry out the actual operations. Affiliates keep 70-80% of the ransom. The platform takes the rest.
What this means in practice is scary. You don’t need to be a skilled programmer anymore to launch a ransomware attack. You need a subscription and enough technical know-how to follow instructions. Some RaaS operations provide tech support, training materials, and dashboards showing your attack statistics. It might sound wrong to call it “democratized crime,” but that’s pretty much what it is.
LockBit was the biggest example. At its peak, they were responsible for roughly 44% of all global ransomware incidents. Operation Cronos took them down in February 2024 — law enforcement from 10 countries seized infrastructure, arrested affiliates, and even trolled LockBit’s leader by posting on the group’s own leak site. Great moment. But LockBit tried to come back within days, and other groups rushed to fill the vacuum. ALPHV/BlackCat, Play, 8Base, Akira. By 2025, RansomHub and Medusa had risen to take LockBit’s place. Taking down one group barely dents the overall ecosystem.
Who’s Getting Hit the Hardest Right Now
Short answer: everyone. Longer answer: some sectors are getting absolutely hammered.
Healthcare sits right at the top. Hospitals can’t afford downtime when lives are on the line. Attackers know this and they’re counting on the urgency to drive fast payments. A University of Minnesota study found a significant increase in in-hospital mortality during ransomware attacks. When your systems go down in a hospital, surgeries get delayed, ambulances get diverted, medication systems fail. People die. That’s not an abstraction.
Schools are another prime target, and this one really bothers me. Limited IT budgets. Sprawling networks. Thousands of users who click on everything. Massive amounts of sensitive data — student records, research, financial information. The Los Angeles Unified School District (second-largest in the U.S.) got hit by Vice Society in 2022. Five hundred gigabytes of stolen data. K-12 schools across the country have been hit hundreds of times.
Manufacturing and infrastructure organizations face their own version of this problem. Legacy systems that can’t be easily patched. Operational technology networks that were never designed with security in mind. Catastrophic consequences from downtime — a manufacturing plant offline for a week might lose millions in production. JBS, the world’s largest meat supplier, paid $11 million in ransom in 2021 after their attack briefly disrupted meat supply chains across the U.S. and Australia.
How an Attack Actually Unfolds
It’s not like the movies. Nobody clicks one bad link and — boom — everything explodes. Real attacks are methodical. They typically unfold over days or weeks.
Getting in. Phishing emails with malicious attachments. Exploitation of public-facing vulnerabilities in VPNs, firewalls, or web applications. Compromised RDP connections with weak or stolen credentials. Abuse of legitimate remote access tools. In 2025, exploitation of edge devices — firewalls, VPN appliances, perimeter equipment — became the single most common initial access method, surpassing phishing for the first time. That’s a significant shift.
Spreading out. Once inside, attackers set up multiple backdoors so they maintain access even if one gets discovered. Then they move laterally. They’re escalating privileges, mapping the environment, hunting for domain controllers and backup servers and file servers — anything that maximizes impact. And here’s the tricky part: they often use legitimate admin tools. PowerShell. PsExec. Remote desktop. From the network’s perspective, it looks like normal admin activity. That’s exactly why it’s so hard to catch.
Stealing data. Before they encrypt a single file, they’re copying your most sensitive information. Encrypted channels, common cloud storage services — it blends with normal traffic. This stage can last days. Terabytes of data, slowly siphoned out while nobody has any idea.
The finale. Ransomware deployed across as many systems as possible. Usually timed for maximum pain — Friday night, holiday weekends, known maintenance windows. Files get encrypted. Backups get targeted and deleted if they’re reachable. The ransom note appears. By this point, the attackers have already won. Everything after is damage control.
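Each of those stages leaves traces in ordinary Windows logs, and correlating them per account is how a defender catches the build-up before the finale. The following is an added example, not code from this post: it runs four simple rules (RDP logon, PsExec service install, encoded PowerShell, shadow-copy deletion) over constructed event records and flags accounts whose hits span several stages and several hosts. The event IDs and the PSEXESVC service name are real; the hosts, users and command lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real incident). Field names loosely
# mirror Windows Security events 4624 (logon) and 4688 (process creation) and
# System event 7045 (service installed); event IDs and the PSEXESVC service
# name are real, the hosts, users and command lines are made up.
EVENTS = [
    {"host": "WS-042", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"host": "FS-01", "id": 7045, "service": "PSEXESVC", "user": "jsmith"},
    {"host": "FS-01", "id": 4688, "user": "jsmith",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"host": "DC-01", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.5.42"},
    {"host": "BK-01", "id": 4688, "user": "jsmith", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-043", "id": 4688, "user": "akhan", "cmdline": "notepad.exe report.txt"},
]

def rdp_logon(e):
    """4624 with logon type 10 (RemoteInteractive): an RDP session was opened."""
    return e["id"] == 4624 and e.get("logon_type") == 10

def psexec_service(e):
    """7045 installing a service named PSEXESVC: the footprint PsExec leaves."""
    return e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC"

def encoded_powershell(e):
    """4688 launching PowerShell with -e/-ec/-EncodedCommand (script hidden in base64)."""
    pattern = r"powershell.*\s-e(c|nc|ncodedcommand)?\s"
    return e["id"] == 4688 and re.search(pattern, e.get("cmdline", ""), re.I) is not None

def shadow_copy_deletion(e):
    """4688 wiping Volume Shadow Copies: the 'backups get deleted' step."""
    pattern = r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete"
    return e["id"] == 4688 and re.search(pattern, e.get("cmdline", ""), re.I) is not None

RULES = {f.__name__: f for f in (rdp_logon, psexec_service, encoded_powershell, shadow_copy_deletion)}

def score_events(events):
    """Per account: which rules fired and on which hosts. Any single hit may be
    legitimate admin work; the spread across stages and machines is the signal."""
    findings = defaultdict(lambda: {"rules": set(), "hosts": set()})
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                findings[e["user"]]["rules"].add(name)
                findings[e["user"]]["hosts"].add(e["host"])
    return dict(findings)

def staging_suspects(events, min_rules=3, min_hosts=2):
    """Accounts whose hits cover at least min_rules stages on at least min_hosts machines."""
    return sorted(user for user, f in score_events(events).items()
                  if len(f["rules"]) >= min_rules and len(f["hosts"]) >= min_hosts)

if __name__ == "__main__":
    for user, f in score_events(EVENTS).items():
        print(user, sorted(f["rules"]), sorted(f["hosts"]))
    print("staging suspects:", staging_suspects(EVENTS))
```

In a real deployment the records would come from a SIEM or Windows Event Forwarding, and the thresholds would be tuned against your own admins' normal activity.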
What Actually Works (From Someone Who’s Cleaned Up the Messes)
Okay, here’s where I want to shift gears and actually be helpful, because I don’t want anyone reading this to feel hopeless. You can protect yourself. The controls aren’t mysterious or expensive (well, some are expensive, but most aren’t). They’re mostly just… unglamorous. Nobody gets a promotion for patching servers. But patching servers might save your company.
Patch your stuff. I know, I know. Boring. But a huge percentage of ransomware attacks exploit known vulnerabilities with available patches. MOVEit had a patch. Exchange ProxyShell had patches. Log4Shell had patches. Attackers aren’t generally using secret zero-days. They’re using vulnerabilities that were disclosed months ago and never fixed because somebody’s change management process moves at the speed of continental drift. Start with edge devices — VPNs, firewalls, internet-facing systems. Patch those within days, not weeks. This alone would probably prevent more attacks than any single expensive tool you could buy.
Turn on MFA. Everywhere. No exceptions. Multi-factor authentication on every remote access point, every admin account, every email account, every cloud service. If Colonial Pipeline had MFA on that one VPN account, the attack likely wouldn’t have happened. MFA blocks the vast majority of credential-based attacks. Use app-based authentication or hardware keys — not SMS, which can be SIM-swapped. And watch out for MFA fatigue attacks, where attackers spam push notifications until someone hits “approve” just to make it stop. Number-matching or FIDO2 keys are better for high-value accounts.
Build backups that attackers can’t touch. The 3-2-1 rule is a minimum, not a goal. In 2026, you need at least one immutable backup — one that literally can’t be modified or deleted for a defined retention period, even by an administrator. Cloud providers offer immutable storage options. Air-gapped backups (physically disconnected from the network) are even better if you can manage them. And please — test your restores regularly. I’ve seen organizations discover during an actual incident that their “backups” hadn’t been working for months. A backup you’ve never tested isn’t a backup. It’s a wish.
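Testing a restore is a job you can automate. Here is an added example (not the post's code) that restores a backup archive into a scratch directory and diffs every file against a SHA-256 manifest recorded at backup time, so a silently drifting or corrupt backup shows up in a scheduled check rather than during an incident. The sample files and archives are constructed in a temporary directory; the manifest is assumed to live somewhere the backup job itself cannot overwrite.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root. Store this manifest
    where the backup job cannot overwrite it (e.g. on the immutable tier)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_backup(src: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")

def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into a scratch directory and diff the result against the manifest."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal (3.12+/backports)
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }

def restore_ok(report: dict) -> bool:
    return not (report["missing"] or report["corrupt"] or report["unexpected"])

def demo() -> tuple:
    """Constructed sample: one clean archive and one whose source changed after
    the manifest was recorded (how a silently broken backup job shows up)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "records.db").write_bytes(b"constructed sample record\n" * 100)
        (src / "billing.csv").write_text("id,amount\n1,42\n")
        manifest = build_manifest(src)
        write_backup(src, tmp / "good.tgz")
        (src / "billing.csv").write_text("id,amount\n1,0\n")  # drift before the next run
        write_backup(src, tmp / "bad.tgz")
        good = verify_restore(tmp / "good.tgz", manifest, tmp / "restore_good")
        bad = verify_restore(tmp / "bad.tgz", manifest, tmp / "restore_bad")
        return restore_ok(good), good, restore_ok(bad), bad

if __name__ == "__main__":
    print(demo())
```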
Segment your network. If an attacker compromises one workstation, can they reach the domain controller? The backup server? If everything can talk to everything on your network, a single compromised machine means it’s over. Break things up. Put your backup infrastructure on its own segment with strict access controls. Separate operational technology from IT networks with firewalls or air gaps. Segmentation won’t prevent the initial breach, but it limits how far attackers can spread — and that’s often the difference between “one workstation got encrypted” and “we lost everything.”
Get real endpoint protection. Traditional antivirus isn’t cutting it anymore. Modern EDR (endpoint detection and response) tools watch process behavior, detect suspicious patterns, and can automatically isolate compromised machines. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint — they’ve all shown they can catch ransomware. The catch (there’s always a catch) is that they need to actually be deployed on everything, monitored by someone paying attention, and not set to “alert only” because someone got tired of false positives three months ago.
Fix your email security. Phishing is still one of the top entry points. Good email filtering sandboxes attachments, scans links at time-of-click (not just when the email arrives), and strips macros from Office documents. Train your users too, but don’t rely only on training. Humans click things. That’s what we do. The goal is to reduce what reaches inboxes and catch what slips through as fast as possible.
You Need an Incident Response Plan Before You Need One
“We’ll figure it out when it happens” isn’t a plan. I’ve watched organizations waste critical hours during active attacks arguing about who has authority to disconnect systems, who should talk to the press, whether to call law enforcement, and who can approve a ransom payment. Those hours cost money, data, and sometimes the whole business.
Before anything bad happens, you should already know: Who leads the response? Who can disconnect systems? When do you engage legal counsel? When and how do you contact the FBI or CISA? What’s the communication plan for employees, customers, and media? Do you have a cryptocurrency wallet set up in case you decide to pay (setting one up during an attack wastes time you don’t have)? Do you have a retainer with an incident response firm like Mandiant, CrowdStrike, or Secureworks? What are your recovery time objectives for your most important systems?
Run tabletop exercises. Get everyone in a room — IT, legal, communications, executives — and walk through a realistic scenario. I’ve run these, and they’re always eye-opening. Executives discover they didn’t realize how dependent they were on specific systems. IT discovers they don’t have authority to make time-sensitive decisions. Legal discovers notification requirements they hadn’t thought about. Everyone discovers gaps. Much better to find those gaps in a conference room over coffee than at 2 AM during a real incident with sirens going off.
The Pay-or-Don’t-Pay Question
Every victim faces this, and there’s no clean answer. The FBI recommends against paying because it funds criminal operations and encourages more attacks. That’s true. Every ransom paid makes the next attack more likely. But it’s easy to take a principled stand when it’s not your hospital that can’t access patient records, or your business bleeding $100,000 a day in downtime.
A 2024 Sophos report found that 56% of organizations hit by ransomware paid up. Of those, 84% got data back — but only 68% got ALL of it back. And paying doesn’t guarantee attackers will actually delete stolen data. You’re trusting criminals to keep their word. Some victims have been re-extorted months later with the same data the attackers promised to destroy.
From what I’ve seen, the best position is to never be in the position where you have to make that choice. Invest in prevention. Maintain tested backups. Have a plan. If you do those things well, paying should never come up. But if the worst happens, engage law enforcement and professional incident responders before making any decisions. And understand that paying guarantees nothing.
Where 2026 Is Headed
AI-assisted attacks are picking up speed. Attackers are using large language models to write more convincing phishing emails, automate vulnerability discovery, and speed up malware development. The days of spotting scam emails by their broken grammar are fading fast. These days, a phishing email might read better than half the legitimate emails in your inbox.
Cloud infrastructure is becoming a bigger target. As organizations move to AWS, Azure, and Google Cloud, attackers follow. Misconfigured storage buckets, exposed API keys, compromised cloud credentials — all of it’s being used to deploy ransomware or steal data from cloud environments. The attack surface has expanded massively, and honestly, cloud security skills haven’t kept pace with cloud adoption.
Regulatory pressure keeps mounting. The SEC now requires public companies to disclose material cybersecurity incidents within four days. Multiple states have breach notification laws with tight timelines. The EU’s NIS2 directive imposes security requirements across a broad range of sectors. The cost of a ransomware attack now includes not just the ransom and recovery, but potentially significant fines for weak security practices or late notification.
Cyber insurance is tightening too. Premiums have skyrocketed. Insurers require MFA, EDR, tested backups, and incident response plans before they’ll even write a policy. Some are excluding ransomware payments entirely. You can’t buy a cyber insurance policy and treat it as your primary defense anymore. Those days are gone.
Ransomware isn’t going away. The money’s too good, the barriers to entry are too low, and too many organizations still run unpatched systems on flat networks with no MFA. But every control you put in place raises the cost for the attacker. Most ransomware affiliates are opportunists — they want easy targets, not hard ones. Make yourself a hard target. Patch, segment, back up, test, plan. It’s not glamorous work, but it’s the work that matters.