Ransomware Payments Drop to 28% Record Low Even as Attacks Surge 50%: What NC Businesses Must Know

New Chainalysis data shows ransomware payment rates hit an all-time low of 28%, but attacks surged 50% year-over-year with $820M+ in payments. Learn what separates businesses that recover without paying.


New data from blockchain intelligence firm Chainalysis shows that the percentage of ransomware victims who pay their attackers has dropped to 28% in 2025, the lowest rate in four consecutive years of decline. At the same time, ransomware attacks surged approximately 50% year-over-year, with total on-chain payments reaching at least $820 million and likely approaching $900 million as more events are attributed.

The data tells two stories simultaneously: businesses are getting better at surviving ransomware without paying, but attackers are compensating with higher volume and larger demands.

Key takeaway: According to Chainalysis, the median ransom payment rose 368% from $12,738 in 2024 to $59,556 in 2025, even as fewer victims paid. Ransomware is adapting, not declining. The businesses that survive without paying share specific, implementable security characteristics.

Assess your ransomware readiness today. Preferred Data Corporation provides cybersecurity assessments and managed security services for NC businesses. BBB A+ rated since 1987. Call (336) 886-3282 or request a security assessment.

The Numbers: What Chainalysis Found

The Chainalysis 2026 Crypto Crime Report provides the most comprehensive view of ransomware economics available:

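| Metric | 2022 | 2024 | 2025 |
| --- | --- | --- | --- |
| Payment rate | 78.9% | 62.8% | ~28% |
| Total payments | - | - | $820M+ (est. ~$900M) |
| Active extortion groups | ~30 | ~50 | 85 |
| Median payment | - | $12,738 | $59,556 |
| YoY attack increase | - | - | ~50% |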

Several key trends emerge:

  • Payment rates have fallen from 78.9% to 28% in three years, a dramatic shift in victim behavior
  • 85 active extortion groups operated in 2025, far more than previous years when a small number of groups dominated
  • Median ransom demands rose 368%, indicating attackers are extracting more from the smaller percentage who do pay
  • The United States remains the most targeted country, followed by Canada, Germany, and the U.K.

This data aligns with earlier Coveware reports showing steady payment rate declines throughout 2025.

Why Fewer Businesses Are Paying

The decline in ransomware payments is not accidental. It reflects measurable improvements in organizational preparedness:

Better Backup Architectures

The single largest factor in reducing payment rates is the adoption of immutable, tested backup systems. Organizations with proper backup can restore operations without negotiating with attackers.

The 3-2-1-1-0 backup rule has become the standard:

  • 3 copies of data
  • 2 different storage types
  • 1 copy off-site
  • 1 copy immutable (cannot be modified or encrypted)
  • 0 errors confirmed through regular testing

Learn about Preferred Data's backup and disaster recovery services

Improved Incident Response

Businesses with documented, rehearsed incident response plans make faster decisions during attacks. They know their recovery capabilities before the ransom note appears, eliminating the panic that historically drove payments.

Regulatory and Insurance Requirements

Cyber insurance carriers now mandate specific security controls before issuing policies. These requirements, including endpoint detection and response (EDR), multi-factor authentication (MFA), and backup testing, happen to be the same controls that make ransomware recovery possible without paying.

According to StrongDM's research, 91% of small businesses still have not purchased cyber liability insurance. Those that have are better protected because of the security controls their policies require.

Law Enforcement Coordination

Federal agencies including the FBI and CISA have expanded support for ransomware victims, sometimes providing decryption keys from investigations. Organizations that report incidents early access resources unavailable to those who go it alone.

Why Attacks Are Still Surging

Despite lower payment rates, ransomware remains enormously profitable. Chainalysis data shows attackers have adapted through:

Volume compensation. With payment rates at 28%, attackers need roughly 3x more victims to maintain the same revenue compared to 2022 rates. The 50% year-over-year increase in attacks reflects this math.

Higher demands. The 368% increase in median ransom payments means attackers extract far more from each victim who does pay. A smaller number of larger payments can sustain criminal operations.

Double and triple extortion. Data exfiltration before encryption adds a second pressure lever. Even victims who restore from backups face threats of published data, regulatory consequences, and reputational damage.

Initial access brokers (IABs). The ransomware supply chain has industrialized. According to Chainalysis, IABs generated $14 million in 2025 selling access to compromised networks. The average price for network access dropped from $1,427 in Q1 2023 to just $439 in Q1 2026, driven by automation, AI-assisted tooling, and oversupply from info-stealer logs.

More groups, more competition. With 85 active extortion groups in 2025, the ransomware ecosystem has fragmented. More actors competing means more attacks across a broader target set.

High-Profile Incidents in 2025

Chainalysis highlighted several major incidents that demonstrate ransomware's continued impact:

  • Jaguar Land Rover: Estimated $2.5 billion in damages
  • Marks & Spencer: Breached by the Scattered Spider threat group
  • DaVita Inc.: 2.7 million patient records exposed

These incidents affected large enterprises, but the same threat groups and their affiliates routinely target small and mid-sized businesses, particularly those in manufacturing, healthcare, and professional services.

What This Means for North Carolina Businesses

The Piedmont Triad and Research Triangle are home to thousands of manufacturers, construction companies, healthcare organizations, and professional services firms. These industries are disproportionately targeted:

Manufacturing remains the most-targeted sector for industrial ransomware. NC manufacturers in High Point and Hickory holding proprietary designs, serving defense supply chains, or operating connected production environments face elevated risk.

Healthcare organizations in the Triangle and Triad handle protected health information (PHI) subject to HIPAA. A ransomware attack creates both operational disruption and regulatory exposure.

Construction companies managing distributed workforces, shared devices, and high-value bid data are increasingly targeted. The competitive nature of construction bidding makes data theft particularly damaging.

Professional services firms in Raleigh-Durham, Greensboro, and Charlotte handling client financial data, legal documents, and intellectual property represent high-value targets for data extortion.

What Separates the 72% Who Don't Pay

The businesses that recover from ransomware without paying share specific characteristics that can be implemented by any organization:

1. Immutable, Regularly Tested Backups

Not just backups that exist, but backups tested for full restoration within the last 90 days. Many organizations discover during an attack that their backups are incomplete, corrupted, or encrypted alongside production systems.

Action item: Schedule a full restore test of your most critical systems this month. Document the time required and any gaps discovered.
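The 3-2-1-1-0 rule described earlier and the 90-day restore-test requirement in this section can both be checked mechanically against a backup inventory. The following is an added example, not code from Chainalysis or Preferred Data: the `Copy` fields, the `audit_3_2_1_1_0` function, and the sample inventory are constructed for illustration, and it assumes the inventory lists every copy of the data, production included.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                  # storage type, e.g. "disk", "tape", "object"
    offsite: bool
    immutable: bool             # WORM, object lock, or air-gapped
    is_backup: bool = True      # False for the live production copy
    last_restore_test: Optional[date] = None  # date of last full restore test
    restore_errors: int = 0     # errors recorded during that test

def audit_3_2_1_1_0(copies, today, max_age_days=90):
    """Return a list of findings; an empty list means the rule is met."""
    cutoff = today - timedelta(days=max_age_days)
    def verified(c):
        tested = c.last_restore_test is not None and c.last_restore_test >= cutoff
        return tested and c.restore_errors == 0
    findings = []
    if len(copies) < 3:
        findings.append(f"[3 copies] only {len(copies)} found")
    if len({c.media for c in copies}) < 2:
        findings.append("[2 storage types] all copies share one type")
    if not any(c.offsite for c in copies):
        findings.append("[1 off-site] no off-site copy")
    # An immutable copy only counts once a recent restore from it has succeeded.
    if not any(c.immutable and verified(c) for c in copies):
        findings.append("[1 immutable] no immutable copy with a clean, current restore test")
    for c in copies:
        if not c.is_backup or verified(c):
            continue
        if c.last_restore_test is None:
            why = "never restore-tested"
        elif c.restore_errors:
            why = f"{c.restore_errors} errors in last restore test"
        else:
            why = f"last restore test {c.last_restore_test} is older than {max_age_days} days"
        findings.append(f"[0 errors] {c.name}: {why}")
    return findings

# Constructed sample inventory (illustrative, not from the article).
TODAY = date(2026, 3, 1)
INVENTORY = [
    Copy("prod-fileserver", "disk", offsite=False, immutable=False, is_backup=False),
    Copy("nas-nightly", "disk", False, False, last_restore_test=date(2026, 2, 10)),
    Copy("cloud-object-lock", "object", True, True, last_restore_test=date(2025, 9, 15)),
]
print("\n".join(audit_3_2_1_1_0(INVENTORY, TODAY)))
```

The sample inventory has three copies, two storage types, and an off-site immutable copy, yet still fails: the immutable copy's last restore test is older than 90 days, so it cannot be relied on during an incident.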

2. Endpoint Detection and Response (EDR)

Traditional antivirus catches known threats. Modern ransomware uses fileless techniques, legitimate tools (living-off-the-land), and AI-generated evasion that bypass signature-based detection.

EDR provides behavioral detection, automated containment, and forensic capabilities that can stop ransomware before encryption completes.

Learn about Preferred Data's endpoint protection services

3. Network Segmentation

Flat networks allow ransomware to spread from a single compromised endpoint to every system. Segmentation contains the blast radius. A compromised workstation in accounting should not have direct access to production systems, backups, or domain controllers.

4. 24/7 Monitoring

Ransomware attacks frequently begin on Friday evenings or holiday weekends. Chainalysis data shows IAB activity spikes roughly 30 days before ransomware deployment, meaning there is a detection window for organizations with continuous monitoring.

5. Rehearsed Incident Response Plans

A plan in a binder is not a plan. Teams that have walked through tabletop exercises respond faster, communicate more clearly, and make fewer costly mistakes under pressure.

Action item: If you have an incident response plan, schedule a tabletop exercise within 30 days. If you don't have one, building it is your highest security priority.

Building Your Ransomware Defense: A Prioritized Roadmap

For North Carolina businesses starting or improving their ransomware defenses:

Week 1-2: Foundation

  • Enable MFA on all accounts (blocks 99.9% of automated attacks per Microsoft)
  • Verify backup status and schedule a restore test
  • Deploy EDR on all endpoints (replace traditional AV)

Week 3-4: Visibility

  • Implement network segmentation between critical system zones
  • Enable audit logging across all systems
  • Review and tighten Active Directory permissions

Month 2: Resilience

  • Create or update your incident response plan
  • Conduct a tabletop exercise with leadership and IT
  • Review cyber insurance coverage and requirements
  • Implement DNS filtering to block known malicious domains

Month 3: Maturation

  • Deploy immutable backup (air-gapped or WORM storage)
  • Conduct penetration testing
  • Launch security awareness training with phishing simulations
  • Establish relationship with an incident response provider

Ongoing:

  • Monthly patching
  • Quarterly backup restoration tests
  • Bi-annual tabletop exercises
  • Annual penetration testing
  • Continuous monitoring via managed security provider

The Cost of Preparation vs. Recovery

The math is straightforward:

  • Average managed security services: $75-$175/user/month for comprehensive protection
  • Median ransom demand (2025): $59,556 (even paying doesn't guarantee recovery)
  • Average total breach cost for SMBs: $254,445 according to Astra Security
  • Business closure rate after breach: 60% within six months per StrongDM

For a 50-person NC business, comprehensive managed security might cost $3,750-$8,750/month. One ransomware incident costs 3-7x the annual security investment, plus operational disruption, customer trust damage, and potential regulatory penalties.

Key takeaway: Ransomware is a $900 million industry that is growing more fragmented, more aggressive, and more automated. The 28% payment rate proves that preparation works. The 50% increase in attacks proves that preparation is not optional.

About Preferred Data Corporation

Preferred Data Corporation (PDC) is a managed IT and cybersecurity services provider headquartered in High Point, North Carolina, serving businesses across the Piedmont Triad and Research Triangle. With over 37 years of experience protecting North Carolina businesses, PDC delivers comprehensive managed security services including 24/7 monitoring, EDR deployment, immutable backup and disaster recovery, incident response planning, and cybersecurity assessments.


Frequently Asked Questions

Should my business ever pay a ransomware demand?

The FBI recommends against paying ransomware demands. Payment does not guarantee data recovery, funds criminal operations, and may violate OFAC sanctions if the threat actor is in a sanctioned jurisdiction. The 28% payment rate shows most businesses can recover without paying when properly prepared.

How quickly can ransomware encrypt our entire network?

Modern ransomware can encrypt an entire small business network in minutes to hours, depending on the variant and network size. However, attackers typically spend days to weeks inside the network before deploying encryption, giving organizations with monitoring a window to detect and stop the attack.

What is double extortion ransomware?

Double extortion combines data encryption with data theft. Even if you restore from backups, attackers threaten to publish stolen data. This is why backup alone is not sufficient: you also need monitoring, segmentation, and data loss prevention to limit what attackers can exfiltrate.

Does cyber insurance cover ransomware?

Most cyber insurance policies cover ransomware incidents, but carriers increasingly require specific security controls (MFA, EDR, tested backups, incident response plan) as conditions for coverage. Failing to maintain these controls can void your policy. Review your policy requirements with your provider and managed IT partner.

My business is too small to be a target. Is that true?

No. With 85 active extortion groups and automated scanning tools, ransomware attacks are increasingly opportunistic. Chainalysis data shows initial access to small business networks sells for as little as $439. If your systems are internet-facing and unpatched, you are a target regardless of size.

