Ransomware attacks rise 45% as ransom payments fall

Timeline of Ransomware Evolution and Impact on Cyber Insurance

Cyber insurance MGA Cowbell said ransomware attacks rose 45% last year, even as average ransom payments fell sharply.

Cowbell’s 2026 claims report shows average ransom payments declined about 44% between 2022 and 2025. The firm attributed the fall to stronger negotiation strategies, better claims handling, and more prepared insureds.

Stephanie Hewerdine, Cowbell’s director of claims, said the drop likely reflects several factors, with insured preparedness among the most important. More organisations now have incident response plans and stronger backups, which help them restore operations without needing a decryption key.

Ransomware attacks are set to rise sharply, with victims publicly named on leak sites expected to climb from 5,010 in 2024 to more than 7,000 by the end of 2026, according to QBE. The jump marks a fivefold increase since 2020, when only 1,412 victims appeared on those sites.

QBE’s cyber report explains how attackers exploit weaknesses tied to cloud adoption and AI use to reach sensitive data and disrupt operations.

Government and administrative bodies emerged as the most targeted sector worldwide between August 2023 and August 2025, representing 19% of all incidents. IT and telecommunications followed at 18%. Manufacturing, logistics, and transport combined accounted for 13%.

The spread shows how attackers chase scale and dependency rather than niche targets.

Ransomware attacks bring more than direct financial loss.

When negotiations happen, response teams review the compromised data first. If attackers did not access sensitive or personally identifiable information, the case for paying weakens.

Teams now take a more measured approach instead of reacting emotionally. They examine the data, assess recovery options, and weigh the cost-benefit case for paying or refusing a ransom.

Data breaches accounted for 33.5% of Cowbell’s reported claims over the past 18 months. Cybercrime represented 31.8%, while extortion events made up 18.3%.

The report shows ransomware and other extortion-based attacks are shifting away from encryption-only models toward data-only schemes and double extortion.

In data-only attacks, hackers do not encrypt systems. They steal data and threaten to release it. That lowers the barrier to entry because attackers do not need the more technically demanding encryption tools. It’s quicker, cheaper, and nasty enough.

Hewerdine said smaller and less sophisticated threat actor groups are becoming more active. Some groups lack the resources to buy or build encryption tools, but they still try to extort insureds by threatening data exposure.

Double extortion attacks remain a concern. In those cases, attackers demand payment both to restore access and to prevent sensitive information from being released. Some threat actors then fail to keep their side of the deal. They may withhold full decryption or demand more money after receiving an initial ransom.

Ransomware negotiations once had more of an honor-among-thieves dynamic. Attackers who failed to follow through risked damaging their reputation and reducing their chances of future payments.

Smaller groups do not always behave that way. Hence more broken promises, more secondary demands.

Cowbell’s claims data shows that more than two-thirds of cases with identified threat actors involved only seven groups. Akira accounted for 38.8% of those cases, while Qilin represented 14.2%. Together, the two groups made up more than half of identified threat actor cases.

According to Beinsure analysts, the figures show a cyber market moving into a more fragmented threat environment. Large ransomware groups still matter, but smaller affiliates and splinter groups are changing negotiation risk and recovery planning.

Cowbell also identified professional services, construction, manufacturing, healthcare, and wholesale trade as industries with higher exposure.

These sectors depend heavily on systems and sensitive information, making response plans, backups, and claims preparation more important.

Hewerdine expects attackers to use artificial intelligence more often to automate attacks. She also expects more data extortion events and continued growth among smaller threat actor groups.

Law enforcement pressure has disrupted some larger ransomware groups, but that has created splinter groups and affiliates. Hewerdine said some actors now lease out encryption tools, turning ransomware into a commercial service model.

The more ransom payments feed it, the larger the ecosystem grows. Reducing ransom payments benefits insureds, insurers, and the wider market. Better recovery options, stronger preparation, and tougher negotiation can help get businesses running again without feeding threat actors.