Ransom Payments Surge as Ransomware Groups Multiply

Ransom payments climbed sharply in 2025, with 24% of ransomware victims paying - up from 14% the previous year - as the number of active threat groups rose 16% to 67, according to a new global report. The S-RM and FGS Global Cyber Incident Insights Report 2026, drawing on data from more than 800 incidents responded to globally in 2025, found the average ransom payment reached USD $296,000. Ransomware accounted for 45% of all incidents.

Asia-Pacific recorded the biggest regional surge, with over 760 organisations named on ransomware leak sites - a 59% increase on 2024. East and South-East Asia saw a 71% rise, the highest of any region globally.

US-based businesses remained the primary target, accounting for more than 60% of incidents. The report noted 45 unique threat actors targeted American companies - more than the rest of the world combined.

Despite the well-documented risk, basic security controls remain widely undeployed. Only 22% of ransomware victims had fully rolled out and actively monitored endpoint detection and response (EDR) tools across their environments.

VPN vulnerabilities continue to be the most exploited entry point. Single-factor remote access solutions accounted for 34% of ransomware entry methods in 2025, while public-facing infrastructure vulnerabilities accounted for a further 27.6%.

The Akira ransomware group alone was responsible for nearly 70% of SonicWall-related incidents. VPN devices were the identified source in 68% of all remote access exploitation cases.

For Business Email Compromise (BEC) attacks - which made up 27.9% of all cases - credential phishing accounted for 80% of confirmed entry methods. Of BEC victims, 47% had not enforced multi-factor authentication (MFA) in their Microsoft 365 environment. The average amount of funds diverted in BEC attacks reached USD $165,000.

Double Extortion Now Standard Practice

Data exfiltration featured in 80% of ransomware attacks, as threat actors increasingly combine encryption with the threat of publishing stolen information to maximise leverage.

The report noted that data decryption is no longer the primary motivator for paying a ransom. In 88% of ransomware cases, victims had backups in place, with 69% having mostly viable backups - an improvement for the third consecutive year. However, viable backups alone did not eliminate ransom payment: 30% of victims with fully viable backups still paid.

While 60% of victims chose to engage with threat actors - often to determine what data had been exfiltrated - only 41% of those who engaged ultimately paid.

Financial services topped the sector rankings, accounting for 12.7% of all incidents. Of financial services victims, 56% had no EDR deployed at all - nearly double the cross-sector average of 34%.

Healthcare was targeted by 21 unique threat actors - the highest of any sector - and also struggled with MFA deployment on remote access solutions. Industrials and manufacturing recorded the highest ransom payment rate at 37%, compared with the 24% average across all sectors, reflecting the acute operational disruption ransomware causes in those environments.

Professional services firms, particularly law firms, saw a higher-than-average rate of BEC attacks - 49% of cases versus a 28% average - due to frequent sharing of document links with clients.

Australia Under Escalating Pressure

Australia ranked eighth globally for ransomware victims in 2025, with attacks rising 27% year-on-year to 130 disclosed cases. Small and medium enterprises accounted for 78% of Australian organisations named on ransomware leak sites.

The Australian Cyber Security Centre reported that the cost of ransomware incidents for SMEs rose 14% to AUD $56,000. National carrier Qantas suffered a significant data breach affecting millions of customers during 2025.

Australia's Cyber Security Act introduced mandatory reporting requirements for ransom payments to the Australian Signals Directorate within 72 hours - the first legislation of its kind globally. The obligation applies to all organisations with an annual turnover of AUD $3 million or more operating in Australia, regardless of ownership.

The ransomware ecosystem continued to fragment. Established ransomware-as-a-service operators Akira and Qilin together accounted for 45% of incidents. However, 61 other threat groups were also active, many operating with limited experience and unpredictable tactics.

The report identified new groups making Asia-Pacific organisations a strategic focus. NightSpire (101 total victims, 34% in Asia) and Dire Wolf (56 total victims, 50% in Asia) were among the most active new entrants.

"The landscape is also shifting: English-speaking threat actors claimed high-profile targets, AI-enhanced communications made established groups and lone operators more effective across borders, and attacks surged across Asia-Pacific," the report's authors wrote.

AI Agents Expanding Enterprise Attack Surface

The report identified insecure AI adoption within enterprises - not just AI-assisted attacks - as a primary emerging risk. As organisations deploy AI agents with access to email, files and integrated systems, they create new non-human identities with broad privileges.

AI agents are vulnerable to prompt injection attacks - where malicious instructions are embedded in data the agent processes. The report cited multiple real-world examples of agents being manipulated into exfiltrating data or facilitating account takeovers.

The report also cited Anthropic's own disclosure of a case in which its Claude chatbot was allegedly used to carry out automated end-to-end ransomware attacks. The authors concluded that fully autonomous attacks are not yet driving financially motivated incidents at scale, but warned that AI is compressing attack timelines and lowering the technical barrier for amateur threat actors.

A cautionary example was the January 2026 launch of OpenClaw, an open-source autonomous AI agent. The report described it as "riddled with vulnerabilities," with agents tricked into divulging passwords and API keys and into downloading malware - yet it was installed hundreds of thousands of times.

"In 2026, organisations will do well to apply the same identity, privilege, and monitoring discipline to AI systems that they apply to human users," the report stated.

The report identified five key trends for 2026:

  • AI agent adoption will expand attack surfaces and complicate incident response, requiring new forensic frameworks for non-human identities.
  • Extortion will become more targeted, with AI-assisted triage of stolen data used to identify the most legally and reputationally damaging material.
  • Disrupted ransomware groups will rebrand rather than disappear, with operators retaining capabilities across law enforcement actions.
  • Ransomware execution speeds will accelerate further, compressing defender detection and response windows.
  • Unsecured VPNs will remain the most reliable entry vector until organisations fully adopt zero-trust architectures.

The full report is available at https://www.s-rminform.com/cyber-security/cyber-incident-insights-report.