
2026 Verizon DBIR Reveals New Attack Vectors + 8 Ways Organizations Can Protect Themselves

May 26, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

Every year, the Verizon Data Breach Investigations Report gives us the closest thing we have to a ground-truth picture of the threat landscape. The 2026 edition analyzed more than 22,000 confirmed data breaches and 31,000 security incidents across 145 countries, the largest dataset in the report's 19-year history. For cybersecurity and compliance professionals at small and medium-sized businesses, and especially for organizations in the Defense Industrial Base (DIB), there's a lot of information here worth paying attention to.

The report's overarching message is that the threat environment keeps accelerating, but the fundamentals still work. You don't need a revolution in your security program; you need to keep tightening the foundation.

Below, you’ll find a summary of the report’s key takeaways and the practical implications for organizations looking to improve their cybersecurity posture. 

Vulnerability exploitation is now the #1 attack vector

For years, stolen credentials held the top spot as the most common initial access vector. That changed this year. Exploitation of vulnerabilities climbed to 31% of breaches (up from 20% the prior year, a 55% increase) while credential abuse fell to 13%.

This shift matters because it changes where you need to focus your energy. While phishing training and MFA rollouts are still essential, they won't stop an attacker who walks in through an unpatched vulnerability in your VPN, your web application, or a third-party tool.

The report tracked remediation of vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog, the list of vulnerabilities with confirmed, active exploitation in the wild, and found that only 26% of them were fully remediated in 2025, down from 38% the year before. The median time to fully patch a KEV vulnerability rose to 43 days, almost two weeks longer than the previous year. And organizations had approximately 50% more KEV vulnerabilities to address in 2025 than they did in 2024.

The sheer volume of vulnerabilities is an acute problem, especially since patching capacity appears to be hitting a ceiling regardless of organizational maturity. Even the best-performing organizations struggle to close more than 30-40% of KEV instances within the first week of detection.

One useful insight from the report: when you're forced to triage, focus on what's been recently exploited. Vulnerabilities that haven't shown active exploitation in roughly a year are significantly less likely to resurge than ones with recent activity. That doesn't mean you can ignore the backlog indefinitely, but it gives you a method for prioritizing patches when you can’t address everything at once.


Ransomware keeps growing, even as payment rates drop

Ransomware appeared in 48% of all breaches this year, up from 44% the prior year, and remains the dominant monetization method for financially motivated criminal groups. For SMBs specifically, the numbers are striking: approximately 96% of ransomware victims in the dataset were small organizations. These attacks rarely make national headlines, but they are very common.

There's a real silver lining here, though. The percentage of victims who did not pay the ransom rose to 69%, up from 65% the prior year. The median ransom payment also continued its downward trend, from $150,000 in 2024 to $139,875 in 2025. Organizations are getting better at preparing for and surviving ransomware without capitulating to attackers.

This doesn't mean ransomware is becoming less dangerous. Operational downtime and supply chain disruption often cause far more damage than the ransom itself. But it does suggest that better backups, better incident response planning, and improved resilience are making organizations measurably stronger. 

The report also notes a growing infostealer-to-ransomware pipeline worth watching. Roughly 27% of ransomware victims in the study had no prior credential leak event in the year before the attack. But of those who did experience a prior credential leak, half of them fell victim to ransomware within 95 days. Small organizations in the dataset experienced a median of seven credential leak events per year. Monitoring for compromised credentials, through dark web monitoring services or threat intelligence feeds, can give you an early warning that you're a target.


Third-party risk is now unavoidable

Breaches involving a third party jumped 60% year over year, now accounting for 48% of all breaches. That's up from 30% just two years ago, meaning the number has roughly doubled in that time.

These aren't exotic supply chain attacks; they're largely the result of insecure authentication and misconfigured cloud environments at external vendors and service providers. The report looked at third-party cloud environments directly and found that only 23% of third-party organizations fully remediated missing or improperly configured MFA on their cloud accounts. For weak passwords and permission misconfigurations, the median time to resolve 50% of findings was close to eight months.

The implications are especially significant for DIB organizations: your attack surface isn't just your own network. It includes every cloud platform, SaaS tool, and managed service provider. A shared responsibility matrix may mean some of this risk lives with the vendor, but the breach and its consequences land on you.

This is an area where your vendor risk management program needs to ask tougher questions: What authentication controls does your vendor use on their cloud environment? Do they enforce MFA on accounts that have access to your data? When did they last rotate service account credentials?


Social engineering is getting more sophisticated, especially by phone

The human element was present in 62% of breaches, and social engineering appeared as the third most common breach pattern. Email phishing remains the dominant vector, but the threat is expanding.

Phone-based attacks (voice phishing and SMS) are succeeding at rates approximately 40% higher than email-based campaigns, based on simulation data in the report. The pattern driving this is pretexting: synchronous, interactive attacks where a threat actor impersonates a help desk agent, a vendor, or an IT staffer and walks an employee through taking a harmful action in real time. These were a significant initial access vector in several high-profile ransomware cases this year.

The report also flagged "ClickFix" attacks, where malicious websites present themselves as a CAPTCHA and prompt users to open a terminal window and paste a command. These are appearing in real incidents and they work even on technically sophisticated users because they combine social pressure with a plausible pretext.

For DIB organizations especially, the espionage-motivated variant is worth paying extra attention to. State-affiliated actors used social engineering in about 25% of espionage-motivated incidents, often through long-term rapport-building: fake recruiters, malicious job application processes, and fake IT troubleshooting requests via Teams or other collaboration platforms.

Security awareness training needs to cover scenarios beyond "don't click suspicious links in email." Train your help desk staff explicitly on how to handle requests for credential resets or remote access from unknown callers. Run tabletop exercises that include voice and messaging scenarios, and consider whether your collaboration tools are configured to allow external message requests by default. Several breach cases in the report involved attackers reaching employees via Microsoft Teams from outside the organization.

AI is being used to accelerate existing techniques, not invent new ones

Generative AI use by threat actors is real and growing. The report collaborated with Anthropic to analyze 793 threat actors who were flagged for violating acceptable use policies on Claude, and found that in the median case, actors sought AI assistance across approximately 15 distinct attack techniques. Some actors were querying across 40 or 50 techniques.

AI is primarily being used to automate and scale well-known attack techniques, not to unlock genuinely novel capabilities. Less than 2.5% of observed AI-assisted techniques involved rare or uncommon methods. What AI does do is lower the barrier for less-sophisticated actors to execute attacks that would previously have required more skill, and it accelerates the pace and scale of existing techniques. AI-assisted vulnerability research and exploit development is also showing up in the data, which connects directly to the vulnerability exploitation trend we noted earlier.

Shadow AI is a separate concern worth flagging: 67% of users were accessing AI services through personal (non-corporate) accounts on corporate devices. Source code was the most common data type uploaded to external AI models. For DIB organizations with Controlled Unclassified Information (CUI) handling requirements, this is a compliance risk that needs visibility and clear policy.


The threat landscape for DIB and manufacturing organizations

Manufacturing saw 2,713 confirmed breaches this year, with ransomware accounting for 61% of them. Vulnerability exploitation was the top initial access vector at 38%, followed by phishing at 13% and credential abuse at 11%. Third-party involvement was high at 61% of breaches. If you're a manufacturer in the defense supply chain, these numbers are describing your environment.

Public Administration breaches, the closest proxy for government-adjacent organizations in the DBIR, show an even higher rate of state-affiliated actor involvement, with nation-state groups appearing in roughly one-third of breaches. Vulnerability exploitation drove 82% of hacking-related breaches in that sector. For DIB organizations that interface with government systems or hold CUI, the combination of ransomware from financially motivated criminals and targeted espionage from state actors represents a genuinely dual threat.

The report includes a deep-dive section that documents a large-scale operation in which individuals affiliated with North Korea used stolen identities to obtain remote employment at companies across multiple sectors. The report estimates these IT workers used approximately 15,000 possible stolen identities, with each individual typically holding three to five simultaneous positions. Technology, engineering, HR, and marketing roles were targeted. For organizations onboarding remote contractors or employees, particularly in sensitive technical roles, this is a real insider threat vector that needs to be part of your hiring and identity verification process.

Eight security practices to prioritize in 2026

Most SMBs and DIB organizations are tackling a deeply complex threat landscape with limited security resources. The good news is that Verizon’s DBIR surfaces a lot of data to help these organizations understand which problems are the most urgent for them to address so they can focus their efforts. 

Based on what the 2026 DBIR reveals, these are the actions that will have the biggest impact in protecting your organization against the attack paths most likely to affect you. 

1. Treat CISA KEV as your mandatory patch list.

If a vulnerability is on the KEV catalog and it's in your environment, it needs a remediation plan and a deadline. When you have to triage, prioritize recently exploited vulnerabilities over those with no recent exploitation activity. Build a repeatable vulnerability management process, not just a spreadsheet.
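As an added illustration of the triage rule in this step (and of the "recently exploited first" advice in the vulnerability section above), here is a small Python script that is not from the report or from Secureframe: it reads a KEV-style JSON feed, keeps only the entries that also appear in a scanner inventory, and ranks them by recency of catalog addition, known ransomware use, and how far past CISA's due date they are. The feed shape follows the fields of CISA's published KEV JSON; the CVE ids, hosts, and dates are constructed placeholders.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's published KEV JSON feed (fields: cveID,
# product, dateAdded, dueDate, knownRansomwareCampaignUse). The CVE ids, dates and
# products below are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "2026.05.01",
    "vulnerabilities": [
        {"cveID": "CVE-2026-00001", "product": "VPN gateway (placeholder)",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-00002", "product": "Web framework (placeholder)",
         "dateAdded": "2024-03-02", "dueDate": "2024-03-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-00003", "product": "File transfer tool (placeholder)",
         "dateAdded": "2025-11-15", "dueDate": "2025-12-06",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: CVE -> hosts where it was found.
INVENTORY = {
    "CVE-2026-00001": ["vpn-edge-01"],
    "CVE-2025-00003": ["mft-01", "mft-02"],
    "CVE-2024-00002": ["legacy-web-01"],
    "CVE-2023-99999": ["printer-07"],  # not in KEV: stays on the normal patch cadence
}

REPORT_DATE = date(2026, 5, 26)       # fixed "today" so the run is repeatable
RECENT_WINDOW = timedelta(days=365)   # the report's "roughly a year" recency heuristic

def triage(kev_json, inventory, today):
    """Return the KEV entries present in the inventory, highest priority first."""
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for cve, hosts in inventory.items():
        entry = catalog.get(cve)
        if entry is None:
            continue  # not on KEV, so not part of the mandatory list
        recent = today - date.fromisoformat(entry["dateAdded"]) <= RECENT_WINDOW
        ransomware = entry["knownRansomwareCampaignUse"] == "Known"
        rows.append({
            "cve": cve, "hosts": hosts,
            "tier": "P1" if recent and ransomware else "P2" if recent else "P3",
            "days_overdue": max(0, (today - date.fromisoformat(entry["dueDate"])).days),
        })
    # Tier first, then the most overdue CISA due date, then the widest footprint.
    rows.sort(key=lambda r: (r["tier"], -r["days_overdue"], -len(r["hosts"])))
    return rows
```

Calling `triage(KEV_SAMPLE, INVENTORY, REPORT_DATE)` yields the P1 VPN entry first, the recently added file-transfer entry second, and the two-year-old web framework entry last, which is the ordering the report's triage advice implies.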

2. Enforce MFA everywhere.

Remote access, VPNs, cloud applications, email, all of it. MFA is still one of the highest-leverage controls you can implement, and the data on third-party breaches shows that many of them come down to absent or misconfigured MFA on vendor cloud accounts. Check your own and ask your vendors about theirs.

3. Build a credential monitoring capability.

Whether through a commercial service or threat intelligence feed, you want to know when employee credentials show up in breach dumps. The infostealer-to-ransomware pipeline is real, and early warnings give you time to act.

4. Extend your security awareness training to include phone and messaging vectors.

Email phishing training is table stakes at this point. The attacks that are growing and succeeding involve voice calls, SMS, and collaboration platforms. Train all of your employees to recognize these attacks, and your help desk especially.

5. Harden your identity and privilege management posture.

The report's deep dive on privilege escalation found that 65% of attack techniques in this area can be mitigated through properly managing access permissions. Disable dormant accounts, enforce least-privilege for service accounts, and review who has admin access and whether it's still warranted.


6. Know your third-party risks.

Map the vendors and service providers who have access to your systems or data, and ask them the hard questions about their authentication controls and patch cadence. This is especially important if you're pursuing CMMC Level 2 certification, since the posture of your third parties is part of your own.

7. Get your backup and recovery program tested.

The decline in ransom payments isn't simply a matter of organizations standing up to attackers; the organizations that don't pay generally have functioning backups and recovery plans. If you haven't run a recovery or tabletop exercise recently, now's a good time.

8. Address Shadow AI with policy and visibility.

If your employees are uploading source code or sensitive documents to external AI tools via personal accounts, you likely don't know it yet. A clear acceptable use policy and DLP visibility into AI tool usage will tell you what's actually happening.

The bigger pattern this data points to

The 2026 DBIR doesn't tell us anything genuinely surprising about what good security looks like. It tells us that the basics still matter the most, and that the organizations doing them consistently are the ones that fare better when (not if) something goes wrong.

But the data also reveals a broader message that reflects a larger shift happening across the cybersecurity industry. Patching timelines, credential leak pipelines, third-party exposure windows that sit open for months: these aren't due to gaps in knowledge or awareness, but to a lack of visibility, meaning the operational capacity to detect drift, close gaps continuously, and maintain a posture that reflects reality rather than the last time someone ran a scan or completed an assessment.

Point-in-time compliance checks were designed for a threat environment that no longer exists. When 50% of the ransomware victims who had a prior credential exposure event were hit within 95 days of it, a yearly review cycle isn't protecting you from anything. The most secure organizations aren't necessarily the ones with the largest security teams. They're the ones that have built continuous visibility: automated control monitoring, real-time drift detection, and the operational processes to act on signals quickly when they appear.

Organizations that treat security as a continuous posture rather than a periodic event will be those less likely to end up as an unfortunate data point in next year’s DBIR.

Secureframe can help you gain this visibility and enhance your security posture by simplifying and automating manual tasks related to security, privacy, and compliance.

To learn more about how Secureframe can play an integral part in enhancing your security and compliance posture, request a demo today.



Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.