ChannelLife UK - Industry insider news for technology resellers

Ransomware victims refuse to pay as data extortion soars

Wed, 18th Feb 2026

Arctic Wolf has published its 2026 Threat Report, finding that 77% of organisations hit by ransomware last year did not pay. At the same time, data-only extortion and remote access abuse rose sharply across its incident response caseload.

The report draws on hundreds of incident response engagements and threat intelligence from the past year, along with telemetry from the Arctic Wolf Aurora platform, which processes more than 9 trillion events each week.

Ransomware, business email compromise (BEC) and data incidents made up 92% of the incident response work covered. Ransomware remained the most common category, but the biggest shift came from data incidents, which rose from 2% to 22% of cases.

Shift in extortion

Data-only extortion incidents increased 11-fold year on year. The report attributed the change to organisations improving recovery processes and restoring systems without paying.

"Attackers continue to rely on operational efficiency - logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities," said Ismael Valenzuela, vice president of labs, threat research and intelligence at Arctic Wolf.

Ransomware payments remained the exception: in 77% of cases, victims refused to pay. When payments were made, professional negotiation reduced demands by an average of 67%.

The report also pointed to earlier intervention. Pre-ransomware activity accounted for 5% of cases, which it linked to detection and response before encryption.

Remote access abuse

A second pattern emerged around initial access. Sixty-five per cent of non-BEC intrusions stemmed from abuse of remote access technologies such as RDP, VPN and RMM tools. The report called this a "dramatic rise" compared with two years ago and said attackers increasingly chose "low-friction entry points" over exploiting vulnerabilities.

That shift aligns with continued reliance on credential-based compromise and legitimate IT pathways. "Organisations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year," Valenzuela said.

Email deception

BEC remained a major source of incident response work, driven primarily by phishing. Phishing accounted for 85% of BEC incidents, which Arctic Wolf linked to more convincing and scalable fraudulent messages created with AI.

While the report highlighted newer social engineering techniques, it also pointed to older software weaknesses that continue to be exploited. All of the top exploited CVEs it observed were from 2024 or earlier, reinforcing the importance of patching and rotating credentials after vulnerability exposure.

Earlier intervention

Arctic Wolf's incident response leadership said earlier detection improved outcomes by interrupting attacks before they escalated. Kerri Shafer-Page, vice president of incident response, linked that to cost and operational impact.

"We continue to see that early detection completely changes the outcome of an attack," Shafer-Page said. "When defenders identify malicious activity before an adversary can detonate ransomware or escalate privileges, the difference in cost, downtime, and business disruption is dramatic. Preparedness allows us to be decisive."

Western Europe recorded the highest levels of ransomware activity, reflecting continued pressure on organisations across the region.

For the UK, the report listed the top 10 threat actors targeting businesses, including Akira, Lynx and Qilin. It also broke down victim organisation size and highlighted sectors facing sustained attention across Europe, including healthcare, manufacturing and retail.

Overall, the report said extortion attempts are evolving as defenders improve backup and recovery, with criminals placing greater emphasis on data theft and access methods that reduce the need for technical exploits.