Ransomware groups are demanding larger payouts, but a growing number of victims are refusing to pay.
That’s what Coalition found in a review of insurance claims filed by customers in 2025, and this is an indication that enterprises have become better at protecting themselves from such attacks, according to Shelley Ma, incident response lead for the San Francisco-based cyber insurance provider.
“While attackers’ ransomware demands have hovered around $1 million, payouts are becoming less likely as defenders have gotten better and more resilient,” Ma told MSSP Alert, noting that while 44% of Coalition policyholders in 2024 paid the ransom when the demand was “reasonable and necessary,” only 14% did so last year. “If policyholders keep investing in backups, response plans, and active security, this ‘more incidents, less economic leverage for ransomware crews’ trend is likely to persist.”
The figures in Coalition’s 2026 Cyber Claims Report, released this month, should bring some relief to enterprises that have been under the gun by ransomware groups for a number of years and cybersecurity firms working to protect them.
Chainalysis’ Own Report
The numbers dovetail with what Chainalysis reported late last month. The blockchain analysis company found in its 2026 Crypto Crime Report that the total on-chain ransomware payments in 2025 decreased by about 8%, to $820 million, despite a 50% increase in the number of claims attacks.
The Chainalysis researchers attributed this to several factors, including improved incident response among victims, increased regulatory scrutiny, international law enforcement action against ransomware groups and their associated networks used to launder payments, and the fragmentation of major ransomware-as-a-service (RaaS) operations, leading to smaller and more independent ransomware actors.
All of this comes as ransomware groups ramp up pressure on the organizations they compromise. They traditionally encrypted the victims’ data and demanded a ransom in exchange for a decryption key. Several years ago, they began double-extortion campaigns, adding data exfiltration to the mix and leaving the threat of leaking the data.
Cranking Up the Pressure
Now they’re increasingly running triple-extortion operations, which include contacting the victim organization’s customers or employees directly and alerting them that their personal data has been stolen because their company refused to pay the ransom, Ma said.
“We’ve even seen quadruple extortion, where attackers use the victim organization’s own regulatory obligations against them,” she said. “For example, some groups have actually filed complaints with the SEC (U.S. Securities and Exchange Commission) against their own victims for failing to disclose the breach within the required reporting window in order to increase the pressure to pay.”
AI Changing the Game
AI is also becoming a factor in the ransomware industry. Threat groups target both large organizations that have significant financial resources and as many smaller companies as possible to bring in the same amount of money, Ma said. AI-based automation enables both a greater number of attacks and an increased speed in their operations.
On the other side are corporate security teams using AI to bolster their defenses.
“Organizations are turning more toward automation and intelligent monitoring to help keep pace with the speed of these growing attacks,” she said. “Security teams are often dealing with enormous volumes of alerts and potential vulnerabilities across their environments. AI is helping them focus on the most important vulnerabilities and security gaps, and identify more anomalous behaviors to stop attackers in their tracks.”
BEC, FTF are Top Threats
While ransomware, with an average loss of $269,000, was the costliest type of claim last year, it was business email compromise (BEC) and funds transfer fraud (FTF) that accounted for the majority – at 58% – of cyber incidents, according to Coalition.
The frequency of BEC claims to Coalition rose 15% year-over-year, with the average loss jumping 28%, to $27,000. In addition, bad actors often use BEC as a stepping stone to more severe cyberattacks, such as FTF, which was the second-most reported attack, at 27%.
“Our claims data shows that old-fashioned email-based crime hasn’t gone anywhere,” Rob Jones, Coalition’s global head of claims, said in a statement. “BEC and FTF are still powered by social engineering, which targets the individual, and those attacks can be just as damaging to businesses.”
Ma said remote access tools are attractive entry points for attackers, noting that they are attractive entry points for ransomware and other attackers. She added that 59% of ransomware incidents started with a VPN, with remote desktop applications making up 14%.
Where MSSPs Come In
These are areas where MSSPs are crucial, she said. They “play a critical role in ensuring these internet-facing applications — which are increasingly common across complex hybrid cloud estates — are continuously monitored, wrapped in strong identity protections, and patched in a timely manner,” Ma said.
In addition, the active management tools they use identify suspicious activity earlier in the attack lifecycle. MSSPs have to monitor not only the network perimeter, but also the behaviors of the users within it.
“Second, the data shows the clear value of incident response providers,” she said, pointing out that negotiators with Coalition Incident Response achieved an average 65% reduction in ransom demands, taking the average initial $873,000 demand down to about $355,000/
“This is where a managed service provider adds resilience after an attack, including leading containment and forensics and helping clients decide when to pay or not by either proving the ability to restore from backups or negotiating and handling transactions to reduce costs and legal and regulatory fallout when payment is unavoidable,” Ma said.
