Here’s a number that sounds like good news: ransomware profitability is declining.

Here’s the one that ruins it: 2025 saw record-high victim counts on data leak sites.

Mandiant’s latest threat intelligence report puts both facts side by side. The picture isn’t what optimists or alarmists want. The ecosystem is weakening financially. And it’s more active than ever. Both things are true. That’s the problem.

The profitability drop is real. Better defenses, offline backups, faster recovery, segmented networks. More victims can say no to ransom demands. Law enforcement disruptions against LockBit, ALPHV, BlackBasta, and RansomHub fractured the big RaaS brands. Payment rates are down. Average ransom amounts are down. Defenses are actually working.

But the volume is at a record. When the major groups got disrupted, their affiliates didn’t retire. They scattered. Qilin and Akira absorbed displaced operators and spun up new infrastructure. Leaked builders and playbooks from the busted groups circulated through criminal forums, making it cheaper and faster than ever to start a ransomware operation.

So you get what happens in any criminal economy when the big cartels take a hit: total revenue dips, but the number of operators multiplies. More groups, smaller operations, more targets, lower margins.

Want a concrete example? TridentLocker, a group barely anyone was tracking a month ago, claimed an attack on bpost, Belgium’s national postal service. That’s the proliferation cycle in action. Disrupt one group, two more pop up. Each one needs a splashy debut to attract affiliates, and critical infrastructure is the attention-grabber of choice.

Meanwhile, the budget conversation is broken. The World Economic Forum’s Global Cybersecurity Outlook 2026 found that CEOs now rank cyber-enabled fraud as their top concern, ahead of ransomware. CISOs still rate ransomware as the primary threat. That gap matters. When the CEO and CISO disagree on what the biggest threat is, security programs lose coherence. The CEO reads about declining ransom payments and thinks the problem is fading. The CISO reads about record victim counts and knows it isn’t.

Here’s the thing: “ransomware is getting less profitable” is not the same as “ransomware is getting less dangerous.” Lower margins per attack, spread across more groups hitting more targets, add up to a net increase in organizational risk. You’re less likely to face a sophisticated, well-resourced group like LockBit at its peak. You’re more likely to face someone less predictable and harder to negotiate with.

If you’re briefing leadership this week: Defenses are working. That’s real and deserves sustained investment. But the risk hasn’t dropped proportionally to the profitability decline. The ecosystem adapted by fragmenting. More groups are operating now than at any previous point. Complacency is the real threat here. If “declining profitability” gets simplified into “solved problem” at the board level, orgs will cut investment right when things are most chaotic.

And fraud and ransomware aren’t competing priorities. They’re concurrent ones. CEOs are right to worry about AI-enabled fraud. CISOs are right to worry about ransomware. The alignment conversation between security leadership and the C-suite needs to happen more often, with better data.

Original post on gNerdSEC