The not-so-fun facts to know about ransomware for 2026

Like a Pokémon with just the right number of experience points, the ransomware industry is expected to evolve in 2026.

That’s according to NetNordic Threat Intelligence Lead Analyst Santeri Anttila, who told IT Brew on the sidelines of the Live! 360 Tech Con in Orlando that the threat is growing more sophisticated as malicious actors gain access to tools like ransomware-as-a-service and initial access brokers, who are threat actors selling unauthorized access to corporate networks.

“Previously, there was only one group, and now there’s maybe more than 10 different specialized types of predators,” Anttila said.

Sami Laiho, chief research officer at IT company Adminize and speaker alongside Anttila at a Nov. 18 keynote on the state of ransomware, added attackers are hurling more double extortion attacks, which is when they encrypt stolen data and threaten to sell it.

“You basically extort it for two different types of attacks now, and usually both are done at the same time,” Laiho said.

Ransomware not-so-fun facts. During the keynote on the state of the ransomware industry, Laiho said many people still believe that ransomware attacks are deployed by “nerds in the basement with two computers and 1,000 SIM cards.” However, the reality is that ransomware groups are far more sophisticated entities.

“They don’t understand that these groups are very big. They’re like companies,” Laiho said during the panel, adding that ransomware groups can employ so many people that they require their own HR departments.

Anttila said ransomware demands today can range anywhere between $20,000 to $80 million.

“They have a really good financial department over there, so they can really estimate the ransom demand in a way that they most likely get paid,” he said.

But fear not: Laiho said malicious actors aren’t above holiday discounts and other seasonal promotions.

“I actually have a customer that got 50% off the ransom because it was Christmas,” Laiho said. “So, that’s really nice. That’s the customer service I know we really value,” he joked.

Avoiding security theater in 2026. With growing ransomware threats, the conversation is no longer about how to avoid breaches, but rather, how to mitigate the impact, according to Laiho.

“What I try to tell everyone that I ever speak about security to [is]...that your job is not to stop the enemy,” Laiho said. “Your job is to slow it down.”

Laiho and Anttila’s tips for organizations to better defend themselves against ransomware attacks in 2026 aren’t anything out of the ordinary. Anttila recommended companies keep users educated on ongoing threats and what to do in the event something goes wrong, and Laiho advised companies to master the principles of least privilege and zero trust.

“If you have an attacker that gets a straight line into the company, it doesn’t look that different,” Laiho said. “But when we make them swim sideways multiple times, then it becomes an anomaly, which is then easier for the reactive side to actually detect because it’s abnormal behavior.”