Ransomware has evolved from a nuisance-level cybercrime into the most economically destructive category of cyber threat facing organizations worldwide. The trajectory from CryptoLocker’s emergence in 2013 to the sophisticated, multi-stage extortion operations of 2026 represents one of the most rapid evolutions in criminal methodology in modern history. As we assess the ransomware landscape heading toward 2028, three defining trends emerge: the continued sophistication of extortion models, the deliberate targeting of critical infrastructure and human safety, and an escalating — if still insufficient — global law enforcement response that is beginning to reshape the risk calculus for operators.
The Economics of Modern Ransomware
The ransomware economy in 2026 is a mature, professionalized industry with estimated annual revenues exceeding $20 billion. The ransomware-as-a-service (RaaS) model, which separates the roles of malware developers, initial access brokers, affiliate operators, and money launderers, has created an ecosystem with the operational characteristics of a legitimate industry — complete with customer service operations, service level agreements, and competitive market dynamics.
The average ransom payment has continued to climb, reaching $2.73 million in 2025 according to cybersecurity industry estimates. But averages obscure the bimodal distribution: attacks against small and medium businesses typically demand $100,000 to $500,000, while attacks against large enterprises, healthcare systems, and critical infrastructure demand $10 million to $70 million. The record single ransom payment — $75 million, reportedly paid by a Fortune 500 company to the Dark Angels group in 2024 — illustrates the upper bound of what sophisticated operators can extract from high-value targets.
The economics are driven by a fundamental asymmetry: the cost of a ransomware attack to the victim vastly exceeds the ransom demand. The average total cost of a ransomware incident — including downtime, recovery expenses, legal fees, regulatory fines, reputational damage, and increased insurance premiums — is estimated at $5.3 million, nearly double the average ransom payment. This asymmetry is precisely what makes ransom payment economically rational for individual victims, even as it fuels the broader criminal ecosystem.
Cyber insurance has become a critical factor in the ransomware economy. Approximately 65 percent of medium and large enterprises now carry cyber insurance policies that cover ransom payments, and insurers have effectively become the largest single payers in the ransomware ecosystem. This has created a perverse dynamic in which the insurance industry subsidizes criminal operations while simultaneously driving up premiums. Several major insurers have responded by imposing stringent security requirements as preconditions for coverage, effectively functioning as de facto regulators of enterprise cybersecurity standards.
From Double to Triple Extortion
The evolution of ransomware extortion models illustrates the criminal ecosystem’s capacity for innovation. The original ransomware model — encrypt data, demand payment for the decryption key — was supplemented in 2019-2020 by “double extortion,” in which attackers also exfiltrate sensitive data and threaten to publish it if the ransom is not paid. Double extortion addressed the primary defensive countermeasure against traditional ransomware: offline backups. Even organizations with robust backup and recovery capabilities face enormous pressure to pay when threatened with the publication of customer data, trade secrets, or other sensitive information.
Triple extortion, which emerged in 2021 and has become standard practice among top-tier ransomware groups, adds a third layer of pressure: DDoS attacks against the victim’s remaining infrastructure, harassment of the victim’s customers, patients, or business partners, and — in extreme cases — threats of physical violence against executives. The addition of these pressure vectors makes ransomware incidents simultaneously a data security crisis, a privacy breach, a business continuity emergency, and a personal safety concern.
Some groups have pushed the model even further. The ALPHV/BlackCat operation pioneered the tactic of filing SEC complaints against victims who failed to disclose breaches within the required timeframe, weaponizing regulatory compliance as an additional extortion lever. Others have developed “quadruple extortion” variants that include threats to sell stolen data to competitors, report regulatory violations to authorities, or conduct follow-on attacks using information gathered during the initial compromise.
The most chilling innovation is the targeting of individuals whose personal data was stolen. Several ransomware groups now directly contact patients, students, or employees whose records were compromised, threatening to publish sensitive personal information — medical diagnoses, psychiatric records, financial data — unless the individuals themselves pressure the victim organization to pay. This tactic has been particularly effective against healthcare organizations, where the sensitivity of patient data creates enormous pressure.
Critical Infrastructure: Crossing the Red Line
The ransomware industry’s most consequential evolution has been the systematic targeting of critical infrastructure — hospitals, water utilities, energy systems, transportation, and emergency services. These targets were historically considered off-limits even by criminal standards, but the erosion of informal norms and the enormous financial pressure that critical infrastructure disruption creates have made them increasingly attractive to profit-maximizing criminal enterprises.
Healthcare has been devastated. The 2024 Change Healthcare breach — which disrupted prescription drug distribution, claims processing, and patient records across the entire U.S. healthcare system for weeks — demonstrated the cascading impact of attacking centralized healthcare IT infrastructure. UnitedHealth Group’s decision to pay a reported $22 million ransom to the ALPHV/BlackCat group underscored both the criticality of the systems and the inadequacy of existing resilience mechanisms.
The human cost is not abstract. Research published in the journal Science in 2023 found a statistically significant increase in in-hospital mortality during ransomware attacks, with the effect concentrated among patients with time-sensitive conditions — heart attacks, strokes, and sepsis — where delays in accessing medical records, imaging systems, and laboratory results directly impact outcomes. Each major hospital system ransomware attack is estimated to result in measurable excess patient mortality.
Water and wastewater systems represent another critical target category. These systems are typically operated by small municipal utilities with minimal cybersecurity budgets and aging operational technology. The convergence of IT and OT networks — driven by efficiency gains from remote monitoring and automation — has expanded the attack surface available to ransomware operators. A successful attack on a water treatment facility could contaminate drinking water, disrupt sewage processing, or cause environmental damage.
Energy systems face similar risks. While the Colonial Pipeline attack in 2021 disrupted fuel distribution across the U.S. East Coast, it targeted the company’s IT billing systems rather than the pipeline’s operational technology. The prospect of ransomware operators gaining access to actual OT systems — SCADA controllers, safety instrumented systems, and industrial control networks — represents a qualitatively more dangerous threat that could cause physical damage and endanger human life.
The Law Enforcement Response: Operation Cronos and Beyond
The global law enforcement response to ransomware has accelerated significantly since 2023, driven by the recognition that ransomware has escalated from a criminal nuisance to a national security threat. Operation Cronos, the international takedown of the LockBit ransomware infrastructure in February 2024, demonstrated that law enforcement agencies could disrupt even the most sophisticated RaaS operations.
The LockBit takedown was notable not only for its operational success — seizing servers, obtaining decryption keys, unmasking the group’s administrator — but for its psychological warfare component. Law enforcement agencies used LockBit’s own leak site infrastructure to post taunting messages, release affiliate information, and generally demonstrate that the group’s operational security was not as robust as it claimed. The objective was not merely disruption but deterrence: sending a message to the broader ransomware ecosystem that anonymity is not guaranteed.
Subsequent operations have targeted ALPHV/BlackCat, Hive, Ragnar Locker, and numerous smaller groups. The cumulative effect has been to increase the operational risk and reduce the expected longevity of ransomware brands. Groups now anticipate law enforcement action and build infrastructure with rapid reconstitution in mind — a “whack-a-mole” dynamic that increases costs for both sides but has not fundamentally broken the criminal business model.
The most impactful enforcement development may be the increasing willingness of governments to conduct offensive cyber operations against ransomware infrastructure. U.S. Cyber Command and the FBI’s cyber division have reportedly conducted operations to disrupt ransomware groups’ command-and-control infrastructure, cryptocurrency wallets, and communications channels. This represents a significant escalation in the use of state cyber capabilities against criminal actors.
Sanctions have emerged as a powerful tool. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has designated multiple ransomware operators and their financial facilitators, making it illegal for U.S. persons — including insurance companies and ransomware negotiation firms — to facilitate payments to sanctioned entities. This creates a legal risk for victims who pay ransoms and has complicated the business model for groups that cannot guarantee their affiliates are not sanctioned.
The 2028 Outlook: Scenarios and Preparations
The ransomware landscape in 2028 will be shaped by the interaction of criminal innovation, defensive improvements, and law enforcement pressure. Several scenarios are plausible.
In the continuation scenario, ransomware remains a persistent, high-volume threat but does not escalate significantly beyond current levels. Improved defenses, insurance requirements, and law enforcement disruptions maintain a rough equilibrium in which ransomware is a manageable — if expensive — cost of doing business.
In the escalation scenario, ransomware operators increasingly target critical infrastructure and human safety, potentially causing mass casualties. AI-powered attack tools reduce the skill barrier for conducting sophisticated operations, expanding the pool of capable actors. A major attack on healthcare, water, or energy infrastructure with significant loss of life triggers a political crisis and a dramatically escalated government response.
In the disruption scenario, a combination of aggressive law enforcement action, cryptocurrency regulation that constrains money laundering, and improved international cooperation substantially degrades the ransomware business model. While ransomware does not disappear, the profitability and scale of operations are significantly reduced.
Organizations preparing for 2028 should plan for the worst while working toward the best. This means treating ransomware as a business continuity crisis, not merely a cybersecurity incident. It means investing in resilience — the ability to maintain operations during and recover quickly from an attack — as aggressively as in prevention. It means engaging with law enforcement before incidents occur, establishing relationships and reporting channels that enable rapid response. And it means honestly assessing whether the organization’s current security posture is adequate for a threat that is growing more sophisticated, more brazen, and more dangerous with each passing year.
The ransomware crisis is not a technology problem alone. It is an economic problem, a governance problem, a geopolitical problem, and increasingly a public safety problem. Solving it will require action across all of these dimensions — and the window for preventive action, before a catastrophic critical infrastructure attack forces reactive policy-making, is closing.