- ExtraHop’s Global Threat Landscape Report shows that 49% of ransomware victims only detected attacks after data theft, up from 31% last year.
- The average length of stay before detection is 2.5 weeks; Attackers take advantage of encrypted channels, valid accounts, and alert fatigue to evade defenses.
- Ransom payments fell from $3.6 million to $2.8 million, but the frequency of payments increased sharply: 83% of victims surveyed paid in 2026 compared to 70% in 2025.
Criminals are getting better at hiding within their victims’ infrastructure, stalking and stealing files without setting off any alarms.
Today, network detection and response experts ExtraHop released the “Global Threat Landscape Report,” based on a survey of more than 1,800 IT and security leaders worldwide. It says that about half (49%) of organizations affected by ransomware did not detect the threat until after data was stolen.
This represents an increase from 31% a year ago, ExtraHop emphasized, showing the improvement offenders made in just 12 months.
Various factors
On average, cybercriminals have 2.5 weeks of quiet time before being detected in ransomware incidents, according to the report. Additionally, 14% of victims were unaware of an attack until they received a ransom demand, also up from 6% a year ago.
“Long dwell times often parallel a highly complex threat environment where critical alerts are hidden,” ExtraHop said in a press release shared with TechRadar Pro. Researchers discovered several factors that led to delays in investigating critical alerts, including attackers using encrypted channels (41%), attacker activity mirroring legitimate workflows and processes (38%), using valid, highly privileged account permissions (34%), and alert fatigue (30%). Undermining basic behavior also allowed anomalous actions to go unnoticed (27%).
The good news is that the average ransom payment decreased year over year, from $3.6 million to $2.8 million. However, the bad news is that the frequency of payments has skyrocketed. While in 2025 70% of respondents paid a ransom, this year 83% have done the same, at least among ExtraHop respondents.
When Chainalysis conducted a similar survey recently, it said that in 2025 the number of successful ransomware attacks grew, while the number of payments remained relatively stable, meaning that, in absolute numbers, there were fewer companies paying ransomware attackers.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
