Research from Arctic Wolf shows that cybercriminals are carrying out more ransomware attacks than ever, but the initial ransom demand in ransomware attacks has nearly halved to $414,000.
Cybercriminals are carrying out more ransomware attacks than ever, but are lowering their initial ransom demands. This is according to Arctic Wolf’s 2026 Threat Report, which states that the average initial demand has dropped to $414,000, nearly half as much as last year.
According to the report, this is the first drop in initial ransom demands in four years. Researchers suggest that attackers are deliberately asking for lower amounts to increase the likelihood of actual payment. However, the total impact of ransomware remains significant.
Ransomware remains dominant
Ransomware accounted for 44% of all incidents handled by Arctic Wolf in 2025. As such, it remains the most common form of cyberattack. Other frequently reported incidents included Business Email Compromise (26%) and data breaches without ransomware or the involvement of a malicious insider (22%).
In the ransomware incidents involving Arctic Wolf, criminals collectively demanded more than $302 million in ransom. Ultimately, victims paid nearly $16.5 million. In 77% of cases, organizations decided not to comply with the demand.
When negotiations did take place, the incident response team often succeeded in significantly reducing the amount. In 23% of the cases, an average of 67% of the original demand was waived. Due to these reductions and the high number of refusals, criminals ultimately received only about 5% of the total amount demanded. In other words, 95% of the requested sums were not paid out.
Targeted pricing
“A ransom demand is not set at random. Cybercriminals tailor their request precisely to the victim, the sector, the expected impact of downtime, and even whether the victim has cyber insurance,” says Christopher Fielder, Field CTO at Arctic Wolf. Lower initial amounts are intended to lower the barrier to payment. At the same time, large, publicly known payments ensure that some groups continue to demand higher amounts.
Multi-factor authentication, reliable backups, and timely patching remain essential to staying ahead of such ransomware attacks. Limiting access rights and regularly testing an incident response plan also help to mitigate damage.