S‑RM’s 2026 Cyber Incident Insights Report offers one of the clearest indicators yet of how rapidly the global threat landscape is shifting. Drawing on more than 800 incidents handled throughout 2025, the report reveals a ransomware ecosystem that is expanding, fragmenting and becoming less predictable, while AI adoption (on both sides of the divide) introduces new operational and governance pressures for organisations.
For cybersecurity lawyers and risk leaders, the findings matter because they speak directly to evolving regulatory expectations, heightened stakeholder scrutiny and the emerging contours of what “appropriate security” means in 2026.
A threat landscape defined by fragmentation and acceleration
Ransomware remains the dominant threat, but the ecosystem behind it is structurally unstable. S‑RM responded to attacks involving 67 distinct ransomware groups, up from 58 the previous year. That explosion of actors has made attribution harder and outcomes less predictable.
Established RaaS operations such as Akira and Qilin remain prolific, together accounting for almost half of the ransomware incidents S‑RM handled. But beyond these incumbents lies an increasingly chaotic field of new operators, many of which are short‑lived, poorly coordinated or internally fractured. Some of the most illustrative examples include:
- BlackCard, which inadvertently wiped servers during data exfiltration; and
- VanHelsing, which collapsed after a developer absconded with funds and decryption keys.
This instability has made live incident response more challenging. Organisations cannot assume that threat‑actor playbooks will be consistent or even rational.
Ransomware actors are getting closer: linguistically, geographically and tactically
A striking trend in 2025 was the proximity of certain threat actors to their victims. English‑speaking groups such as Scattered Spider dominated headlines, but S‑RM observed something deeper: better‑calibrated communications, more deliberate negotiation tactics, and more coherent messaging.
Large language models (LLMs) appear to be driving this shift. Communications from established RaaS groups were noticeably more polished and psychologically attuned, improving their ability to pressure victims and shape narratives. At the same time, affiliates operating outside traditional Russia/CIS geographies broadened reach and improved cultural fluency, enabling more credible social engineering attacks.
Meanwhile, inexperienced groups deviated wildly from expected norms, for example by issuing unrealistic deadlines or publishing data prematurely, which further complicated negotiation strategies.
The net effect: threat actors are more empowered, more geographically diffuse and more capable of operating across borders, aided heavily by AI‑enhanced communication.
AI is no longer an abstract threat and is expanding attack surfaces today
AI occupies a prominent place in the report, but not for the reasons most headline narratives suggest. S‑RM’s analysis emphasises that the more pressing risk lies not in fully autonomous AI‑driven cyberattacks, but in insecure enterprise adoption of AI agents.
Organisations are rapidly introducing non‑human identities: AI systems with privileged access and broad autonomy. These agents can read emails, execute workflows, interact with APIs, and make decisions with limited oversight.
This has created new attack pathways, including:
- prompt injection attacks, where malicious instructions are hidden within data the AI is asked to process;
- agent impersonation, exploiting agents’ broad access and lack of robust guardrails;
- misuse of developer‑linked AI tools being repurposed for reconnaissance, credential harvesting and vulnerability exploitation.
Real‑world cases underline the risks. The January 2026 release of an autonomous AI agent demonstrated how quickly insecure implementations can proliferate. Despite widely publicised vulnerabilities, the tool was downloaded hundreds of thousands of times, enabling attackers to steal credentials, API keys and sensitive data.
For boards, the message is clear: AI adoption without corresponding identity, privilege and monitoring discipline risks creating opaque, highly‑privileged intermediaries that are easier to manipulate than human users.
Attacks in Asia-Pacific surged more sharply than anywhere else
The most significant regional shift documented in the report is the dramatic rise in ransomware across Asia-Pacific. Over 760 organisations were named on leak sites, a 59% increase year‑on‑year. East and Southeast Asia saw a staggering 71% rise.
Ransomware accounted for 64% of incidents S‑RM responded to in the region, far above the global average. The drivers of this shift include:
- rapid digitisation across businesses of all sizes;
- widespread adoption of cloud services without commensurate security maturity;
- new and stricter privacy regulations that increase the leverage of data‑exfiltration‑based extortion;
- a disproportionate focus on the region by newer ransomware groups seeking less mature markets.
Notably, Australia remained a significant outlier, with a 27% annual increase in ransomware cases and mandatory ransom‑payment reporting introduced under the new Cyber Security Act: the first regime of its kind globally.
US organisations remain the prime target and by a significant margin
Over 60% of all incidents S‑RM handled involved US‑based companies. The reasons are familiar: large corporate footprints, low tolerance for disruption, and a regulatory environment that incentivises early detection and formal reporting.
This concentration is expected to continue into 2026, even as threat actors expand eastward.
Entry vectors remain depressingly predictable
Despite the complexity of the threat landscape, many compromises still stem from well‑known, preventable weaknesses:
- Single‑factor remote access remains the dominant entry vector.
- Vulnerabilities in public‑facing infrastructure remain heavily exploited.
- VPN devices accounted for 68% of remote‑access exploit cases, and almost 70% of associated incidents were linked to Akira campaigns.
- For BEC, credential phishing accounted for 80% of cases, with MFA misconfiguration widespread. Even where MFA existed, session‑token theft frequently bypassed it.
These patterns demonstrate that basic security controls remain unevenly implemented, and misconfiguration is still a primary facilitator of compromise.
Ransom payments rose after two years of decline
After years of downward pressure, S‑RM observed a notable rise in ransom‑payment rates back toward 2022 levels. 24% of victims paid in 2025 (up from 14% in 2024), and the average ransom was USD 296,000.
Despite this uptick, the vast majority of victims had viable backups. 69% had mostly viable restoration capabilities. But data exfiltration has become the primary lever of extortion, with 80% of ransomware incidents involving confirmed data theft.
The interplay of reputational risk, sanctions risk and operational downtime continues to shape these decisions, alongside the increasing importance of communications governance in determining whether payment is considered.
Sector‑specific insights
Five sectors dominated incident volumes in 2025:
- Financial services – the highest rate of missing EDR coverage (56%).
- Professional services – law firms saw disproportionately high BEC exposure (49%).
- Construction & real estate – elevated VPN‑related compromise (87%).
- Healthcare – targeted by the highest number of unique threat actors (21).
- Industrials and manufacturing – highest ransom‑payment rate (37%), driven by business‑interruption impacts.
These disparities underline the fact that sector‑specific operating models shape risk, and regulatory expectations increasingly reflect that nuance.
What organisations may wish to consider in light of the report’s findings
Reflecting the report’s insights, organisations may wish to evaluate – in line with their size, risk appetite, regulatory exposure and technical architecture – whether the following areas merit enhanced attention in 2026:
- Identity security: Adoption of phishing‑resistant MFA, enforcement of MFA across remote access, and review of session‑token lifecycles to mitigate AiTM‑enabled BEC.
- Detection and response maturity: Assessing the completeness of EDR deployment, ensuring active monitoring, auditing configuration drift and verifying anti‑tamper coverage.
- Remote access resilience: Hardening or retiring vulnerable VPN and RDP pathways; reviewing patch cadences for public‑facing infrastructure.
- Backup and restoration assurance: Regularly testing restoration procedures for critical business functions; validating assumptions around recovery time and data integrity.
- Incident‑response readiness: Running exercises that reflect fragmented, unpredictable adversaries rather than single‑actor scenarios; integrating technical and stakeholder‑communications planning.
- Extortion governance: Reviewing decision frameworks, considering sanctions constraints and preparing for scenarios where payment is unavailable or ineffective.
Each of these areas should be calibrated to organisational context – the report provides useful empirical signals, but not universal prescriptions.
Credit: This summary is based on the S-RM Cyber Incident Insights Report 2026. For the full report visit S-RM | Cyber Incident Insights Report 2026.