Nearly half of ransomware victims have data stolen before they can even detect an intrusion

ExtraHop’s Global Threat Landscape report shows that 49% of ransomware victims only detected attacks after data theft, up from 31% last year.
The average residence time before detection is 2.5 weeks; Attackers exploit encrypted channels, valid accounts and alert fatigue to evade defenses
Ransom payments fell from $3.6 million to $2.8 million, but the frequency of payments increased sharply, with 83% of victims surveyed paying in 2026 compared to 70% in 2025.

Criminals are getting better and better at hiding in their victims’ infrastructure, hiding and stealing files without setting off any alarms.

Earlier today, network detection and response experts ExtraHop released the “Global Threat Landscape Report,” based on a survey of more than 1,800 IT and security leaders worldwide. It states that about half (49%) of organizations hit by ransomware did not detect the threat until after the data was stolen.

That’s an increase from 31% a year ago, ExtraHop noted, demonstrating the progress criminals have made in just 12 months.

Several factors

On average, cybercriminals have 2.5 weeks of silence before being spotted in ransomware incidents, the report said. Additionally, 14% of victims were unaware of an attack until they received a ransom demand, which is also up from 6% a year ago.

“Extended downtime often corresponds to a highly complex threat environment in which critical alerts are obscured,” ExtraHop said in a press release shared with TechRadar Pro. Researchers found several factors that led to delays in investigating critical alerts, including attackers using encrypted channels (41%), attacker activity reflecting legitimate workflows and processes (38%), use of valid high-privilege account permissions (34%), and alert fatigue (30%). Compromised basic behavior also allowed abnormal actions to go unnoticed (27%).

The good news is that the average ransom amount has fallen year over year, from $3.6 million to $2.8 million. However, the bad news is that payment frequency has increased. While in 2025 70% of respondents paid a ransom, this year 83% did the same, at least among those surveyed by ExtraHop.

When Chainalysis recently conducted a similar survey, it said that by 2025, the number of successful ransomware attacks had increased, while the number of payments remained relatively stable, meaning that in absolute numbers fewer companies were paying ransomware attackers.