The ransomware economics shift — and the uncomfortable question about victims
Attacks keep climbing. Payments keep falling. Most of the story is straightforward — better backups, harder sanctions, smarter refusals. But a newer strand running through recent DOJ filings is harder to talk about: sometimes the "victim" is part of the operation.
Volumes are up, but payment rates have collapsed. In 2022, 79% of identified ransomware victims paid. In 2025, only 28% did. Chainalysis recorded the first-ever year-over-year drop in ransom revenue in 2024 ($813M, down 35% from $1.25B in 2023).
Ransomware also sits inside a broader crypto-laundering economy that sanctioned states depend on. North Korea stole $2.02B in crypto in 2025 (≈13% of its GDP). Russian exchange Garantex processed $100M+ in illicit flows before OFAC re-designated it and sanctioned its successor Grinex in August 2025.
The angle most coverage misses: victims and perpetrators are no longer cleanly separable. In November 2025, ransomware negotiators at DigitalMint and Sygnia, two of the most trusted US incident-response firms, were indicted for allegedly working both sides of attacks they were hired to resolve.
AI is part of the picture, but not yet decisive. FunkSec became the most active ransomware group of December 2024 using AI-assisted code, and jailbroken models like WormGPT 4 sell for $220 lifetime. The practical effect so far is democratisation — more amateurs shipping functional ransomware — not more sophisticated attacks. See the AI dimension section for detail, and our companion article Is AI speeding up cyber attacks? for the phishing and access-side picture.
Most Icelandic organisations will never face a corrupt ransomware negotiator or a state-sponsored laundering operation. They will face a stolen credential, an unpatched service, and a Tuesday morning. Three controls defeat most of that — and they are cheap:
- Phishing-resistant MFA (FIDO2 hardware keys) on every admin, email and finance account. Not SMS.
- Offline, immutable backups, restore-tested monthly — not annually, not "we have a backup somewhere."
- A written ransomware-payment policy approved by the board before an incident, not during.
The rest of this article explains why those three defences are correct and what the global picture looks like. If you already have them in place, you are doing better than most.
Ransomware victim disclosures tracked here
We ingest ransomware leak-site postings from ransomware.live every 30 minutes. The numbers below reflect our own stored observations since February 2026.
[Charts in the original: Most active groups; Targeted sectors; Monthly disclosures]
Qilin and TheGentlemen dominate current operations. Manufacturing and Technology are the top targets — sectors with the highest cost-per-hour of downtime and the most pressure to pay quickly. Our data does not cover Iceland well because ransomware.live relies on the groups' own leak sites; Icelandic victims who negotiate privately or have data withheld never appear in these counts.
Total ransom paid per year (global)
Chainalysis tracks cryptocurrency flows to known ransomware wallets. Figures are revised upward over time as more incidents are attributed.
2023 was the record year at $1.25B. 2024 saw the first-ever year-over-year drop, down 35% to $813M. 2025 is tracking around $820–900M. Much of the 2024 decline happened after July, following the LockBit disruption (H2 LockBit payments fell ≈79%), the earlier ChipMixer and Sinbad mixer takedowns, and international law-enforcement pressure on affiliate programs.
Percentage of victims who actually pay
Coveware (acquired by Veeam) reports quarterly data from real ransomware engagements.
The collapse from 78.9% paying (2022) to 28% (2025) is the most consequential shift of the decade. Better backups, board-level refusal, OFAC sanctions deterrence, and the growing assumption that paying doesn't prevent a leak — all of these push the rate down. When victims do pay, the average payment has climbed: $1.13M average in Q2 2025 (+104% from Q1). Attackers compensate by targeting fewer, richer victims.
The $500 problem: Initial Access Brokers
You rarely need to "hack" anything to run ransomware in 2026. You buy the access, pre-authenticated, on a dark-web forum.
For the price of a dinner, an attacker can buy an RDP session into a small Icelandic business. For the price of a used car, they can buy domain administrator access to a mid-market enterprise. The ransomware actor is no longer a skilled intruder — they are a renter of other people's intrusions. This is why segmentation, MFA on every exposed service, and continuous credential-leak monitoring matter far more than any single patch.
The AI dimension — concrete, but not yet decisive
If 2022–2024 was the era when network access became a commodity, 2024–2025 is when ransomware code itself did. This is not the AI-hype version of the story. The measurable impact is smaller than the headlines suggest, but it is real, and it points in a specific direction.
FunkSec: the first credible AI-assisted ransomware group
In December 2024, a new group called FunkSec published 85 victims on its leak site — briefly making it the most prolific ransomware actor that month. Check Point Research identified the FunkSec encryptor as AI-assisted: written in Rust, with telltale artefacts in the build environment (paths referencing C:\Users\Abdellah\) that a seasoned malware author would have sanitised. The supposed author appears to be an Algerian amateur rather than an established crew. Ransom demands were unusually low — often $10,000 — and a significant portion of the "leaked" data turned out to be recycled hacktivism material. The group's growth was real; its technical sophistication was not.
Malicious-LLM-as-a-service
A parallel ecosystem of jailbroken models is now sold openly on underground forums. WormGPT 4 is the most visible, priced at $50/month or $220 for lifetime access. Variants include FraudGPT, WolfGPT and KawaiiGPT, largely built on top of open-weight base models (Mixtral, Grok-adjacent forks) with the safety layers removed. Operationally they produce ransomware skeletons, phishing copy, and lateral-movement snippets without guardrails. What they do not do, realistically, is outperform what a competent engineer could fine-tune themselves in an evening. The novelty is the distribution, not the capability.
The first fully documented AI-driven attack chain
In November 2025, Anthropic disclosed that a China-linked threat actor had used its Claude models to autonomously run end-to-end attacks against approximately 30 organisations — from reconnaissance through data exfiltration, with minimal human direction. The incidents were not all ransomware, but the pattern matters: mainstream, well-defended AI platforms have already been turned into attacker infrastructure at least once.
What AI has not done
The payment-rate collapse from 78.9% (2022) to 28% (2025) happened before AI could plausibly have driven it. The drivers were defender-side: better offline backups, OFAC deterrence, insurance pressure, board-level refusal policies. Attackers adopting AI have not reversed those trends, and there is no credible evidence that AI has meaningfully increased ransomware volume or average payment size. It has, so far, done one specific thing: lowered the technical threshold to ship a functional ransomware operation.
An amateur with $500 of IAB credentials and a $220 WormGPT subscription can now assemble a working ransomware operation. FunkSec is proof of the model. The strategic implication for defenders is that the volume of low-skill attackers will increase while the quality of the malware in each attack may decline. Signature-based detection will struggle with AI-generated variants that look different in every compile. Behavioural EDR and segmentation will still catch them, because they still have to move laterally and encrypt files, but the filter-by-reputation assumption ("this is obviously amateur-hour, not a real threat") no longer holds.
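The behavioural point above (whatever the binary looks like, the encryptor still has to rewrite files in bulk) as an added example, not code from the original page: a minimal detector that scores file-system events per process on write entropy and extension-changing renames inside a sliding window, plus a canary file that no legitimate process should touch. The event shape, thresholds, process names and sample events are constructed for illustration; a real deployment would consume EDR or Sysmon telemetry instead.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds; constructed clock
    pid: int
    image: str         # process image name as an EDR/Sysmon sensor would report it
    op: str            # "write" | "rename" | "delete"
    path: str          # target path (destination for renames)
    data: bytes = b""  # bytes written, used for entropy scoring
    src: str = ""      # source path for renames


@dataclass
class Alert:
    pid: int
    image: str
    reason: str
    count: int
    first_ts: float
    last_ts: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware_behaviour(
    events: Iterable[FileEvent],
    window_s: float = 10.0,
    min_files: int = 20,
    min_entropy: float = 7.0,
    canary_paths: FrozenSet[str] = frozenset(),
) -> List[Alert]:
    """Flag a process that, inside a sliding window, produces many high-entropy
    writes or extension-changing renames, or that touches a canary file at all."""
    windows: Dict[int, Deque[float]] = defaultdict(deque)
    alerted: Set[Tuple[int, str]] = set()
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if (e.path in canary_paths or e.src in canary_paths) and (e.pid, "canary") not in alerted:
            alerted.add((e.pid, "canary"))
            alerts.append(Alert(e.pid, e.image, f"canary file touched: {e.src or e.path}", 1, e.ts, e.ts))
        suspicious = (e.op == "write" and shannon_entropy(e.data) >= min_entropy) or (
            e.op == "rename" and bool(e.src) and _ext(e.src) != _ext(e.path)
        )
        if not suspicious:
            continue
        w = windows[e.pid]
        w.append(e.ts)
        while w and e.ts - w[0] > window_s:   # drop events that fell out of the window
            w.popleft()
        if len(w) >= min_files and (e.pid, "mass") not in alerted:
            alerted.add((e.pid, "mass"))
            alerts.append(Alert(e.pid, e.image,
                                f"{len(w)} high-entropy writes / extension renames within {window_s:g}s",
                                len(w), w[0], e.ts))
    return alerts


# Constructed telemetry: a benign editor saving three documents, and an unsigned
# binary rewriting 25 spreadsheets with ciphertext-like bytes and renaming them.
HIGH_ENTROPY = bytes(range(256)) * 4                 # entropy 8.0, like ciphertext
LOW_ENTROPY = b"Quarterly report, draft 3. " * 40    # entropy well under 7.0
CANARY = "C:/Users/anna/Documents/~canary.docx"


def constructed_events() -> List[FileEvent]:
    t0 = 1_700_000_000.0
    ev: List[FileEvent] = []
    for i in range(3):
        ev.append(FileEvent(t0 + i, 1000, "winword.exe", "write",
                            f"C:/Users/anna/Documents/doc{i}.docx", LOW_ENTROPY))
    for i in range(25):
        p = f"C:/Users/anna/Documents/file{i}.xlsx"
        ev.append(FileEvent(t0 + 0.2 * i, 4242, "update.exe", "write", p, HIGH_ENTROPY))
        ev.append(FileEvent(t0 + 0.2 * i + 0.05, 4242, "update.exe", "rename", p + ".locked", src=p))
    ev.append(FileEvent(t0 + 6.0, 4242, "update.exe", "rename", CANARY + ".locked", src=CANARY))
    return ev


if __name__ == "__main__":
    for a in detect_ransomware_behaviour(constructed_events(), canary_paths=frozenset({CANARY})):
        print(f"pid={a.pid} {a.image}: {a.reason}")
```

The detector never looks at the binary, which is the point: a freshly compiled FunkSec-style encryptor and a ten-year-old one produce the same burst of high-entropy writes and renames. Tune `min_files` and `window_s` against your own file-server baselines before alerting on them, and keep the canary path out of any user-visible listing.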
The defence that worked best against past ransomware in Iceland was language: most ransom notes were in broken English, most phishing was obviously foreign. AI has ended that defence. Expect ransom notes, extortion emails and negotiation chat in fluent, culturally aware Icelandic from 2026 onward. Staff training built on "the grammar gives it away" is no longer a control — it is a liability.
Ransomware as money-laundering infrastructure
Ransomware is also how sanctioned states move money. This isn't a hypothesis — OFAC has documented the flows and sanctioned both groups and the exchanges that service them.
North Korea: crypto theft and ransomware as national revenue
- Feb 2025: Bybit hack, $1.5B single theft. The Lazarus Group drained $1.5B in Ethereum from Bybit by compromising third-party wallet software. $160M was laundered through DeFi protocols, cross-chain bridges and dozens of wallets within 48 hours. Largest single cryptocurrency theft on record.
- 2025 total: $2.02B in crypto stolen by North Korea. A 51% increase over 2024 ($1.3B). UN monitors estimate crypto crime now represents about 13% of North Korea's GDP and is funding the nuclear weapons programme.
- Nov 2025: Lazarus deploys Medusa ransomware. Observed operations against US healthcare and non-profit organisations. State-sponsored ransomware is no longer an anomaly.
- Nov 2025: OFAC sanctions 8 individuals and 2 DPRK entities. These include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company, both laundering cybercrime proceeds for the regime.
Russia: Garantex and its successors
- Aug 2025: OFAC re-designates Garantex and sanctions its successor Grinex. Garantex processed over $100M in illicit transactions since 2019, including proceeds from Conti, Black Basta, LockBit, NetWalker and Phoenix Cryptolocker. Three executives and six shell companies in Russia and Kyrgyzstan were also designated.
- Mar 2025: US Secret Service with German and Finnish law enforcement freeze $26M. Coordinated action against Garantex infrastructure. DOJ unseals indictments against Aleksandr Mira Serda and Aleksej Besciokov.
- Feb 2025: OFAC sanctions Zservers (LockBit hosting). Russian bulletproof-hosting provider used by LockBit affiliates. Chainalysis traced over $5M in direct ransomware proceeds flowing to Zservers wallets.
The mixer crackdown and what replaced it
Historically 10–15% of ransomware-laundering flows went through anonymising mixers. After OFAC/FBI actions against Tornado Cash, Sinbad.io and Chipmixer, that share collapsed. The 2025 replacement stack: centralised exchanges (often ones the attackers control or have captured staff at), cross-chain bridges to hop between blockchains, DeFi protocols for fragmentation, and personal wallets held for long cooldown periods before cashing out.
Paying a ransom to a sanctioned group or through a sanctioned exchange is a potential OFAC violation. US sanctions reach any USD-denominated transaction that clears through a US correspondent bank, which includes SWIFT transfers originating from Icelandic banks. FinCEN's ransomware advisory (FIN-2021-A004, revised and re-issued 2025) explicitly warns that financial institutions facilitating ransomware payments may themselves face sanctions exposure. A compliant response requires sanctions screening of the payment destination before funds move, with the result recorded; most Icelandic firms do not have that capability in-house, and neither do most insurance brokers.
When the "victim" is part of the operation
Read this as an industry-level risk, not a direct one. The cases below are US-documented and involve IR firms at the scale of DigitalMint and Sygnia. The direct threat to most Icelandic organisations is not a corrupt negotiator — it is an automated attacker using a purchased credential. This section matters because it shapes how insurers, auditors and regulators will increasingly treat all ransomware cases, including yours, even if no single Icelandic organisation faces an insider-run attack today.
This is the story most ransomware coverage avoids, but it matters for how boards, insurers and regulators should treat reported incidents. In 2025 the DOJ filed a series of indictments that confirm what investigators had suspected for years: the line between victim, responder and attacker is blurred, and sometimes the same person sits on all three sides.
Documented cases
- Nov 2025: DigitalMint and Sygnia negotiators indicted. Kevin Tyler Martin (DigitalMint) and Ryan Clifford Goldberg (Sygnia Cybersecurity), senior ransomware negotiators at two of the most recognised US IR firms, were charged with orchestrating attacks they were then paid to negotiate. The indictment alleges they collaborated with BlackCat/ALPHV operators, leaked client information to maximise ransom demands, and worked as negotiators on at least five victims they had themselves targeted.
- 2023: Florida ransomware negotiator pleads guilty. An employee of a US incident-response firm pleaded guilty to conspiring with BlackCat/ALPHV operators to deploy ransomware and extort the very clients he was contracted to defend.
- 2025: BlackCat "cybersecurity experts" arrested. A group marketing themselves as breach-response professionals was in fact running BlackCat itself, showing up as rescuers after attacks they had staged.
- Ongoing: Medusa triple-extortion pattern. After a victim pays, a separate actor claims the first negotiator stole the money and demands half the ransom a second time. The pattern implies coordination across supposedly adversarial parties, with negotiator and attacker splitting the uplift.
- ProPublica investigation: "ransomware recovery" firms that just pay attackers. Multiple US firms advertising proprietary decryption technology were in practice paying the attackers and taking a margin. A shorter path from this practice to staging an attack for commercial purposes is easy to imagine, and FATF's 2023 ransomware-financing report flags exactly that risk.
A taxonomy of "victim as perpetrator"
| Pattern | Who is the hidden actor? | Evidence level |
|---|---|---|
| Insider leaks credentials for a cut | An employee of the victim | Documented across DOJ filings |
| Compromised IR / negotiation firm | Negotiator working both sides | DigitalMint + Sygnia, Nov 2025 |
| Staged attack for insurance or tax deduction | Victim's own finance or IT leadership | FinCEN 2025 FTA flags the risk; public cases are scarce but investigations are ongoing |
| Shell "IR firm" run by the attacker | The attacker, wearing a white-hat costume | BlackCat cybersecurity-expert arrests |
| Paid "ransomware-as-a-service" on yourself to launder funds | Victim and attacker share the outcome | Theoretical but flagged by FATF (March 2023) and FinCEN (December 2025) |
| Double-charge / triple-extortion collusion | Several actors splitting uplift | FBI on Medusa; CISA StopRansomware advisory |
Single-vendor trust is no longer safe. Any ransomware response that involves a payment should include: (1) an independent secondary adviser unaffiliated with the primary negotiator, (2) OFAC sanctions screening of the destination wallet, documented before funds move, (3) chain-of-custody documentation of who controls the payment wallet at every step, and (4) a legal review explicitly covering the possibility that the attack was staged or facilitated by an insider. Auditors and insurers should treat any payment from a wallet with no prior transaction history, or to an exchange recently added to the OFAC list, as evidence requiring further investigation rather than routine loss.
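The two checks the paragraph above requires before funds move, sanctions screening of the destination wallet and a look at its prior history, as an added example that is not part of the original page; it serves the OFAC discussion in the laundering section as well. It assumes the SDN list's digital-currency addresses appear as ID records of type "Digital Currency Address - <asset>" in OFAC's SDN.XML, which is how the real file is laid out, but the XML excerpt, entity name, addresses, wallet facts and thresholds below are constructed. On-chain history would come from a blockchain-analytics feed in practice.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of OFAC's SDN.XML (assumption about the layout;
# the entity and addresses are invented, not real designations). The parser ignores
# XML namespaces so the real, namespaced file parses the same way.
SDN_XML = """<sdnList>
  <sdnEntry>
    <uid>90001</uid><lastName>EXAMPLE EXCHANGE OOO</lastName><sdnType>Entity</sdnType>
    <idList>
      <id><uid>1</uid><idType>Digital Currency Address - XBT</idType>
          <idNumber>bc1qexampleexampleexampleexampleexample0sanction</idNumber></id>
      <id><uid>2</uid><idType>Digital Currency Address - ETH</idType>
          <idNumber>0xAbCdEf0000000000000000000000000000000001</idNumber></id>
      <id><uid>3</uid><idType>Registration Number</idType><idNumber>1234567890</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>"""


def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]


def normalise(asset: str, address: str) -> str:
    """Canonical form for comparison. Hex (ETH-style) and bech32 addresses are
    case-insensitive; base58 (legacy BTC) is case-sensitive and must be left alone."""
    a = address.strip()
    if a.startswith(("0x", "0X")) or a.lower().startswith(("bc1", "tb1")):
        return a.lower()
    return a


def load_sdn_addresses(xml_text: str) -> Dict[Tuple[str, str], str]:
    """Map (asset, normalised address) -> listed name for every digital-currency ID."""
    listed: Dict[Tuple[str, str], str] = {}
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        name = " ".join((c.text or "").strip() for c in entry
                        if _local(c.tag) in ("firstName", "lastName")).strip()
        for rec in entry.iter():
            if _local(rec.tag) != "id":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in rec}
            id_type = fields.get("idType", "")
            if not id_type.startswith("Digital Currency Address - "):
                continue
            asset = id_type.split(" - ", 1)[1].strip()
            listed[(asset, normalise(asset, fields.get("idNumber", "")))] = name
    return listed


@dataclass
class WalletFacts:
    asset: str                      # SDN asset code, e.g. "XBT" or "ETH"
    address: str
    first_seen: Optional[datetime]  # None = never observed on-chain
    prior_tx_count: int


def screen_payment(facts: WalletFacts, sdn: Dict[Tuple[str, str], str], now: datetime,
                   min_age_days: int = 30, min_prior_tx: int = 5) -> Dict[str, object]:
    """BLOCK on an SDN hit; ESCALATE a fresh or near-empty wallet to the independent
    reviewer; otherwise proceed and keep the record."""
    findings: List[str] = []
    key = (facts.asset, normalise(facts.asset, facts.address))
    if key in sdn:
        return {"decision": "BLOCK", "findings": [f"destination is on the SDN list: {sdn[key]}"]}
    if facts.first_seen is None or facts.prior_tx_count == 0:
        findings.append("destination wallet has no prior on-chain history")
    else:
        age_days = (now - facts.first_seen).days
        if age_days < min_age_days:
            findings.append(f"wallet first seen only {age_days} days ago")
        if facts.prior_tx_count < min_prior_tx:
            findings.append(f"only {facts.prior_tx_count} prior transactions")
    return {"decision": "ESCALATE" if findings else "PROCEED_WITH_RECORD", "findings": findings}


def demo_screening() -> Dict[str, str]:
    """Three constructed cases; returns case name -> decision."""
    sdn = load_sdn_addresses(SDN_XML)
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    cases = {
        # the listed ETH address with its EIP-55 checksum casing stripped
        "listed_eth_lowercased": WalletFacts("ETH", "0xabcdef0000000000000000000000000000000001",
                                             now - timedelta(days=400), 50),
        "fresh_btc_no_history": WalletFacts("XBT", "bc1qfreshwalletexample00000000000000000000", None, 0),
        "established_btc_legacy": WalletFacts("XBT", "1EstablishedLegacyAddressExample0000",
                                              now - timedelta(days=400), 120),
    }
    return {k: str(screen_payment(v, sdn, now)["decision"]) for k, v in cases.items()}


if __name__ == "__main__":
    print(demo_screening())
```

The normalisation step is the part that gets skipped in practice: an ETH address copied without its checksum casing, or a bech32 address uppercased in a chat transcript, is the same destination and must still hit. Persist the screening result, the SDN file version and the wallet facts alongside the payment record; that artefact is what the auditor and the board will ask for later.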
Iceland in the ransomware crosshairs
- 2024: Akira hits Reykjavík University. Akira, a Russian-linked ransomware group, compromised Reykjavík University in 2024, the first publicly attributed ransomware attack on a major Icelandic institution.
- 2021 to 2024: cyber incidents reported to CERT-IS grew from 598 to 2,312. A 287% increase over three years. Icelandic security officials have separately noted that ransomware-specific cases have doubled for four consecutive years.
- 2026: NIS2 scope expands from ~350 to 3,000–4,000 entities. Mid-sized manufacturers, healthcare providers, and municipalities of 50,000+ come under regulatory coverage with the amendment to lög 78/2019: a mandatory 24-hour early warning plus a 72-hour formal report on every significant incident. Mechanics, supervisory authorities and 2026 transposition status are in the defender handbook.
- 2023 onward: Eyvör, the National Cybersecurity Coordination Centre (NCC-IS). Hosted by the University of Iceland and funded by the EU's Digital Europe Programme, it coordinates national cyber-resilience across public and private sectors.
Why so few Icelandic victims appear in leak-site data: most ransomware groups target by language, revenue and internet exposure — not nationality. Icelandic organisations that do get hit tend to be smaller, so any payment is below the thresholds the big leak sites bother publishing, and many attacks are resolved through quiet negotiation without public disclosure. This is about to change under NIS2: mandatory 24-hour reporting will make incidents visible whether the group publishes them or not.
Defensive priorities that actually move the needle
- Tested offline backups (still the #1 defence). Sophos 2025: 97% of organisations recover data, but backup restore is at a six-year low (54%) because ransomware groups now specifically target backup infrastructure. Keep one copy offline, immutable, and restore-tested monthly, not annually.
- MFA that cannot be phished. Since Initial Access Brokers typically sell stolen credentials, the single highest-leverage control is phishing-resistant MFA (FIDO2 hardware keys, Windows Hello for Business with attestation) on every administrative or remote-access account. SMS-based MFA still blocks plain credential stuffing, but it is routinely defeated by adversary-in-the-middle phishing kits and SIM swapping; treat it as a stopgap, not as the control, and do not let it satisfy an "MFA everywhere" checkbox.
- Segmentation: start small, not with a "Zero Trust" programme. Full Zero Trust Architecture (NIST SP 800-207) typically takes 3–5 years to implement even for well-resourced organisations. It is not a quick fix. The practical starting point is measured in weeks: (a) disable lateral SMB/RDP between workstation subnets this quarter, (b) put every internet-facing service behind a proper WAF or ZTNA, (c) isolate backup infrastructure from production authentication. Ransomware groups average 9 days of dwell time before detonation; these three changes decide whether that dwell time ends with one server encrypted or the whole estate. The full Zero Trust programme can follow.
- Credential-leak monitoring. Continuously scan HIBP, stealer-log aggregators, and dark-market listings for your own domains. If your credentials are being sold on Russian Market, you want to know before the IAB sells them to a ransomware affiliate.
- Pre-arranged IR retainer, with independent oversight. After the DigitalMint/Sygnia indictments, best practice for large US organisations has shifted to dual-vendor IR: primary responder plus independent observer. For most Icelandic organisations, dual-vendor IR is not affordable or necessary. The proportional equivalent is a single retained IR firm plus an independent external counsel or auditor who reviews any payment before funds move. The goal is a second pair of eyes, not duplicate infrastructure, and the negotiator should never control the payment wallet alone.
- A decision document made before you are attacked. Write down, board-approved and in advance, the conditions under which you would or would not pay. Include OFAC screening, backup recovery RTO, and reputation analysis. The middle of an attack is the worst time to debate this.
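Restore testing as the list above describes it, as an added example (not from the original page): back up a constructed directory, actually restore the archive, verify every file against a manifest kept apart from the archive, and report whether the last successful test falls inside the monthly window. Paths, data and thresholds are constructed; keeping the manifest on the immutable side, separate from the archive it describes, is this example's own design choice rather than a control the original spells out.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every file under src. Store this manifest with
    the immutable copy, never next to the archive an attacker can rewrite."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def write_backup(src: Path, archive: Path) -> Dict[str, str]:
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: Dict[str, str], restore_dir: Path) -> Dict[str, object]:
    """Actually restore the archive, then compare every file against the manifest.
    A backup that has never been restored has never been tested."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal (3.12+, backported)
        except TypeError:                               # interpreter without the filter argument
            tar.extractall(restore_dir)
    missing: List[str] = []
    mismatched: List[str] = []
    verified = 0
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            mismatched.append(rel)
        else:
            verified += 1
    return {"ok": not missing and not mismatched, "verified": verified,
            "missing": missing, "mismatched": mismatched}


def restore_test_status(days_since_last_ok: Optional[int], max_age_days: int = 30) -> str:
    """What the monthly control says: the last successful restore test must be recent."""
    if days_since_last_ok is None:
        return "NEVER_TESTED"
    return "OK" if days_since_last_ok <= max_age_days else "OVERDUE"


def run_constructed_demo() -> Dict[str, Dict[str, object]]:
    """Back up a tiny constructed data set and restore-verify it, then simulate a
    backup taken after the source had already been silently encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2026-01-31,invoice,1200\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = write_backup(src, root / "backup.tgz")
        good = restore_and_verify(root / "backup.tgz", manifest, root / "restore-good")
        # The attacker rewrote the ledger before the next backup ran; the earlier
        # manifest, held on the immutable side, is what catches it.
        (src / "finance" / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00" * 8)
        with tarfile.open(root / "backup-bad.tgz", "w:gz") as tar:
            tar.add(src, arcname=".")
        bad = restore_and_verify(root / "backup-bad.tgz", manifest, root / "restore-bad")
        return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(run_constructed_demo())
    print(restore_test_status(45))
```

Run `restore_and_verify` from a host that has no write access to the backup store and no production domain credentials, record the result with a timestamp, and feed that timestamp into `restore_test_status` from the monthly control report; an "OK" that is 45 days old is the "we have a backup somewhere" the list warns about.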
Next steps by role
For the board / C-suite
- Start with the three that matter most. Hardware MFA on every admin account, restore-tested offline backups, and a board-approved payment policy. If you do not have all three, nothing else in this list is your biggest problem. Everything else is optimisation.
- Know your NIS2 status. Confirm whether the amended Act 78/2019 applies to you. If yes, approve a cyber risk-management framework and schedule an annual board review. Personal liability for senior management is new in Icelandic law.
- Read your cyber insurance policy. Specifically check coverage for ransomware payments (many policies now exclude or sub-limit these), deepfake-enabled fraud, and OFAC-triggered claim denials. Make sure the insurer does not control the choice of IR firm; that is how conflicts of interest start.
- Decide today whether you would pay. Document the criteria. Include the OFAC screening requirement, maximum authorised amount, and who signs off. If these are not decided in advance, the negotiator decides.
For IT / security leadership
- Run a ransomware tabletop that includes the payment-refusal path. Most tabletops exercise the response. Few exercise the decision. Practise both.
- Retain an IR firm plus an independent payment reviewer. Large organisations can afford a second IR firm as observer; for most Icelandic organisations the proportional version is one retained responder plus an independent external counsel or auditor. Both sign OFAC-screening commitments, and the negotiator never controls the payment wallet alone.
- Immutable backups plus monthly restore tests. Whatever you have, prove it works this month, not last year.
- Replace SMS MFA with hardware keys on admin, mail, and finance accounts. Phishing-resistant MFA is now the single highest-ROI control. Everything else follows from the attacker not having a valid login.
- Inventory every exposed service and put it behind a ZTNA or remove it. Mandiant 2025 IR data: edge devices without EDR telemetry are the #1 initial access vector. Don't be that entry.
For finance / legal / audit
- Pre-authorise counsel familiar with OFAC and NIS2. The sanctions-screening question has to be answered in hours, not weeks. Have a named external counsel on standby.
- Document every ransomware-related payment end-to-end. Wallet ownership, negotiator identity, sanctions-screening artefacts, insurance communications. If your payment later turns out to have gone to a staged attack or a sanctioned entity, the documentation is what protects the directors.
- Audit any past "recovery" expenses for the victim-as-perpetrator pattern. If a past incident shows unusual wallet behaviour, negotiators without independent oversight, or a suspiciously quick resolution, revisit it now, before a regulator does.
Methodology & sources
Dataset 1 (our live data): ransomware.live leak-site feed, ingested every 30 minutes into our own database since February 2026. Counts exclude Icelandic victims not published by the groups themselves — which is most of them.
Dataset 2 (Chainalysis): on-chain tracking of known ransomware wallets. Figures are always revised upward over time as additional incidents are attributed; the 2025 total of ~$820M is expected to climb toward $900M once late attributions are applied.
Dataset 3 (Coveware): quarterly reports based on real IR engagements where Coveware acted as the negotiator. Payment-rate figures are representative of mid-market victims; very small businesses and very large enterprises are underrepresented in both directions.
Victim-as-perpetrator section: based on DOJ indictments and press releases, ProPublica investigative reporting, CISA advisories, the FATF March 2023 report on countering ransomware financing, and FinCEN's December 2025 Financial Trend Analysis. Cases listed are those that are publicly charged or plea-completed; ongoing investigations are not named.
What we did not do: assign attribution to any individual Icelandic incident, name any victim still under NDA, or suggest that any specific IR firm is compromised. The DigitalMint/Sygnia indictments are public facts — the pattern they represent is an industry-wide risk, not an accusation against any other party.
- Chainalysis — Crypto Ransomware 2025
- Chainalysis — 2024 Crypto Money Laundering Report
- Coveware — Quarterly Ransomware Reports
- Sophos — State of Ransomware 2025
- US Treasury — OFAC re-designates Garantex (Aug 2025)
- Chainalysis — OFAC Sanctions Zservers for LockBit facilitation
- FATF — Countering Ransomware Financing (March 2023)
- FinCEN Advisory FIN-2021-A004 (revised 2025)
- DOJ — Ransomware negotiator pleads guilty (2023)
- Chicago Sun-Times — DigitalMint/Sygnia FBI case (Nov 2025)
- ProPublica — Ransomware "recovery" firms that just pay
- Iceland Review — Ransomware cases double for fourth straight year
- Eyvör — National Cybersecurity Coordination Centre of Iceland
- CISA #StopRansomware: Interlock
- TRM Labs — 2025 Crypto Crime Report
- Check Point Research — FunkSec: Alleged Top Ransomware Group Powered by AI
- The Record — Amateurish FunkSec ransomware using AI
- The Hacker News — FunkSec Targets 85 Victims
- TechNadu — WormGPT 4 Offers AI-Generated Ransomware for $220
- Picus Security — Malicious AI Exposed
- Global Initiative — Democratizing cybercrime through AI