Three numbers that frame the year
Recorded Future's 2026 State of Security (CTA-2026-0212) is the kind of report that rewards reading the data, not just the narrative. On ransomware specifically:
- 289 new ransomware variants identified in 2025 — a 33% year-over-year jump.
- 3,617 extortion claims against US victims alone (the US was the #1 targeted country; Canada sits in the heavily-targeted tier just behind, alongside the UK, Germany, and France).
- Average ransomware payments down ~23% in Q3 2025.
Those numbers tell a contradictory story on first read: more variants, but less money? It only makes sense once you understand the structural shift the report describes.
The criminal market is fragmenting
The big takedowns of 2024 — LockBit and ALPHV — left a market gap. Instead of one or two dominant Ransomware-as-a-Service (RaaS) brands, 2025 produced a long tail of smaller RaaS operations competing for the same affiliates. Recorded Future highlights several new business-model innovations from that competition:
- Qilin's “call lawyer” option — affiliates can request a legal assessment of compromised data, potential lawsuits, regulatory exposure, and recommendations on how to threaten maximum damage to non-paying victims. Ransomware-as-a-Service has become more of a service.
- “Greater flexibility” offerings — affiliates can now choose between deploying ransomware, exfiltrating data only, or providing “extortion only” services. Same access, different monetization.
- Shared tooling — one shared antivirus-killer tool is now deployed across at least eight different ransomware groups. The boundary between groups is blurring.
AI is starting to show up — modestly
The hype around AI-powered ransomware in 2025 outran the reality. The report is refreshingly measured here, but identifies real signal:
- PromptLock — discovered in August 2025, it marks the first known AI-powered ransomware. It uses an LLM to generate malicious scripts in real time during execution. The capability is early-stage but the architecture is new.
- ClickFix in AI summarization tools — researchers identified attackers weaponizing legitimate AI services (Copilot-style summarizers) to deliver ransomware payloads. Your AI productivity stack is now an initial-access vector.
- Skitnet malware — an all-in-one utility used by multiple ransomware groups across phishing, loader, persistence, and execution stages. Modular tradecraft built for the new RaaS market.
Why payments are dropping even as variants explode
This is the most operationally important insight in the report. Ransom payments declined for two reasons:
- Better backups and IR readiness. Organizations that paid in 2022-2024 learned. Many now have immutable backups, tested restore procedures, and IR retainers — so they negotiate or refuse outright.
- Cyber insurance has gotten stricter. Insurers now require demonstrable controls before paying out for ransom or recovery. That structural pressure pushes the average payment down.
For 2026, Recorded Future forecasts payments “likely to decline further” — which is exactly why operators are getting more creative with extortion, data threats, and legal-pressure tactics. Less money per victim means they need more victims and more pressure per victim.
What this means for Canadian organizations
Three things shift for defenders:
- Detection has to assume modular tools. If you're tuning to detect specific ransomware family signatures, you're a year behind. The same loader/AV-killer/exfil tool now shows up across multiple unrelated groups. Behavioural detection (suspicious encryption operations, mass file modifications, anomalous PowerShell) is the only durable layer.
- Plan for double and triple extortion, not just encryption. The “extortion only” option some affiliates now offer means attackers may never deploy encryption at all — they just take your data and threaten you with it. Your DLP and data classification matter as much as your endpoint protection.
- Test your ability to refuse payment. If immutable backups, tested restores, an IR retainer, and a clear non-pay decision framework aren't already documented and rehearsed, get that done before you're being asked to wire crypto at 2am.
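To make the first point concrete, here is an added example (not from the Recorded Future report or from CyberSafe) of family-agnostic detection: it flags any process that rewrites many files and renames them to a new extension inside a short window, without looking at process names, hashes or signatures. The event tuple layout, the thresholds and the sample telemetry are constructed assumptions for illustration.

```python
from collections import defaultdict, deque
import os

WINDOW_S = 60          # sliding window length in seconds (assumed tuning value)
MIN_FILES = 20         # distinct files rewritten inside the window (assumed)
MIN_EXT_CHANGE = 0.5   # share of those files also renamed to a new extension (assumed)

def detect_mass_modification(events):
    """Return the set of (pid, image) whose file activity matches the behaviour.

    events: iterable of (ts_seconds, pid, image, op, path, new_path), sorted by ts.
    Nothing here keys on the image name, a hash or ransom-note text.
    """
    recent = defaultdict(deque)          # pid -> events still inside the window
    flagged = set()
    for ts, pid, image, op, path, new_path in events:
        q = recent[pid]
        q.append((ts, op, path, new_path))
        while q and ts - q[0][0] > WINDOW_S:
            q.popleft()                  # expire events older than the window
        written = {p for _, o, p, _ in q if o == "write"}
        renamed = {p for _, o, p, n in q
                   if o == "rename"
                   and os.path.splitext(p)[1] != os.path.splitext(n)[1]}
        if (len(written) >= MIN_FILES
                and len(written & renamed) >= MIN_EXT_CHANGE * len(written)):
            flagged.add((pid, image))
    return flagged

def build_sample_events():
    """Constructed telemetry (not real logs): a slow backup job and a fast rewriter."""
    ev = []
    for i in range(30):   # backup agent: 30 writes spread over 30 minutes, no renames
        ev.append((i * 60.0, 410, "backup-agent", "write", f"/srv/backup/set{i}.bak", None))
    for i in range(30):   # unknown binary: rewrites and renames 30 documents in ~15 s
        t = 900.0 + i * 0.5
        src = f"/srv/share/finance/doc{i}.xlsx"
        ev.append((t, 7331, "svc-update", "write", src, None))
        ev.append((t + 0.1, 7331, "svc-update", "rename", src, src + ".locked"))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for pid, image in detect_mass_modification(build_sample_events()):
        print(f"ALERT pid={pid} image={image}: mass rewrite with extension change")
```

Requiring the rename-with-new-extension signal alongside the write burst keeps bulk writers such as sync clients or build jobs from alerting; in production the thresholds need tuning against your own baseline.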
How CyberSafe helps
Our Managed Security service provides 24/7 monitoring tuned for the modular, behavioural-detection world ransomware now lives in. Our Cyber Defense Services add proactive threat hunting and IR retainers so you don't negotiate scope during a crisis. And our earlier coverage of Canada's #2 global ransomware ranking in Fortinet's 2026 report gives the Canadian-specific context this story sits inside.