Ransomware victims spot attacks only after data theft

Thu, 25th Jun 2026
Mark Tarre, News Chief

ExtraHop has released its 2026 Global Threat Landscape Report, which found that 49% of ransomware victims detected attacks only after data had been stolen.

The survey of more than 1,800 security and IT leaders at organisations with more than 1,000 employees also found that 14% did not know an attack had occurred until a ransom demand arrived, up from 6% a year earlier.

On average, attackers remained inside enterprise networks for nearly two and a half weeks before being detected in ransomware incidents. The findings point to persistent delays in identifying breaches even as companies adopt more AI tools across their security operations.

AI systems emerged as a major concern. More than half of respondents, 55%, said AI agents, agentic infrastructure and generative AI applications represented the biggest cybersecurity risk to their organisation.

A larger share, 85%, said they had already seen a security incident, data exposure or near miss in which the root cause was an AI system. These incidents included AI-enhanced external attacks, compromised AI identity and session theft, supply chain breaches involving integrated AI, shadow AI exposure, and failures in agentic or API logic.

Threat trends

The report ranked LockBit and RansomHub as the two most detected threat groups inside enterprise networks for the second consecutive year. Lazarus Group, DarkSpectre and Midnight Blizzard completed the top five, while detections linked to APT41 fell 50% year on year.

The pattern suggests criminal groups are sustaining a high level of activity while some state-backed actors take a different approach. The data also reflects a broader shift in attacker methods, with organisations reporting more encrypted traffic, greater misuse of valid credentials and more activity that resembles authorised workflows.

Asked why a critical alert was delayed or not investigated quickly, 41% of respondents cited attackers using encrypted channels to evade detection. Another 38% said malicious activity looked like legitimate processes, 34% pointed to abuse of high-privilege accounts, 30% blamed alert fatigue, and 27% said weak baseline behaviour monitoring let anomalies slip through.

Ransom payments

Ransom payments became more common even as the average amount fell. According to respondents, 83% of victims paid a ransom, up from 70%, while the average payment declined to USD $2.8 million from USD $3.6 million.

Downtime per incident averaged almost 30 hours. The combination of operational disruption and financial pressure remains a central factor in decisions to pay attackers.

The report also examined how far AI-based security tools have changed day-to-day work in security operations centres. Despite wider adoption of AI and automated workflows, many respondents said they still needed substantial manual intervention throughout the threat lifecycle.

Manual work remained common across detection, alert triage, investigation and response: 42% for detection, 43% for triage, 49% for investigation and 47% for response.

That workload appears to be limiting time for proactive tasks. Respondents said analysts spend just 44% of their time on activities such as threat hunting and detection engineering, leaving most of their working hours focused on reactive triage and manual data gathering.

Alert burden

AI-generated alerts were also cited as a source of delay rather than a solution in some cases. Nearly a third of respondents, 30%, said false positives from AI-generated alerts had harmed overall investigation timelines.

The findings add to a broader debate in the cybersecurity market over whether AI is reducing pressure on overstretched teams or simply creating a new set of operational problems. Businesses are adding AI systems to products, workflows and infrastructure at the same time as threat actors experiment with the technology in phishing, credential theft and ransomware campaigns.

The research covered organisations in the US, UK, France, Germany, Singapore, Australia and the UAE. All respondents were security and IT leaders at Director level or above.

Raja Mukerji, Co-founder and Chief Scientist at ExtraHop, linked the findings to a broader problem in cyber defence.

"When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth," said Mukerji.

"As threat actors leverage AI to scale their operations, defenders are countering with automated operations that don't have the context required to make definitive decisions. The network bridges this critical gap, revealing exactly how threats are moving and communicating so security teams have the full picture. Until we enrich our security tooling and AI agents with deep, real-time network context, attackers will continue to have the upper hand."