Ransomware in 2026: What Boards Actually Need to Know

• Ransomware is now a routine operating risk rather than a rare IT event, so boards need to treat it as a core resilience and governance issue.

• Attacks have become more sophisticated, with data theft, extortion and AI-enabled phishing increasing both the pressure on organisations and the speed of attacks.

• The biggest weaknesses are often not just technical gaps but failures in governance, recovery planning, supplier oversight and crisis decision-making.

• Boards that test their preparedness, harden backups, clarify decision rights and rehearse realistic scenarios are far more likely to reduce impact and recover faster.
  

Globally, ransomware is now responsible for 44% of all breaches a 37% increase compared to 2024, underlining that it is now part of routine operating risk rather than a rare incident. In larger organisations, ransomware was a component of 39% of breaches, while for small and midsize businesses, ransomware was involved in 88% of breaches. [Source: Verizon 2025 Data Breach Investigations Report (DBIR).]

Recent UK cyber security survey data shows that around half of UK businesses report some kind of cyber breach or attack in a typical year – about 50% in 2024 [Source: Sophos – State of Ransomware 2024 (government sector breakdown).]

For boards, the question is no longer if you will be hit, but how ready you will be when it happens.

From Disturbing Headlines to Everyday Risk

Ransomware can now:

• Halt factories and logistics chains.
• Disrupt hospitals, pharmacies, and clinical systems.
• Lock up municipal and education services.
• Trigger regulatory investigations and investor scrutiny within days.

A major ransomware event has become a board‑defining moment: how quickly the chair and non‑executives understand the situation, how clearly they set expectations, and how credibly they engage regulators, customers and investors.

Ransomware is Now a Professionalised Ecosystem, Not Lone Hackers

Ransomware is now a structured industry. ITPro’s analysis of the market in 2025 ('Rocketing number of ransomware groups as new smaller players emerge') counted more than 70 active groups, up sharply year‑on‑year. Many operate with:

• Ransomware‑as‑a‑Service (RaaS) – renting out tools and infrastructure to affiliates in exchange for a share of proceeds.
• Negotiation teams – specialists who handle communications with victims using structured playbooks.
• Data leak operations – dedicated sites and staged disclosure campaigns to maximise reputational pressure.

Motivation, capability and persistence on the attacker side are all increasing.

Double and Triple Extortion Have Become the Normal

The simple 'encrypt files, demand payment' model has largely given way to more complex campaigns.

DigitalXRAID’s Annual Threat Pulse 2024 reports that over 80% of ransomware attacks now involve data theft as well as encryption. Many also add further elements such as DDoS attacks or direct harassment of staff and customers – so‑called triple extortion.

In practice, attackers often enter quietly, explore your network, exfiltrate sensitive data and only then reveal themselves, already in a position of leverage.

AI is Driving Scale, Speed and Adaptation

With a ransomware attack, first they need to get through the door. In 2026, phishing is still the primary way in – in recent UK surveys, around 85% of organisations that suffered a breach cited phishing as the main attack vector.

Those attacks are becoming increasingly effective as AI rapidly updates the ransomware toolkit. A KnowBe4 report highlights a double‑digit rise in phishing volumes, with more than 80% of recent campaigns using AI‑powered polymorphic techniques – attackers generate fast‑changing variants of the same scam so it is harder for filters and analysts to spot a repeating pattern.

For boards, this shows up as:

• Highly convincing phishing and social engineering – emails and messages that look and read like genuine internal correspondence, tailored to your sector and even to your executives.
• Faster exploitation of vulnerabilities – AI‑assisted tools that scan for weaknesses and help weaponise them at scale.
• Automation of attack stages – semi‑automated lateral movement, credential theft, and data exfiltration once inside the network.

The net effect of AI is more attempts, better‑crafted communications and a higher probability that attackers will eventually find a way through.

Board Insight: ransomware is now as much about privacy, trust, safety, and continuity of service as it is about IT systems availability.

At the same time, AI and automation are also changing the defence side. IBM’s breach research shows that organisations using security AI and automation can cut the breach lifecycle by around 108 days, with materially lower overall costs. [Source: IBM Cost of a Data Breach – ransomware & AI analysis (2023–24 coverage)]

Boards should be asking management how they are using AI defensively, not just preparing for attackers who use it offensively.

Where Are Your Weak Spots?

When boards review real incidents, their own or peers’, we see the same patterns of vulnerability in both systems and culture.

On the Technical Side

• For complex enterprises, whether financial services, manufacturing, telecoms, retail or critical infrastructure operators, the attack surface has grown with every merger, new platform and outsourcing deal.
• Legacy systems and flat, poorly segmented networks turn a small foothold in one business unit into an enterprise‑wide outage across plants, trading floors, shared services and customer‑facing channels.
• Weak identity and access controls (incomplete MFA, shared or orphaned accounts, poor privileged‑access management) give attackers too many keys into high‑value systems.
• Complex webs of strategic outsourcers, SaaS platforms, cloud providers and key suppliers create hidden concentration risk; a single payments processor, logistics partner or IT service provider can become a single point of failure for the whole group.
• Backups are not as robust as assumed – distributed across data centres and clouds, but still stored on connected systems, not immutable, or never tested end‑to‑end.

UK data shows that while attackers increasingly try to compromise backups, most organisations that recover do so from their own backup and resilience measures rather than by paying. The proportion of UK enterprises paying ransoms has dropped from almost half in 2023 to under a fifth in 2025, as more boards push for robust, tested backup strategies.

That turns backups from a comfort blanket into a potential liability if they are not properly segmented, hardened and exercised under realistic scenarios.

On the Governance and Culture Side

There is no rehearsed ransomware playbook that reflects how the enterprise actually operates across regions, business lines and shared services; roles, decisions and communication paths are improvised under pressure.

• Decision rights – for system shutdowns, restoration priorities, ransom‑related choices and regulator notifications – are unclear, particularly in matrixed organisations with group, regional and business‑unit leadership.
• Crisis communications are under‑prepared; spokespeople, stakeholder maps and holding statements are created on the fly for customers, partners, regulators, investors and staff.
• Board reporting has focused on tools, projects and technical indicators rather than resilience outcomes, business impact and time‑to‑recover for critical services.
• These are not purely technical failings; they are symptoms of how seriously ransomware has (or has not) been treated as an enterprise risk at board level.

Board Questions to Put on the Agenda

Rather than delving into technical details, effective boards focus on clear, practical questions.

You can use the following as a standing agenda aide‑mémoire:

Threat and Exposure

• Which services, geographies, and customer segments would hurt most if hit by ransomware?
• How are we monitoring ransomware trends relevant to our sector and adjusting our controls accordingly (for example, insights from ENISA, sector regulators, and major incidents in our industry)?
• What do recent statistics (for example, Sophos, Verizon DBIR) imply about how often organisations like ours are being tested?

Preparedness and Resilience

• Do we have a documented, rehearsed ransomware playbook covering IT, operations, finance, legal, and communications?
• When was it last tested with ExCo and the board present? What changed as a result?
• How quickly can we detect, contain and recover from an attack on our most important services? What evidence do we have – including realistic exercise results?
• Are our backups segmented, immutable, and regularly tested in realistic scenarios, given how frequently attackers now target them?

Third‑party and Supply‑chain Risk

• Which critical suppliers or partners, if compromised, could be an entry point or amplification path for ransomware?
• How do we assess, contract, and monitor cyber resilience in key suppliers and cloud providers – and how does this align with NIS2, DORA, and other relevant frameworks?

People, Culture and Training

• How are we equipping staff in high‑risk roles (finance, HR, senior executives) to recognise and handle phishing and social‑engineering attempts?
• Is ransomware risk embedded in our broader risk culture and leadership behaviours, or treated as an annual awareness exercise?

When the Worst Happens: A 72‑Hour Board Checklist

No set of controls is perfect. When a serious incident lands, the board’s role is to ensure the response is being run well, not to run it themselves. In the first 72 hours, boards should look for:

Governance and Roles

• A pre‑defined major incident structure, typically chaired by the CEO or COO, with clear workstreams for technical response, operations, legal, communications and customer support.
• Clarity on the board’s role: oversight, major risk appetite decisions (for example, extended shutdown vs partial restart), regulatory posture, and stakeholder expectations.
• A single source of truth for updates, with an agreed cadence, so directors are not relying on conflicting informal channels.

Regulatory and Legal Posture

• A clear view of which regulators and authorities may need to be notified, and on what timelines (for example, data protection regulators, sector regulators, stock exchanges, law‑enforcement bodies).
• Legal advice on ransom‑related decisions, including sanctions, money‑laundering and law‑enforcement considerations.

Stakeholder Communications

• Prepared holding statements and trained spokespeople, updated as facts evolve.
• Joined‑up messaging to customers, employees, suppliers, investors, and the media – avoiding both premature reassurance and damaging silence.

Decisions taken in these first few days – particularly on disclosure, negotiations, and service restoration – will shape regulatory, legal, and reputational outcomes for years.

Conclusion: Turning Statistics into Better Decisions

ENISA continues to place ransomware among the prime threats in Europe’s threat landscape, with significant impact across sectors. Sophos and Verizon’s latest numbers reinforce that ransomware is both common and costly – but they also show that organisations which invest in preparation and resilience are recovering faster and at lower cost.

Boards that deal well with ransomware typically:

• Treat it as a standing agenda item within operational resilience and risk, not an annual technical presentation.
• Set clear expectations of ExCo on preparedness, testing, and third‑party resilience.
• Invest in regular crisis simulations involving both executives and non‑executive directors.
• Use real incidents – their own or others’ – and fresh data as catalysts to lift maturity, not simply as reasons to "move on" once systems are restored.

Frameworks such as NIST’s Cybersecurity Framework 2.0 and EU regulations like NIS2 and DORA reinforce this direction by making governance, resilience testing, and third‑party oversight explicit board responsibilities.

The message for boards in 2026 is straightforward: you cannot eliminate the ransomware threat, but you can materially change the outcome when it arrives.

How Cambridge MC Can Help

Cambridge Management Consulting supports boards and executive teams to move from concern to confidence with practical, senior‑led work that strengthens readiness quickly:

• Cyber Stress Tests – clarifying your "crown jewel" services and stress‑testing how cyber, technology and operations work together under real disruption.
• Ransomware readiness health checks – focusing on identity, segmentation, backups, recovery, and third‑party exposure – with a prioritised remediation plan.
• Board and ExCo simulations – realistic 72‑hour scenarios that sharpen decision‑making, governance, and communications under pressure.

If you’d like a clear view of your readiness – and a practical plan to improve it – Cambridge MC’s Digital Transformation and Cyber Security teams can run a rapid ransomware resilience assessment and board‑level simulation to identify gaps, agree priorities, and build confidence before the next test arrives.

Key References

• Verizon 2025 Data Breach Investigations Report (DBIR)
• UK Government Cyber Security Breaches Survey (via DCMS, 2024 and 2025)
• Trustwave 2025 analysis of UK ransomware trends
• ITPro 2025 coverage of falling ransom payments in UK enterprises
• UK-focused cyber statistics round-ups and sector-specific analysis