Almost half of ransomware victims have their data stolen before they can even detect an intrusion

ExtraHop’s Global Threat Landscape Report shows that 49% of ransomware victims only discovered attacks after data theft, up from 31% last year
Average length of stay before detection is 2.5 weeks; attackers exploit encrypted channels, valid accounts and alert fatigue to avoid defenses
Ransom payments fell from $3.6 million to $2.8 million, but payment rates rose sharply, with 83% of surveyed victims paying in 2026 versus 70% in 2025

Criminals are getting better at hiding in their victims’ infrastructure, lurking and stealing files without triggering any alarms.

Earlier today, network detection and response experts ExtraHop released the “Global Threat Landscape Report,” based on a survey of more than 1,800 IT and security leaders worldwide. It said that around half (49%) of organizations hit by ransomware did not discover the threat until after the data was stolen.

This is up from 31% a year ago, ExtraHop stressed, and shows the improvement criminals have achieved in just 12 months.

Several factors

On average, cybercriminals have 2.5 weeks of downtime before being detected in ransomware incidents, the report said. Additionally, 14% of victims were unaware of an attack before receiving a ransom demand, also up from 6% a year ago.

“Longer dwell times often parallel a highly complex threat environment where critical alerts are hidden,” ExtraHop said in a press release shared with TechRadar Pro. The researchers revealed several factors that led to delays in investigating critical alerts, including attackers using encrypted channels (41%), attacker activity reflecting legitimate workflows and processes (38%), use of valid high-privilege account permissions (34%), and alert fatigue (30%). Undermined baseline behavior also allowed abnormal actions to fly under the radar (27%).

The good news is that the average ransom payment fell year-over-year, from $3.6 million down to $2.8 million. The bad news, however, is that the payment rate increased. While 70% of respondents in 2025 paid the ransom, this year 83% have done the same, at least among ExtraHop’s respondents.

When Chainalysis recently ran a similar study, it said that by 2025 the number of successful ransomware attacks grew while the number of payments remained relatively flat, meaning that in absolute terms – there were fewer companies paying ransomware attackers.