The ransomware economy paid out around USD 820 million on-chain in 2025, down 8% from the year before. Attacks rose roughly 50% across the same period. Coveware reports that fewer than one in four victims now pay. Read those three numbers together and the shape of the change becomes legible: the population of victims who can be coerced into paying has thinned, while the population of victims being attacked has expanded. The extortion industry has had to work harder for less.
The response to that pressure is visible, in plain text, in the ransom notes themselves. Read across actors, the operating model is not what it was three years ago. The notes are no longer encryption demands. They are pricing letters anchored to the victim’s own financial documents, post-incident consulting pitches, anti-counsel arguments, and publication threats — all four at once. Each function corresponds to a service tier the actor has built or borrowed. Each has implications for the surface a corporate audit needs to map.
This piece reads four current ransom notes — from DragonForce, Cl0p, RansomHub, and Warlock Group — alongside the public extortion infrastructure of ShinyHunters. Quoted text below has been redacted of all operational addresses, contact identifiers, unique negotiation tokens, and verification artefacts. What remains is the language.
The economic forcing function
Three sources triangulate the same shift. Chainalysis’s 2026 Crypto Crime Report recorded ransomware payments of approximately USD 820 million for 2025, down from roughly USD 892 million the year before. The same data set shows attack volume up around 50% year on year, with 2025 the most active year on record. Median ransom payments rose from USD 12,738 in 2024 to USD 59,565 in 2025 — gangs are concentrating effort on larger targets.
Coveware’s quarterly tracking shows the payment rate falling to 23% in Q3 2025 and approximately 20% in Q4. Both are record lows.
The implication is structural. With fewer victims paying and more victims being hit, an actor’s revenue per attack must come from somewhere. It comes from two adjustments: bigger targets, and more pressure per victim. Europol’s IOCTA 2026 describes the pressure adjustment in operational terms: “Most ransomware groups still deploy multi-layered extortion tactics, with data exfiltration as a key element of coercion. Many victims are more willing to pay for their data not to be released (publicly leaked), in contrast to the early days of ransomware, when the extortion focused on the need of the victim for the data to be released (i.e. decrypted) back to them.”
That last clause inverts the original ransomware model. The note has become an instrument of disclosure, not an instrument of recovery.
Reading the new ransom note
Read across actors, the modern ransom note has four functions that an earlier generation of notes did not have, or had only in rudimentary form. The first is pricing logic anchored to the victim’s own data.
A note from DragonForce states it directly:
At the conclusion of our negotiations we agree on a price, we set the price ourselves based on your income/your insurance. We scrutinize your documents and are well aware of how much income your company has per year.
A Cl0p note from the Cleo Harmony exploitation campaign frames the same logic in shorter form:
How much to pay? % of you revenues and how much data we take. Speak on chat. Fast reply will receive discount.
These are not opportunistic numbers. The price is computed from material the actor has already exfiltrated and read. IOCTA describes a service tier launched by DragonForce in August 2025 that productises this analysis: affiliates pay over 20% of the ransom for exfiltrated data analysis and the creation of tailored extortion materials — including call scripts, draft letters, and advice reports. The pricing-letter function is therefore not just a tone choice. It is an inputs-to-outputs service. The victim’s own financial records become the price model.
Earlier in 2025, DragonForce had restructured into a platform model: in March it announced a partner programme inviting other ransomware operations to operate under their own branding on DragonForce infrastructure, and by May had publicly claimed RansomHub — which had gone dark on 1 April amid reported affiliate conflict — as one such participant (Cyber Daily, May 2025). The pricing tier and the coalition tier are facets of the same shift: ransomware operators are increasingly platform operators, and the line between brand, affiliate, and service-customer is less stable than the older RaaS model implied.
The second function is a post-payment remediation tier. DragonForce, in a separate note, lists a six-step process that closes with:
We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
RansomHub offers the same proposition in different language:
after data decryption and system restoration, we will delete all of your data from our servers forever; provide valuable advising on your company IT protection so no one can attack your again.
Warlock Group formalises it further:
Professional Support: Our technical team will assist you throughout the recovery process to ensure your systems are fully restored. Confidentiality: After the transaction, we will maintain strict confidentiality regarding this incident, ensuring no information is disclosed.
Cl0p, in the Cleo campaign note, lists guarantees in a similar register: data deletion with video proof, backdoor disclosure, “never attack you again”. Four actors, four versions of the same architecture: the same group that breached the network now positions itself as the post-incident vendor, with explicit promises of confidentiality and threat-actor non-recurrence. The structural similarity is unlikely to be coincidence. It is what the market — including the customers, who are themselves criminal affiliates — appears to want.
The third function is a publication threat that is the centre of gravity rather than a fallback. A Cl0p note from a pure-exfiltration intrusion (no encryption performed) does not promise decryption at all:
We are the ones who hacked you and DOWNLOAD yor data! We DOWNLOADED - 1,65 Tb. We DOWNLOADED - Your financial documentation, HR Documents, Accounting, your mails, Databases, private correspondence about transactions, employee documents, company documents, Internal manuals, production data, and much more. If necessary, we are ready to provide all the evidence.
The encryption step has been retired in this variant. The note exists only to communicate that publication is possible and imminent.
The fourth function is the rhetorical work the note performs to keep the victim away from outside help.
The anti-counsel layer
Open one of the more elaborate ransom notes in current circulation and you will find paragraphs whose only purpose is to argue against the victim engaging law enforcement, regulators, recovery firms, or third-party counsel. RansomHub’s note carries the most explicit version:
Want to go to authorities for protection? Seeking their help will only make the situation worse, they will try to prevent you from negotiating with us, because the negotiations will make them look incompetent. After the incident report is handed over to the government department, you will be fined — this will be a huge amount. Read more about the GDRP legislation [link to Wikipedia GDPR article]. The government uses your fine to reward them.
Don’t go to recovery companies, they are essentially just middlemen who will make money off you and cheat you.
The argument inverts the standard breach-response playbook step by step. Notification triggers fines; therefore notification is harmful. Recovery firms are intermediaries who skim; therefore direct negotiation is cheaper. Decryption from third parties corrupts data; therefore only the actor’s tooling will work.
ShinyHunters’ public-facing FAQ, hosted on their leak site, makes the same argument in a different idiom:
Is law enforcement involvement effective? Organizations may choose any path, however we always highly advise you to work with us instead. Historically, outside involvement seldom affects availability and can add delay and exposure.
Can legal action force removal? No. Historically, many western countries have sent us court injunctions to prevent or censor the publication of their data. This does not stop us. Nothing will. We are not within your jurisdiction. Stop being naive.
This is not improvisation. It is a consistent rhetorical layer designed to isolate the victim — from the regulator who would be told under GDPR Article 33, from the data subjects who would be told under Article 34, from the incident response firm that would price the breach honestly, from the law enforcement agency that would advise against payment. A corporate audit that treats breach response as a process diagram understates the social engineering pressure that will surround that diagram in the moment it has to be executed.
The supply-chain dimension: when the breach is not in your network
If the new ransom note is the operating manual, the ShinyHunters / Salesforce campaign of 2025 is the case study. It also makes the supply-chain dimension concrete.
The campaign began in mid-2025. The FBI and CISA issued a joint advisory describing two clusters they tracked as UNC6040 and UNC6395. The pattern: voice-phishing calls to employees of large enterprises, persuading them to authorise a malicious OAuth-connected application against their company’s Salesforce instance. Once authorised, the attacker exfiltrated customer relationship records using Salesforce’s standard Data Loader tooling. No Salesforce vulnerability was exploited. The compromise was of authentication, not infrastructure.
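As an added illustration (not from the advisory or this article), a defender-side heuristic over constructed audit events for the pattern just described: a freshly authorised connected app followed by high-volume bulk export of CRM objects. The event schema, app names and allow-list are constructed and simplified; they are not Salesforce’s actual EventLogFile layout and would need mapping onto a real Event Monitoring export.

```python
"""Added detection sketch for the UNC6040-style pattern: an employee authorises
an OAuth connected app, and that app is then used to bulk-export CRM objects.
The event schema is a constructed simplification, NOT Salesforce's real
EventLogFile columns; map your own export onto the tuple below."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_type, user, connected_app, entity, rows)
SAMPLE_EVENTS = [
    ("2025-06-10T09:02:00Z", "ConnectedAppAuthorized", "jsmith@example.com", "Bulk Loader (user-authorised)", None, 0),
    ("2025-06-10T09:05:00Z", "BulkApiExport", "jsmith@example.com", "Bulk Loader (user-authorised)", "Account", 120_000),
    ("2025-06-10T09:40:00Z", "BulkApiExport", "jsmith@example.com", "Bulk Loader (user-authorised)", "Contact", 450_000),
    ("2025-06-10T10:00:00Z", "BulkApiExport", "svc-mkt@example.com", "Marketing Sync", "Lead", 5_000),
    ("2025-06-08T14:00:00Z", "ConnectedAppAuthorized", "apatel@example.com", "Finance Export", None, 0),
    ("2025-06-09T08:00:00Z", "BulkApiExport", "apatel@example.com", "Finance Export", "Opportunity", 2_000),
]

APPROVED_APPS = {"Marketing Sync"}  # hypothetical allow-list of vetted connected apps
CRM_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_exports(events, row_threshold=100_000, window_hours=72):
    """Flag connected apps that bulk-export >= row_threshold CRM rows and are
    either newly authorised (first export within window_hours of the grant)
    or absent from the allow-list. Returns one finding per app."""
    authorised_at, first_export = {}, {}
    rows_by_app = defaultdict(int)
    users_by_app = defaultdict(set)
    for ts, etype, user, app, entity, rows in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if etype == "ConnectedAppAuthorized":
            authorised_at.setdefault(app, t)          # keep the earliest grant
        elif etype == "BulkApiExport" and entity in CRM_OBJECTS:
            rows_by_app[app] += rows
            first_export.setdefault(app, t)
            users_by_app[app].add(user)
    findings = []
    for app, rows in rows_by_app.items():
        if rows < row_threshold:
            continue                                  # volume is the gate; reasons refine it
        reasons = []
        grant = authorised_at.get(app)
        if grant is not None and first_export[app] - grant <= timedelta(hours=window_hours):
            reasons.append(f"first export {first_export[app] - grant} after authorisation")
        if app not in APPROVED_APPS:
            reasons.append("connected app not on allow-list")
        if reasons:
            findings.append({"app": app, "rows": rows,
                             "users": sorted(users_by_app[app]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_exports(SAMPLE_EVENTS):
        print(f"{f['app']}: {f['rows']} CRM rows by {', '.join(f['users'])} -> {'; '.join(f['reasons'])}")
```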
ShinyHunters subsequently launched a public leak site listing 39 victim companies, reported by Help Net Security in October 2025 and corroborated by BleepingComputer and SecurityWeek. The named list includes FedEx, Disney/Hulu, Google, Cisco, Toyota, Marriott, Home Depot, Adidas, the LVMH luxury brands (Louis Vuitton, Dior, Tiffany & Co.), Chanel, Pandora, Workday, Qantas (5.7 million customer records), and Jaguar Land Rover. The total volume claimed across the campaign is approximately one billion records.
Two artefacts from the leak site illustrate how the public-extortion model functions in practice.
For Aman Resorts, the entry reads:
Over 250k+ Salesforce records containing PII was compromised. The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don’t care.
This is a completed extortion that resolved in publication.
For Cushman & Wakefield, the entry, dated 3 May 2026, reads:
Over 500k Salesforce records containing PII and other internal corporate data have been compromised. This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline. FINAL WARNING PAY OR LEAK.
This is a live extortion in progress at the time of writing, with a three-day countdown.
The ShinyHunters welcome page reduces the entire model to one sentence:
It’s very simple. When you pay us, your data is deleted, and you move on with your life. When you don’t pay us, you get posted here, among other things.
For an executive whose personal details, transaction history, contact information, or family records sit inside the customer relationship management system of a hotel, an airline, a luxury house, an insurance broker, or a real estate firm, the breach is not in their organisation’s network. It is in a third party’s SaaS, accessed via someone else’s authenticated employee, exfiltrated under standard administrative tooling, then weaponised against the named individuals whose details happen to be in the dataset. Their employer’s incident response plan will not be triggered, because their employer was not breached. The exposure surface that matters is one the corporate audit framework, in its standard form, does not look at.
The named individual is the lever
The ransom note pricing tier and the SaaS-vector campaign meet at a single point: the named individual. Once a dataset of customer or employee records has been exfiltrated, it can be mined for the contact details of executives, board members, in-house counsel, and family members. What follows is documented across multiple sources.
Sophos’s 2024 reporting recorded the weaponisation of stolen data against named individuals — doxing of executives’ families, threats to report tax or regulatory irregularities found in the stolen documents to authorities, and cold-call campaigns directed at executives’ personal phones. The Register reported in May 2024 that ransomware operators have SIM-swapped the phones of executives’ children in order to call the parent from the child’s number. Halcyon’s incident tracking corroborates the same pattern. Cybersecurity Dive reported in 2025 on a wide extortion campaign by actors claiming Cl0p ties that contacted executives directly rather than the breached organisation’s incident response channel.
This pressure converges with a legal-framework asymmetry. Under the EDPB’s Guidelines 9/2022 v2.0, a personal data breach likely to result in high risk to the rights and freedoms of natural persons must be communicated to the affected data subjects “without undue delay” — a standard that is deliberately less specific than the 72-hour clock for regulator notification under Article 33. Ransomware actors have observed the gap. By contacting data subjects directly before the controller’s Article 34 communication has been finalised, the actor frames the disclosure narrative first. The data subject hears about their exposure from the attacker, not from the company that lost control of their data. The implications for trust, for litigation posture, and for press handling do not need to be argued. They are the point.
For corporate audits, the named-individual lever changes which assets matter. The principal’s personal exposure surface — the brokerage records, the property filings, the family member listings, the historical breach corpora that contain any of those — is no longer adjacent to the corporate breach risk. It is the same surface, mapped from the other side.
What this changes for corporate audit
The conventional model of corporate breach risk treats the perimeter as the unit of analysis. A 2026 audit that holds to that model will fail to see what the four notes above describe in plain text.
It will not price the third-party SaaS surface where the principal’s data actually lives — the customer relationship platforms, the loyalty databases, the broker records, the airline frequent-traveller systems, the marketing automation tools — most of which the principal’s own organisation did not authorise, did not provision, and has no visibility into. The ShinyHunters / Salesforce campaign is one cluster of one vector. There will be others.
It will not map the personal exposure surface of named principals from the attacker’s side: what sits in the public-record stack, the breach-corpora stack, the people-search platforms, the family-member layer. That is precisely the stack from which call scripts, draft letters, and advice reports are now written, sold, and deployed at 20% of ransom value.
It will not stress-test the breach-response process against the social engineering layer that will surround it. The anti-counsel rhetoric in the ransom note is not incidental. It is the actor’s attempt to interfere with the audit’s own remediation pathway in real time.
The 2026 ransom note tells you what the audit needs to cover. The audit needs to read it.
Sources
- Europol — IOCTA 2026 (primary).
Payment economics
- Chainalysis — Crypto Ransomware: 2026 Crypto Crime Report.
- Chainalysis — 35.82% YoY decrease in ransomware payments (2025).
- Coveware — Targeted social engineering is en vogue as ransom payment sizes increase (July 2025).
- The Record — Ransomware payments dropped in 2025 as attacks reached record levels.
ShinyHunters / Salesforce campaign
- FBI / CISA joint advisory on UNC6040 and UNC6395 (12 September 2025).
- Help Net Security — Hackers launch data leak site to extort 39 victims of Salesforce.
- BleepingComputer — ShinyHunters claims ongoing Salesforce Aura data theft attacks.
- SecurityWeek — Hundreds of Salesforce customers allegedly targeted in new data theft campaign.
- Salesforce Ben — Salesforce data theft roundup 2025.
Ransomware actor consolidation
Named-individual targeting and family pressure
- Sophos — Ransomware groups weaponize stolen data to increase pressure on targets.
- The Register — Ransomware crooks SIM swap kids to pressure parents.
- Halcyon — Ransomware operators targeting children of corporate executives.
- Cybersecurity Dive — Hackers claiming ties to Clop launch wide extortion campaign targeting corporate executives.
GDPR notification framework
- European Data Protection Board — Guidelines 9/2022 on personal data breach notification under GDPR (v2.0, April 2023).
- GDPR Article 33 — Notification of a personal data breach to the supervisory authority.
- GDPR Article 34 — Communication of a personal data breach to the data subject.
Editorial note on actor artefacts. The DragonForce, Cl0p, RansomHub, Warlock Group, and ShinyHunters quotations above are reproduced from publicly distributed ransom notes and from the ShinyHunters public leak site. The artefacts span a multi-year window: the DragonForce notes carry internal deadline markers of 26 April 2025 and 21 January 2024 respectively; the Cl0p Cleo Harmony note dates to the late-2024 exploitation campaign; the Cl0p classic-encryption and pure-exfiltration variants are undated; the RansomHub note dates to RansomHub’s active operational window (February 2024 through approximately 1 April 2025, when the group’s negotiation infrastructure went offline amid reported affiliate conflict and a subsequent claim of partnership with DragonForce); the Warlock Group note is undated; the ShinyHunters FAQ and leak entries cited are dated April–May 2026 per leak-site timestamps. Onion-service URLs, contact identifiers, unique negotiation tokens, PGP fingerprints, file checksums, and binary signatures have been redacted. No links to active criminal infrastructure are provided.