Ransomware Evolves: Stealthier Attacks Drive Higher Costs and Prolonged Downtime A new report highlights a shift in ransomware tactics, with threat actors moving away from high-volume, opportunistic attacks to slower, more targeted campaigns designed to evade detection and maximize financial gain. While the frequency of ransomware incidents has declined dropping from eight to five or six per organization annually the average ransom payment has surged from $2.5 million to $3.6 million over the past year. Attackers now spend an average of nearly two weeks inside a network before launching an attack, with nearly a third of organizations only discovering breaches after data exfiltration has begun. This delay in detection contributes to prolonged downtime, averaging 37 hours per incident, as organizations take over two weeks to respond and contain threats. Critical infrastructure and government sectors remain prime targets, with RansomHub (26.8%), LockBit (26.5%), Darkside (25.7%), APT41 (24%), and Black Basta (23.4%) among the most active groups. In government environments, LockBit, Darkside, and Black Basta each accounted for 33.3% of detected threats, while RansomHub was linked to 25.6% of incidents. Despite advancements in security, phishing and social engineering (33.65%) remain the most common attack vectors, followed by software vulnerabilities (19.43%), supply chain compromises (13.4%), and stolen credentials (12.2%). Expanding attack surfaces particularly public cloud (53.8%), third-party services (43.7%), and Generative AI applications (41.87%) are amplifying risks. Visibility gaps continue to hinder response efforts, with 41% of organizations citing limited network visibility as a key challenge. Other barriers include alert overload (34%), poorly integrated security tools (34%), and manual SOC workflows (34%), with critical sectors like telecoms, finance, and education facing the greatest difficulties. The findings underscore how attackers exploit blind spots to move laterally, escalate privileges, and exfiltrate data before detection. Without comprehensive network monitoring and contextual threat analysis, organizations remain vulnerable to prolonged breaches and costly disruptions.