The Extortion Market Has Matured, And the Response Industry Is Part of It

In May, a criminal extortion group told 9,000 schools to hire breach coaches and negotiate ransom payments individually. A week later, the ed-tech vendor covering those schools called the ransom it paid an "agreement" and presented "shred logs" from the criminals as proof of data destruction. Both sides used professional language and treated the whole thing like a transaction between counterparties. That moment stuck with me. It made something click that I have been sensing all year. We are not watching a crime wave play out anymore. We are watching a market function.

This piece is not another "ransomware is getting worse" article. The numbers tell that story well enough. What I want to talk about is what happens when both the attack side and the defense side of the extortion economy professionalize simultaneously, and whether the response industry that grew up around this problem has inadvertently become part of what keeps it running smoothly.

The Market Economics

Let me start with the economics, because you cannot understand the maturation without the numbers.

Chainalysis tracked $820 million in on-chain ransomware payments in 2025. The Verizon DBIR found that 48 percent of all confirmed breaches last year involved ransomware, up from 44 percent the year before. NCC Group counted 7,874 victims on leak sites, a record and a 50 percent year-over-year increase. By every volume metric, the extortion economy is expanding.

But here is where it gets interesting. The percentage of victims who actually pay has been falling for four consecutive years. It hit 28 percent in 2025 according to Chainalysis, and Coveware's incident response data shows it dropping to roughly 20 percent by Q4. That is a historic low. Fewer organizations are paying. And yet the total revenue barely moved, because the organizations that do pay are paying significantly more. The median on-chain payment grew 368 percent year-over-year to nearly $60,000. Coveware's average payment in Q4 reached $591,988.

Fewer are paying, but those who pay are paying bigger. The market is concentrating. Honestly, that is an industry optimizing its unit economics. It just happens to be a criminal one.

The Supply Side Has Industrialized

The supply side of this market looks nothing like it did five years ago. It has industrialized into specialized roles with their own economics. Initial access brokers sell network access to ransomware operators the way wholesalers sell to retailers. The average price for basic network access has dropped from $1,427 in early 2023 to $439 by Q1 of this year. The market is saturated with credentials from infostealers, automation, and AI-assisted tooling. Supply is cheap and abundant.

But enterprise admin access, MSP pivot points, supply chain positions that open the door to hundreds of downstream targets, those are going for $50,000 to over $100,000. Rapid7 found that IAB asking prices on certain forums increased over 4,000 percent in the second half of 2025 as brokers shifted from volume to high-value targets. The market bifurcated into commodity and premium tiers, the same way any maturing market does.

And the operators themselves have professionalized their engagement with victims. Multiple operations now deploy AI-powered tools, such as chatbots to conduct initial victim negotiations. Qilin has added multiple features as outlined in GuidePoint Security's 2026 GRIT report which documented how the ransomware operation added a "Call Lawyer" feature for its affiliates, specifically designed to increase pressure during negotiations. It is believed to be an AI tool that parses stolen data for regulatory violations and legal exposure, then generates talking points affiliates can use to make threats more specific. "We found unencrypted PII for 2 million EU residents" hits different than a generic ransom note. They also offer "in-house journalists" to write blog posts for their leak site, essentially a content service that helps affiliates craft professional, damaging public write-ups about victims to amplify reputational pressure. The attackers are running a customer-facing business at this point. They are investing in their "customer experience" the same way a legitimate SaaS company would.

We Watched This Happen in Real Time

We watched this firsthand this year. Remember those 9,000 schools from the opening of this piece? Well, when ShinyHunters breached Instructure and the company did not immediately engage, they defaced 330 school login portals with a message telling individual institutions to "consult with a cyber advisory firm and contact us privately to negotiate a settlement." Think about that. They were directing victims into the professional negotiation pipeline. Coaching schools on how to be extorted efficiently.

Compare that to what this market looked like five or six years ago. Early ransomware negotiations were chaos. No established protocols, no guarantee the attacker would actually hand over a decryption key, no way to verify anything. Companies paid and got nothing back. The whole interaction was adversarial and unpredictable, which is part of why payment rates were so low early on. What ShinyHunters has built, and what other groups are now copying, is the opposite of that. They honor deals. When Wynn reached a settlement earlier this year, the listing came down. AT&T paid, the data was confirmed deleted. Panera did not pay, and ShinyHunters published. Either way, they followed through. ShinyHunters has built a reputation for consistency on both sides of the transaction, and that reputation is a business asset. It builds trust in the process, which makes future victims more likely to engage, which makes the whole model more profitable. They are literally investing in customer service for their extortion operation.

And the response side went through the same transformation. Early incident response for ransomware was ad hoc. A panicked CEO calling their outside counsel at 2am, who maybe knew a guy who knew a guy who had dealt with this before. No playbook, no established processes, no market. Today it is an industry. Both sides went from chaotic to professional on roughly the same timeline.

 The Defense Side Professionalized in Parallel

Now here is the part that should make the industry uncomfortable.

The ransomware negotiation services market was valued at $1.2 billion in 2025, with projections reaching $4.6 billion by 2034. That is a 14.8 percent compound annual growth rate. Palo Alto Networks, Sophos, GuidePoint Security, and Arctic Wolf all maintain dedicated negotiation practices. Breach coaching has been described as "one of the fastest growing areas of law, and incredibly lucrative" for the firms that practice it. One industry profile noted that the fastest-growing job in cybersecurity "requires no certifications, no specific academic background, and no single agreed-upon career path." What it requires is the ability to negotiate with criminals.

I am not condemning these firms. They exist because organizations genuinely need help navigating what is an agonizing situation. When your systems are down, your data is being held hostage, and you have 48 hours before it gets published, you need someone who has done this before. GuidePoint's data shows that negotiations consistently reduce payments by 44 to 80 percent from initial demands. That represents real value for victims. And for the organizations making the payment decision, the calculus is often straightforward. You have a fiduciary responsibility to shareholders, a duty of care to customers, and employees who cannot do their jobs while systems are down. When the cost of prolonged disruption exceeds the cost of settlement, the decision stops being ideological and starts being economic. That is exactly the dynamic that makes this market function.

The Symbiosis Problem

But you have to be honest about the dynamic this creates. Attackers get more professional. Victims need more professional help. A response industry grows to meet that need. That industry makes the process smoother and more predictable. Which makes attacking more predictable and profitable. Which attracts more attackers. Both ecosystems are co-evolving, and the friction that used to make extortion messy and unreliable has been engineered out of the system by both sides.

So let's look at how the Instructure deal actually played out. Instructure initially tried to ignore ShinyHunters. They patched their systems and let the first deadline pass. ShinyHunters responded by going around them, directly to the schools, creating enough downstream pressure that Instructure reversed course within days. Once both sides entered the negotiation, it resolved in under a week. Shred logs provided, listing removed, blanket settlement. If I described that sequence without naming the parties, it would sound like a business dispute where one side played hardball and the other brought a bigger bat to the negotiation. Both were forced to come to an understanding. It's all just business now.

The Supply Chain Is the Target

The Verizon DBIR found that third-party involvement in breaches increased 60 percent year-over-year in 2025, now accounting for 48 percent of all breaches. The extortion playbook has converged on the supply chain, and specifically on SaaS platforms that aggregate commercially sensitive data from hundreds of organizations at once. ShinyHunters proved it works at scale with Instructure. Icarus proved it is replicable with Klue. Both targeted platforms where a single point of compromise opens the door to hundreds of downstream victims' CRM data, customer contacts, pricing, deal intelligence, all the things companies will pay to keep private. That math is only going to get more attractive. More business data moves into SaaS platforms every year, integration sprawl keeps expanding the OAuth attack surface, and the playbook for exploiting it is now public knowledge. We are going to see more of these extortion plays, not fewer.

Where This Leaves Organizations

So where does this leave organizations? I think it reframes the vendor risk conversation in ways most companies have not caught up to yet. We have to move past "does our SaaS provider have an incident response plan" and "do they carry cyber insurance." The real question is what our vendor's playbook looks like when an attacker comes for our data on their platform. Will they negotiate on our behalf? Will they pay? Or will they let it burn? And do we know the answer to that before the incident happens?

If Instructure had not paid, 9,000 institutions would have been on their own. Most of them have no breach counsel, no negotiating leverage, no playbook for a criminal group threatening to dump their students' private messages. The alternative to that payment was chaos. And honestly, if I were a school administrator at that time, I would probably be relieved my vendor stepped in, even if I am ideologically opposed to ransom payments.

That tension is the whole story. The extortion market has matured to the point where payment feels rational, the negotiation process feels orderly, and the outcome feels manageable. Both sides built that. And the more frictionless this becomes, the more profitable it becomes, and the more targets follow.

To be fair, the industry has made real progress. Payment rates are at historic lows. Organizations invested in backups, segmentation, and recovery, and it worked against encryption-based ransomware. But operators adapted. They pivoted from "pay or stay locked out" to "pay or we dump." Against data extortion, immutable backups do not help. Against "pay or we publish your students' private messages," your recovery playbook is irrelevant.

I am not arguing that negotiation capability should not exist. Sometimes it is the only rational path forward, and pretending otherwise is naive. But gaming out these scenarios before they happen still matters, because the work you do proactively determines how much leverage the attacker has when they show up. Data retention policies, access controls, minimization of what lives in platforms you do not own, all of that directly reduces the volume and sensitivity of what can be held against you. If Instructure had purged private messages after twelve months, ShinyHunters would have had a fraction of the leverage they used to force that settlement. The goal is not to avoid the negotiating table entirely. The goal is to arrive at that table with less on the line. And that requires staying diligent on the controls that limit exposure long before the extortion email arrives. The negotiating table is going to be there whether we like it or not. The only question is how much you put on it before you sit down.

Sources

• Chainalysis, "2026 Crypto Crime Report: Ransomware," February 2026. chainalysis.com
• Verizon, "2026 Data Breach Investigations Report," May 2026. verizon.com
• Coveware, "Why Zero-Day Downstream Mass Data Extortion Campaigns Are Losing Their Bite" (Q4 2025 Data), February 2026. coveware.com
• GuidePoint Security, "GRIT 2026 Ransomware and Cyber Threat Report," January 2026. guidepointsecurity.com
• ZeroFox, "The Role of Initial Access Brokers in Ransomware Operations," 2026. zerofox.com
• Rapid7, "Initial Access Brokers Have Shifted to High-Value Targets and Premium Pricing," March 2026. rapid7.com
• MarketIntelo, "Ransomware Negotiation Services Market Research Report 2034," 2025. marketintelo.com
• The Globe and Mail, "The Invisible Necessity of Ransomware Negotiations," 2026. theglobeandmail.com
• The American Prospect, "Ransomware Recovery Firms Share in the Hacking Spoils," January 2026. prospect.org
• BleepingComputer, "Instructure Reaches 'Agreement' with ShinyHunters to Stop Data Leak," May 2026. bleepingcomputer.com
• BleepingComputer, "Klue OAuth Breach Victim List Grows as Icarus Hackers Claim Attack," June 2026. bleepingcomputer.com
• NCC Group, "Annual Cyber Threat Intelligence Report 2025," January 2026 (7,874 leak-site victims). https://www.nccgroup.com/newsroom/ncc-group-annual-cyber-threat-intelligence-2025/
• IBM, "2025 Cost of a Data Breach Report," 2025. ibm.com