Geopolitics & Resilience | 2026-04-26

Critical Infrastructure Ransomware in 2026: Sector Exposure, Insurance Capacity, and the New Regulatory Floor

Healthcare, water, and OT-heavy sectors absorbed the brunt of the 2024 to 2025 ransomware wave. Boards, CISOs, regulators, and underwriters now operate under a tighter set of disclosure rules, sanctions risks, and policy exclusions. This brief sets out the data, the actor map, and the decisions that follow.

Ransomware against US and EU critical infrastructure continued at high intensity through 2024 and 2025, with healthcare displacing every other sector as the largest reported segment in CISA and FBI IC3 data. The Change Healthcare incident at UnitedHealth Group, the American Water Works compromise, the CDK Global outage, and the Ascension Health intrusion together cost regulated entities and downstream customers tens of billions of dollars and reset boardroom expectations of operational resilience. Law enforcement disrupted ALPHV BlackCat and LockBit in 2024, but RansomHub, Akira, Play, and Cl0p backfilled within months. Average ransom payments stabilized in the mid six figures while the share of victims paying continued a multi-year decline, with OFAC sanctions enforcement and clearer board-level risk frameworks doing more to depress payment rates than any single technical control. Cyber insurance capacity has normalized after the 2022 spike, but ransomware sublimits, war exclusions following the Lloyd's bulletin, and stricter underwriting around identity, backups, and OT segmentation are now standard. The 2026 policy and underwriting environment rewards operators who treat ransomware as a board-governed enterprise risk rather than an IT line item.

The 2024 to 2025 wave: what the incident record actually shows

Ransomware against US critical infrastructure did not slow after the Colonial Pipeline shock of May 2021. It broadened. The FBI IC3 2024 Annual Report logged 859 complaints from organizations identifying as critical infrastructure, against 1,193 in 2023, with healthcare and public health the largest reported sector for the third consecutive year. CISA joint advisories with the FBI, NSA, and partners attribute the bulk of confirmed activity to a small group of ransomware-as-a-service brands and their affiliates: ALPHV BlackCat, LockBit, Cl0p, RansomHub, Akira, Play, and BianLian. Brand churn is high, but the affiliate pool is comparatively stable.

Several incidents reset expectations in 2024. The Change Healthcare intrusion, disclosed by UnitedHealth Group in late February and attributed to ALPHV BlackCat, disrupted claims processing, prescription routing, and provider payments for weeks. UnitedHealth confirmed in congressional testimony that it paid a 22 million USD ransom and disclosed a total cost of approximately 2.9 billion USD in its 2024 results. CDK Global, the dealer management platform supporting roughly 15,000 North American auto dealerships, was forced offline by a June BlackSuit intrusion, with Anderson Economic Group estimating dealer losses above 1 billion USD over a three-week recovery window. American Water Works disclosed a cybersecurity incident in October that took its customer portal and billing systems offline. Ascension Health, a Catholic hospital system operating in 19 states, suffered a Black Basta intrusion in May that diverted ambulances and forced staff onto paper records for over a month.

| Incident | Sector | Year | Threat actor | Disclosed financial impact |
|---|---|---|---|---|
| Colonial Pipeline | Energy, pipelines | 2021 | DarkSide | 4.4 million USD ransom paid, 2.3 million USD recovered by DOJ |
| Change Healthcare (UnitedHealth) | Healthcare | 2024 | ALPHV BlackCat | 22 million USD ransom paid, ~2.9 billion USD total cost (UNH FY2024) |
| Ascension Health | Healthcare | 2024 | Black Basta | ~1.1 billion USD response and lost revenue (Ascension FY2024 filings) |
| CDK Global | Auto retail software | 2024 | BlackSuit | Estimated >1 billion USD dealer losses (Anderson Economic Group) |
| American Water Works | Water utilities | 2024 | Not publicly attributed | Customer portal outage, no ransom disclosed |
| MGM Resorts | Hospitality, gaming | 2023 | Scattered Spider, ALPHV affiliate | ~100 million USD impact (MGM 8-K) |

Table 1. Reference incident set, 2021 to 2024. Sources: company 8-K and 10-K filings, US Department of Justice press releases, CISA joint advisories, Anderson Economic Group estimates.

Sector exposure and threat actor map

The pattern of victimization is not random. Healthcare leads reported critical infrastructure complaints in the IC3 dataset because the sector combines high-value patient data, intolerance for downtime, fragmented identity systems, and a long tail of acquired entities running unsupported software. The HHS Office for Civil Rights breach portal recorded over 250 million individuals affected by reported healthcare breaches in 2024, the highest figure on record, with the Change Healthcare event alone covering an estimated 190 million. Water and wastewater utilities appear less often in IC3 counts but draw disproportionate CISA attention because of operational technology exposure: small utilities with limited IT staff, internet-exposed PLCs, and weak segmentation between business and OT environments. CISA, EPA, and the FBI have issued repeated advisories on Iranian-linked CyberAv3ngers attacks against Unitronics PLCs at US water systems through 2023 and 2024. Energy operators have hardened materially since Colonial Pipeline, though the Verizon DBIR 2024 still identifies industrial sectors as overrepresented in extortion incidents. Manufacturing carries the highest sustained ransomware volume of any vertical. State and local government, K-12 and higher education, and managed service providers complete the high-frequency segment. Mandiant M-Trends 2024 and CrowdStrike Global Threat Report 2025 both flag identity compromise, edge device exploitation, and SaaS-targeted social engineering by groups such as Scattered Spider as the dominant initial access vectors, displacing the phishing-led pattern of 2018 to 2021.

The 2024 disruption operations were the largest coordinated law enforcement actions against ransomware brands to date. The FBI led an international operation against ALPHV BlackCat in December 2023, seizing infrastructure and publishing a decryptor before the group rebranded and retaliated with the Change Healthcare attack weeks later. Operation Cronos, the UK National Crime Agency-led action against LockBit in February 2024, took down the leak site, indicted core operators, and revealed that the group had retained victim data even after ransoms were paid. Both brands effectively dissolved by mid-2024. RansomHub absorbed displaced affiliates and became the most-active brand by leak-site postings in the second half of 2024 before itself fragmenting in early 2025. Akira, Play, Medusa, and Qilin captured the residual share. Russian-language groups continue to dominate the financially motivated ecosystem; North Korean clusters Lazarus and Andariel deploy ransomware as revenue and espionage cover; Iran-linked actors blend ideological targeting with extortion; and China-nexus precursor positioning, characterized by CISA as Volt Typhoon and Salt Typhoon, sits alongside the criminal extortion landscape.

Payment economics and the OFAC overhang

Coveware's quarterly ransomware reports, which aggregate incident response data across hundreds of cases per quarter, documented a multi-year decline in the share of victims paying ransoms, from above 70 percent in 2019 to roughly 28 to 32 percent by Q4 2024. Average ransom payments have stabilized in the mid six figures: Coveware reported an average payment of approximately 553,000 USD in Q4 2024, with the median materially lower. Chainalysis crypto crime tracking corroborates the directional decline in payment volume from the 2023 peak. The drivers are well-documented: better backups, segmented identity, more sophisticated incident response, and a hardening of board posture against payment in the absence of clear operational necessity.

The OFAC overhang is now a first-order constraint on payment decisions. The 2020 OFAC advisory and its 2021 update made clear that ransom payments to sanctioned individuals or jurisdictions, including the LockBit administrator sanctioned in 2024 and multiple Russian and North Korean entities, can give rise to strict-liability sanctions exposure for the victim, the incident response firm, and the insurer. Payment is no longer a private commercial decision. It is a regulated act with reporting and licensing implications. The proposed CIRCIA rules, published by CISA in 2024, formalize a 72-hour reporting window for substantial cyber incidents and a 24-hour window for ransom payments by covered entities, with the final rule expected in late 2025 or 2026. Boards that have not aligned incident response playbooks, outside counsel, and insurer notification protocols to these timelines face a real probability of a regulatory finding on top of the operational loss.

Regulatory floor: CIRCIA, NIS2, DORA, and sector rules

The 2024 to 2026 regulatory cycle has materially raised the floor on ransomware preparedness. In the United States, the SEC cyber disclosure rule effective December 2023 requires material cyber incidents to be reported on Form 8-K within four business days, with annual 10-K disclosure of cyber risk management and board oversight. CIRCIA, once finalized, will add the 72-hour and 24-hour windows for covered critical infrastructure entities. The TSA pipeline security directives, revised through 2024, prescribe specific cybersecurity controls for hazardous liquid and natural gas pipeline operators. The HHS proposed update to the HIPAA Security Rule, published in late 2024, introduces explicit requirements for multi-factor authentication, encryption, network segmentation, and patching with defined timelines. The EPA continues to assert cybersecurity authority over public water systems under the Safe Drinking Water Act.

In the European Union, NIS2 entered into force in October 2024 and broadened in-scope sectors to roughly twice the population of the original NIS directive, with explicit obligations on incident reporting, supply chain risk management, and management body accountability. DORA applied from January 2025 and imposes a unified ICT risk management, incident reporting, and third-party risk regime on financial entities, with regulator-designation of critical cloud and tech providers. The Cyber Resilience Act, adopted in 2024 with phased application from 2026 and full application from 2027, places baseline cybersecurity obligations on products with digital elements. Critical infrastructure operators with EU operations now face a layered, prescriptive regulatory stack that did not exist in 2021. The UK NCSC, ENISA, and CISA have converged on a common frame: secure by design, mandatory incident reporting, and supply chain accountability.

| Instrument | Jurisdiction | Effective | Core obligations | Penalty ceiling or enforcement |
|---|---|---|---|---|
| SEC cyber disclosure | United States | December 2023 | 8-K within 4 business days for material incidents, annual 10-K disclosures | Securities law enforcement, fines, individual liability |
| CIRCIA proposed rule | United States | Final rule expected 2025 to 2026 | 72 hr incident report, 24 hr ransom payment report for covered entities | Subpoena, civil enforcement |
| TSA pipeline directive | United States | Since 2021, revised 2024 | Cyber controls, incident reporting for covered pipelines | Civil penalties under TSA authority |
| HIPAA Security Rule update | United States | Proposed late 2024 | MFA, encryption, segmentation, defined patch timelines | OCR fines, multimillion USD settlements precedented |
| NIS2 | European Union | October 2024 | Risk management, supply chain, 24 hr early warning, 72 hr notification | Up to 10 million EUR or 2 percent of global turnover for essential entities |
| DORA | European Union | January 2025 | ICT risk management, third party register, oversight of critical providers | Periodic penalties, supervisory measures |
| Cyber Resilience Act | European Union | Phased from 2026, full 2027 | Secure by design for products with digital elements | Up to 15 million EUR or 2.5 percent of global turnover |

Table 2. Core regulatory instruments shaping critical infrastructure ransomware obligations. Sources: SEC final rule release, CISA CIRCIA NPRM, TSA security directives, HHS OCR HIPAA NPRM, EUR-Lex NIS2, DORA, and Cyber Resilience Act texts.

Insurance and underwriting: capacity has normalized, terms have not

The cyber insurance market completed its post-2021 hard cycle by 2024. Marsh, Aon, and Howden quarterly market updates document mid-single-digit to low-teens rate decreases through 2023 and 2024 from the steep increases of 2021 and 2022, with global cyber gross written premium estimated above 14 billion USD by Munich Re for 2024 and trending toward roughly 16 to 17 billion USD in 2025. Standalone cyber capacity across the London, Bermuda, and US domestic markets is now estimated at around 7 billion USD per risk for the largest buyers, though stacking that capacity remains complex and ransomware sublimits are common. AM Best's 2024 cyber market segment report kept the outlook stable, citing improved combined ratios and tighter underwriting. Lloyd's of London cyber syndicates similarly returned to profitability in 2023 and 2024 on the strength of portfolio-level controls and tighter wordings.

The terms tell a more important story than the prices. Ransomware sublimits and coinsurance, supplemental ransomware applications focused on identity, backups, EDR coverage, and OT segmentation, and explicit war and infrastructure exclusions following the Lloyd's market bulletin LMA5564 series of 2022 and 2023 are now standard. Underwriters require evidence of MFA for privileged users and remote access, segmented and tested backups, EDR or XDR with 24x7 monitoring, a documented vulnerability management program, and tested incident response retainers before binding meaningful limits. Cyber insurance is transitioning from a balance sheet hedge to a co-managed control framework, where the underwriter becomes a quasi-regulator of basic security hygiene. Reinsurance capacity from Munich Re, Swiss Re, Hannover Re, and the cat bond market is expanding but remains the binding constraint on systemic and aggregation risk arising from cloud, identity provider, and MSP concentration.

Recommendations for boards, CISOs, regulators, and insurers

For boards, ransomware is a governance question, not a technology question. Boards should require a written ransomware playbook owned by the CEO and General Counsel, tested annually, with explicit triggers for SEC, CIRCIA, NIS2, and OFAC notifications. They should hold the CISO and CFO jointly accountable for resilience metrics on backup integrity, identity hygiene, and OT segmentation, and treat cyber insurance as a structural complement to those controls, not a substitute. Disclosure-grade documentation of board oversight, in line with the SEC final rule, is no longer optional.

For CISOs, the priority hierarchy in 2026 is identity, edge, OT, and third party. Identity hardening (phishing-resistant MFA, privileged access management, conditional access, identity threat detection) addresses the dominant initial access vector. Edge device hygiene (timely patching of VPN, firewall, file transfer, and remote access appliances) closes the second largest. OT segmentation and asset inventory are foundational for sectors with exposed PLCs and SCADA. Third-party and SaaS risk programs must extend beyond questionnaire compliance to continuous validation of identity and incident reporting. For regulators, the frontier is harmonization: CIRCIA, NIS2, DORA, and SEC timelines should converge through cross-recognition and shared templates. For insurers and reinsurers, the durable opportunity is to underwrite better, not cheaper. Tighter wordings, clearer war and infrastructure exclusions, and evidence-based control discounts will outperform headline price competition through the next loss cycle. The actors that disrupted Change Healthcare and CDK in 2024 will be back in some form in 2026 and 2027. The institutions that price, regulate, and govern that risk now have the tools to reduce its frequency and contain its severity.

Sources

Cite this brief

@misc{hossen2026criticalinfraransomware2026,
  author = {Hossen, Md Deluair},
  title  = {Critical Infrastructure Ransomware in 2026: Sector Exposure, Insurance Capacity, and the New Regulatory Floor},
  year   = {2026},
  url    = {https://deluair.com/consultancy/insights/critical-infra-ransomware-2026},
  note   = {Deluair Consultancy briefs}
}