Ransomware is no longer a problem that only happens to hospitals and Fortune 500 companies. For CPA and accounting firms — the businesses that hold Social Security numbers, bank details, and complete tax histories for hundreds or thousands of clients — it has become one of the defining cyber risks of 2026. These CPA firm ransomware statistics show how big the threat has gotten, and why firms your size are squarely in the crosshairs.
The data tells a two-sided story. Attacks are more common than ever and increasingly aimed at small and mid-sized organizations — the category almost every accounting practice falls into. At the same time, fewer victims are paying, ransom amounts are falling, and law enforcement is landing real blows against the biggest gangs.
We pulled the latest numbers from primary sources — the FBI’s Internet Crime Complaint Center, Verizon’s Data Breach Investigations Report, and incident-response firm Coveware — and added what each figure actually means for a firm with a few dozen employees and a filing-season deadline.
Here are the ransomware statistics every CPA firm owner should know going into 2026.
Key Takeaways
- Ransomware now appears in 44% of all data breaches — and in a striking 88% of breaches at small and mid-sized businesses, the size bracket almost every CPA firm sits in.
- The median company hit by a cyber-extortion attack had just 362 employees, evidence that attackers are targeting firms your size, not just giants.
- The median ransom paid has fallen to between $115,000 and $140,000, and the share of victims who pay has dropped to a record-low 23%.
- A ransomware data-theft incident is now a reportable event: the FTC Safeguards Rule requires notifying the FTC within 30 days of discovering a breach that affects 500 or more consumers.
The State of Ransomware in 2026: The Numbers That Matter
Ransomware kept climbing into 2025 and 2026 even as defenders got better at stopping it. The top-line figures set the stage for everything else:
- Ransomware was present in 44% of all data breaches, up 37% year over year. (Verizon 2025 DBIR)
- It was “again the most pervasive threat to critical infrastructure,” with related complaints to the FBI rising 9% from the prior year. (FBI IC3, 2024 Report)
- Americans reported a record $16.6 billion in total cybercrime losses in 2024 — the highest in the IC3’s history. (FBI IC3, 2024 Report)
- The FBI identified 67 brand-new ransomware variants in a single year, a sign of how fast the criminal market is innovating. (FBI IC3, 2024 Report)
- Verizon’s researchers analyzed more than 22,000 security incidents, including 12,195 confirmed breaches, to reach these conclusions. (Verizon 2025 DBIR)
Why CPA and Accounting Firms Are Prime Ransomware Targets
There’s a comforting myth that ransomware crews only chase big companies. The data says the opposite — and that is bad news for accounting firms.
- Ransomware was present in 88% of breaches at small and mid-sized businesses, versus 44% across organizations of all sizes. (Verizon 2025 DBIR)
- The median company size in cyber-extortion incidents was just 362 employees in Q3 2025 — and that number was actually up 27% from the prior quarter. (Coveware, Q3 2025)
- Data exfiltration — the theft of files for extortion — appeared in 76% of incident-response cases, meaning client data, not just uptime, is the prize. (Coveware, Q3 2025)
- Encryption that locks a firm out of its own systems was confirmed in nearly nine out of ten cases. (Coveware, Q3 2025)
For a 20- or 50-person CPA firm, those numbers are uncomfortably specific. You are small enough to lack a dedicated security team, but you hold exactly the data — tax returns, SSNs, bank routing numbers, W-2s — that makes both encryption and extortion pay off for an attacker. They know it, and they price their effort accordingly.
What a Ransomware Attack Actually Costs in 2026
Ransom demands swing from quarter to quarter, but the latest figures show the going rate — and that is before you add the real damage.
- The average ransom payment was $376,941 in Q3 2025, with a median of $140,000. (Coveware, Q3 2025)
- Verizon put the median ransom paid over the prior year at $115,000 — “a significant amount for many SMBs.” (Verizon 2025 DBIR)
- The FBI logged $12.5 million in adjusted ransomware losses in 2024, but warns the figure “does not include estimates of lost business, time, wages, files, or equipment,” so the true cost runs far higher. (FBI IC3, 2024 Report)
That FBI caveat is the part CPA owners should sit with. The ransom is rarely the biggest line item. The lost billable hours during filing season, the forensic investigation, the client-notification mailing, and the reputational hit usually dwarf whatever the attacker demands.
The Good News: Fewer Firms Are Paying the Ransom
The most encouraging trend in the data is that the extortion business model is starting to break down.
- The overall ransom payment rate fell to a historical low of 23% in Q3 2025 — meaning more than three-quarters of victims refused to pay. (Coveware, Q3 2025)
- For data-theft-only attacks with no encryption, the payment rate dropped to a record-low 19%. (Coveware, Q3 2025)
- Verizon found 64% of victim organizations did not pay, up from 50% just two years earlier. (Verizon 2025 DBIR)
- Law-enforcement action against major gangs such as LockBit has also put decryption keys in defenders’ hands: the FBI has handed out thousands of them since 2022, “avoiding over $800 million in payments.” (FBI IC3, 2024 Report)
Why does this matter for your firm? Every refused payment makes the whole criminal model less profitable for everyone. But “don’t pay” only works if you can recover without the attacker’s key — which means tested, offline backups and an incident-response plan you have actually rehearsed, not just filed away.
How Ransomware Gets Into a Firm
Attackers rarely break in cinematically. The latest data shows they tend to walk through doors firms leave open.
- Credential abuse (22%) and exploiting unpatched vulnerabilities (20%) are the top two ways in; vulnerability exploitation alone jumped 34% year over year. (Verizon 2025 DBIR)
- Third-party involvement in breaches doubled to 30%, meaning a vendor or software provider is increasingly the weak link. (Verizon 2025 DBIR)
- Once inside, attackers moved laterally across the network in 73% of cases before triggering the payload. (Coveware, Q3 2025)
- The most common variants hitting victims were Akira (34% market share) and Qilin (10%). (Coveware, Q3 2025)
- The FBI’s top five ransomware variants by complaint volume were Akira, LockBit, RansomHub, FOG, and PLAY. (FBI IC3, 2024 Report)
The human element has become a literal recruiting pitch. In one 2025 case documented by incident responders, a member of the Medusa ransomware gang approached an employee and offered them a 15% cut of the ransom in exchange for handing over access to their work computer. (Coveware, Q3 2025) For a small firm, that means your people — not just your firewall — are part of the attack surface.
Ransomware Just Became a Compliance Problem, Too
For accounting firms, a ransomware attack is not only an IT emergency — it is a regulatory one. Two federal rules now put a clock on it.
- Under the FTC Safeguards Rule, tax return preparers “must create and enact security plans to protect client data,” and “failure to do so may result in an FTC investigation.” (IRS Publication 4557)
- Since the rule’s update, firms must notify the FTC “no later than 30 days after discovery” of a security breach involving “at least 500 consumers.” (FTC, 2023)
Combine that with the fact that 76% of ransomware cases now involve stolen data, and the math is sobering: a successful attack on a mid-sized CPA firm will often clear the 500-client threshold, starting a 30-day regulatory clock on top of the operational chaos. A written information security plan (WISP) is no longer optional paperwork — it is the baseline the IRS and FTC already expect you to have.
Final Thoughts
The headline from these CPA firm ransomware statistics is not “panic.” It is that you are a target, and the firms that prepare are the ones that walk away intact. Attackers have shifted toward businesses exactly your size, they are after the client data you are legally required to protect, and a single incident can trigger both a six-figure recovery bill and a regulatory filing deadline. The firms that come out ahead are the ones with tested backups, trained staff, patched systems, and a written security plan in place before anything goes wrong.
That is the work Tech Advisors does every day for CPA and accounting firms — building the backups, monitoring, patching, and incident-response plans that turn a potential catastrophe into a manageable event, while keeping you on the right side of IRS and FTC requirements. If you are not sure where your firm stands, a short conversation is a good place to start.