Ransomware Profits Plummet as Victims Refuse to Pay

Summary
– Ransomware payment rates hit a record low of 23% in Q3 2025, continuing a six-year declining trend observed by Coveware.
– Organizations are implementing stronger protections and authorities are pressuring victims not to pay, contributing to the drop in ransom payments.
– Ransomware groups now primarily use data exfiltration in attacks, with over 76% of Q3 2025 incidents involving data theft rather than just encryption.
– Average and median ransom payments decreased to $377,000 and $140,000 respectively in Q3 2025 as enterprises revised payment policies to invest in defenses.
– Threat actors are shifting focus to medium-sized firms and using remote access compromises and software vulnerabilities as initial attack vectors.
A significant shift is occurring in the cybersecurity landscape as fewer organizations are choosing to pay ransomware demands, with the payment rate hitting a record low of just 23%. This downward trend, documented over the past six years, highlights a growing resilience among potential targets. While the payment rate saw a brief increase to 28% in early 2024, it has since fallen steadily, reaching its lowest point in the third quarter of 2025. Experts point to two major factors driving this change: companies have implemented more robust and targeted defensive measures, and there is mounting pressure from authorities discouraging any form of payment to cybercriminals.
Industry analysts view this development as a clear sign of collective progress. The dedicated efforts to prevent attacks, reduce their impact, and manage cyber extortion incidents are paying off. Every avoided payment effectively cuts off vital resources from attackers, making their operations less sustainable.
Ransomware tactics have also evolved significantly. Many groups have moved beyond simple encryption attacks to embrace “double extortion,” which involves stealing sensitive data and threatening to release it publicly. In the most recent quarter, data theft was a component in more than 76% of observed ransomware incidents, establishing it as the primary objective for most threat actors. For attacks that involve only data theft, with no encryption, the payment rate drops even more dramatically to 19%, which is also a historic low for this specific type of incident.
Financial figures reinforce this trend. The average ransom payment fell to $377,000 in the last quarter, while the median payment was $140,000. This decline suggests that large enterprises are reassessing their policies, deciding that funds are better allocated toward strengthening their defenses rather than filling the coffers of criminals.
However, attackers are adapting their strategies in response to shrinking profits. Prominent groups like Akira and Qilin, responsible for nearly half of all attacks in the last quarter, are increasingly focusing their efforts on mid-sized companies. These organizations often have fewer resources dedicated to cybersecurity and are currently more likely to meet ransom demands.
Another notable change involves the methods used to gain initial access. Compromised remote access systems have become the leading attack vector, accompanied by a sharp rise in exploits targeting software vulnerabilities.
As profit margins continue to narrow, ransomware gangs are expected to become more precise in their targeting. Larger enterprises, despite their improved security, will likely face increased attention from these groups. To bypass enhanced defenses, threat actors are predicted to rely more heavily on sophisticated social engineering campaigns and may attempt to recruit insiders, offering substantial bribes in exchange for help gaining a foothold within corporate networks.
(Source: Bleeping Computer)





