
Ransomware Groups Pivot as Victims Stop Paying

Summary

– Ransomware payment rates dropped significantly in Q3 2025, with only 23% of victims paying ransoms and just 19% paying in data theft-only incidents.
– Attackers are shifting from opportunistic targeting to focusing on larger enterprises, though these organizations are increasingly refusing to pay ransoms.
– Initial access methods have evolved to include insider threats, bribery, sophisticated helpdesk social engineering, and callback phishing schemes.
– Remote access compromise through VPNs, cloud gateways, and credential exploitation remained the most common attack vector, accounting for over half of incidents.
– Data exfiltration has become nearly guaranteed in attacks while encryption is often optional, with attackers performing detailed reconnaissance before stealing valuable data.

A significant shift is occurring in the ransomware economy, with far fewer victims choosing to pay their attackers. Recent data reveals that in the third quarter of 2025, a mere 23 percent of ransomware victims paid a ransom. When attacks involved only data theft without any file encryption, that payment rate fell even further to just 19 percent. This trend signals a major victory for cybersecurity efforts, effectively cutting off the financial lifeblood that sustains these criminal operations.

Security professionals, law enforcement agencies, and legal advisors see this as clear proof that their coordinated strategies are working. Every avoided payment starves cybercriminals of the cryptocurrency they depend on, undermining their business model. The threat landscape, however, is splitting into two distinct camps. Some Ransomware-as-a-Service operations, such as Akira, focus on mid-sized companies with demands for smaller sums, and they manage to maintain a payment rate a bit above the average. On the other hand, other criminal gangs have shifted their focus exclusively to large enterprises, believing these organizations possess the financial capacity to meet much larger ransom demands.

Yet, even these large corporations are now far less willing to pay. Several prominent data theft campaigns ultimately proved unprofitable for the attackers, despite causing significant public disruption for the victim companies. Businesses are increasingly realizing that paying a ransom to prevent the release of stolen data offers little to no practical benefit. The attackers’ success rate is dropping, forcing them to become less opportunistic and more deliberate in their targeting.

Since breaking into a network now requires more effort, criminals must focus on organizations with substantial financial resources. The challenge for them is that these larger firms typically have robust security measures in place, including effective patch management and strict access controls. Consequently, ransomware groups are innovating and adopting new tactics to infiltrate corporate networks.

One of the most notable developments in 2025 is the growing use of insider threats and direct bribery. Attackers are now proactively contacting employees, offering monetary rewards or cryptocurrency in exchange for their login credentials or a way to gain remote access. Helpdesk social engineering has also become more widespread. While this technique was once primarily associated with the Scattered Spider group, it has now been adopted by many others. These criminals call IT support lines, convincingly impersonate employees, and trick technicians into resetting passwords or approving new devices on the network.

Another popular method is callback phishing. Here, attackers send a fraudulent voicemail notification or invoice that instructs the target to call a phone number controlled by the attacker, setting the stage for the next phase of the compromise. What was once a specialized trick has become a standard part of many intrusion playbooks. Despite these new social engineering tactics, the compromise of remote access systems remains the most frequent point of entry. This vector accounted for over half of all ransomware and extortion incidents handled last quarter.

Intrusions that leverage stolen credentials to breach VPNs, cloud gateways, and SaaS integrations continue to be a major problem. This is especially true for organizations undergoing complex infrastructure migrations or those managing intricate authentication systems. Even when all software is fully patched, attackers frequently find success by exploiting what’s known as “configuration debt”: lingering security gaps such as old local user accounts, passwords that were never rotated, or poorly monitored OAuth tokens. The lines are blurring between social engineering and remote access compromise, as criminals have learned they don’t always need to steal credentials; they can sometimes simply persuade an employee to create access for them, such as by granting an OAuth authorization.

While software vulnerability exploitation still plays a role, its prevalence has diminished. In most cases, the security flaws being leveraged are old and well-documented, particularly those found in network appliances and common enterprise applications.

Once an attacker gains a foothold inside a network, data exfiltration is almost a certainty, while file encryption is often treated as an optional step. Criminals have learned that the threat of exposing sensitive data creates faster and more predictable pressure on a victim through reputational damage, regulatory fines, and customer backlash. Before actually stealing the data, many groups now conduct thorough reconnaissance to identify the most valuable systems and files. This activity can often blend in with normal network traffic, but organizations that can detect anomalies, such as unusual account enumeration or privilege escalation attempts, gain a critical defensive advantage.

Similarly, an attacker’s lateral movement through a network, most commonly executed using tools like RDP, SSH, and PsExec, can be identified and stopped if proper monitoring solutions are in place and actively watched. In light of these evolving tactics, defenders are advised to enhance their monitoring for both data exfiltration and internal system misuse. Strengthening insider threat programs has become an essential component of a modern cybersecurity defense strategy.
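The two defensive signals the preceding paragraphs single out, account enumeration during reconnaissance and lateral-movement fan-out over RDP or PsExec, are the kind of thing a SIEM rule looks for. The script below is an added illustration written for this page; it is not code from the article or from HelpNet Security. It runs three simple detections over a constructed sample log. The comma-separated line layout and the hostnames, accounts and timestamps are invented for the example, and the thresholds are arbitrary starting points; the Windows event IDs it keys on (4624 logon, 4625 failed logon, 7045 service installed) and the PSEXESVC service name that PsExec creates by default are real.

```python
"""Toy detections for the reconnaissance and lateral-movement patterns the
article describes, run over constructed sample log lines.

Line layout (an assumption made for this example, not a real log schema):
    <ISO timestamp>,<event_id>,<account>,<source_host>,<dest_host>,<logon_type>,<detail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failed logons against many accounts from
# one workstation, then one service account hopping across several hosts over
# RDP/SMB and dropping a PsExec service, plus two benign logons as noise.
SAMPLE_LOG = """\
2025-09-14T02:00:05,4625,alice,ws-017,dc-01,3,bad password
2025-09-14T02:00:06,4625,bob,ws-017,dc-01,3,bad password
2025-09-14T02:00:07,4625,carol,ws-017,dc-01,3,bad password
2025-09-14T02:00:08,4625,dave,ws-017,dc-01,3,bad password
2025-09-14T02:00:09,4625,erin,ws-017,dc-01,3,bad password
2025-09-14T02:00:10,4625,svc-backup,ws-017,dc-01,3,bad password
2025-09-14T02:03:00,4624,svc-backup,ws-017,dc-01,3,ok
2025-09-14T02:10:00,4624,svc-backup,ws-017,fs-01,10,rdp
2025-09-14T02:12:30,4624,svc-backup,fs-01,db-02,10,rdp
2025-09-14T02:14:00,4624,svc-backup,db-02,app-03,3,smb
2025-09-14T02:14:05,7045,svc-backup,db-02,app-03,,service installed: PSEXESVC
2025-09-14T09:00:00,4624,alice,ws-017,ws-017,2,console logon
2025-09-14T09:05:00,4624,bob,ws-021,fs-01,3,smb
"""


def parse_line(line):
    """Split one constructed log line into a dict; detail may contain commas."""
    ts, event_id, account, src, dst, logon_type, detail = line.split(",", 6)
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "src": src,
        "dst": dst,
        "logon_type": int(logon_type) if logon_type else None,
        "detail": detail,
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _windowed_distinct(events, key_fn, value_fn, window, threshold):
    """Group events by key_fn; flag a key the first time the number of distinct
    value_fn results inside a sliding time window reaches the threshold."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key_fn(e)].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            vals = {value_fn(e) for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(vals) >= threshold:
                hits[key] = sorted(vals)
                break
    return hits


def detect_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """Reconnaissance signal: one source host failing logons (4625) against
    many distinct accounts in a short window (enumeration or password spray)."""
    failed = [e for e in events if e["event_id"] == 4625]
    return _windowed_distinct(failed, lambda e: e["src"], lambda e: e["account"],
                              window, threshold)


def detect_lateral_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Lateral-movement signal: one account logging on (4624) over the network
    (type 3) or RDP (type 10) to many distinct hosts in a short window."""
    logons = [e for e in events
              if e["event_id"] == 4624 and e["logon_type"] in (3, 10)]
    return _windowed_distinct(logons, lambda e: e["account"], lambda e: e["dst"],
                              window, threshold)


def detect_psexec_service(events):
    """PsExec signal: a service install (7045) naming PSEXESVC, the service
    PsExec creates on the remote host by default. Returns (host, account)."""
    return [(e["dst"], e["account"]) for e in events
            if e["event_id"] == 7045 and "PSEXESVC" in e["detail"].upper()]


def run_detections(text):
    events = parse_log(text)
    return {
        "enumeration": detect_enumeration(events),
        "lateral_fanout": detect_lateral_fanout(events),
        "psexec": detect_psexec_service(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

The interesting design point is the sliding window: a single RDP logon or a handful of failed passwords is normal, so each rule keys on the count of distinct targets within a bounded time rather than on any one event. The interactive console logon (type 2) and the single SMB logon in the sample are deliberately left alone by the rules, which is the behaviour you want before tuning the thresholds against real baselines.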

(Source: HelpNet Security)
