Ransomware Payments Hit Record Low: Only 23% Pay in Q3 2025
Published by Pierluigi Paganini on October 28, 2025

In a significant development within the cybersecurity landscape, researchers at Coveware have reported that only 23% of ransomware victims chose to pay the attackers in the third quarter of 2025. This marks the lowest recorded rate of ransom payments, continuing a six-year trend of declining payment rates.
The Ongoing Decline in Ransom Payments
The data from Q3 2025 reveals that ransom payment rates have dropped significantly from earlier periods. In early 2024, for instance, 28% of ransomware victims opted to pay. There was a momentary spike in payments afterward, but the trend has since reversed, with fewer organizations willing to comply with ransom demands. This downward trajectory is notable as it reflects a growing resistance among breached companies to yield to cyber extortion.
Declining Average and Median Ransom Amounts
Alongside the reduction in payment rates, the average ransom amount has also seen a substantial decline. The average ransom payment in Q3 2025 fell to $376,941, a staggering 66% reduction from the previous quarter. Similarly, the median ransom dipped to $140,000, down 65%. This shows that larger organizations are increasingly hesitant to pay, realizing that fulfilling these demands often does little to prevent further data compromises.
Targeting Mid-Sized Firms
Interestingly, ransomware groups are adapting their strategies. New players like Akira and Qilin are shifting their focus toward mid-sized firms with smaller ransom demands. Instead of targeting large enterprises for massive payouts, these groups are utilizing a high-volume, low-demand model. This strategy is yielding success against organizations that may be less resilient and less capable of managing multiple smaller ransom requests over time.
Historical Context of Ransom Payment Rates
According to Coveware’s report, the payment rates for ransomware incidents involving data exfiltration and encryption have reached an all-time low of 23% in Q3 2025. This significant decline signals a shift in industry perception regarding the efficacy of paying ransoms. Each avoided payment is seen as a blow to the financial viability of cyber extortionists, often described as cutting off their “Bitcoin oxygen.”
Evolving Perspectives on Ransom Payments
Experts in the field are interpreting this decline not just as a statistic, but as a sign of maturity within the cybersecurity industry. With an increasing collaborative effort among defenders, law enforcement, and various stakeholders, the hope is to further diminish the influence and operational capacity of ransomware groups.
However, there are concerns about the sophistication of these criminal enterprises, especially with the rise of AI-driven attacks. The potential for increased automation in ransomware strategies may create a persistent threat, complicating efforts to fully eradicate such criminal activity.
The Data Exfiltration Dilemma
Examining the data further reveals that ransom payments specifically related to data exfiltration-only attacks dropped to a record low of 19% in Q3 2025, even as incidents surged. This decline showcases a growing awareness among organizations, particularly those led by privacy-conscious legal teams. The general consensus is that paying to mitigate data leaks not only fails to serve long-term interests but also sustains an ecosystem of cyber extortion.
The Profile of Ransomware Targets
Coveware’s findings indicate a crucial demographic shift: mid-sized organizations typically face smaller ransom demands because they cannot afford to pay large sums. However, these victims are often easier targets for attackers, giving rise to the opportunistic strategies employed by ransomware groups that focus on exploiting vulnerabilities through high-volume attacks.
Persistent Attack Methods
In Q3 2025, attackers continued to favor familiar entry points such as remote access, phishing schemes, and software vulnerabilities. Remote access compromises made up over half of all ransomware incidents, primarily fueled by weak credentials and poor configuration management. A notable trend is the convergence of social engineering tactics with technical exploits, where attackers successfully manipulate staff into granting unauthorized access.
The Future of Ransomware Economics
As we look at the broader implications of these trends, it’s clear that ransomware groups remain opportunistic. They seek to exploit easy entry points like unpatched systems, exposed remote access, and stolen credentials rather than targeting specific industries. Coveware’s data indicates that they have gravitated toward volume and minimizing costs over focusing on high-stakes targets.
Interestingly, while the median company impacted by a cyber extortion incident had around 362 employees in Q3 2025—a 27% increase from the previous quarter—both the frequency of payments and their amounts have declined. This paradox challenges the assumption that larger organizations guarantee larger payouts, hinting that attackers may not always achieve the expected return on investment when targeting bigger firms.