Ransomware groups are experiencing a significant decline in payment rates, with only 23% of victims paying ransoms in Q3 2025, according to Coveware. This trend is attributed to organizations implementing stronger defenses, increased law enforcement pressure, and a growing understanding that paying to suppress stolen data offers little benefit. The average and median ransom payments have also dropped, falling to $377,000 and $140,000, respectively. Ransomware-as-a-Service groups like Akira and Qilin are adapting by targeting different market segments, but even high-profile data exfiltration campaigns have yielded limited returns for attackers.
As payments decrease, ransomware actors are shifting their tactics, focusing more on data exfiltration—now the primary objective in over 76% of observed attacks—and exploring new methods of initial access. Notably, there has been a rise in insider threats, with attackers bribing employees for credentials or remote access, and an evolution in helpdesk social engineering techniques. These changes reflect a more targeted and inventive approach by threat actors as they seek to overcome improved organizational defenses and maximize their chances of financial gain.

The Q3 2025 findings said falling profits were pushing threat actors toward higher-effort tactics including insider recruitment, help-desk social engineering, callback phishing, and direct extortion approaches. The report also noted remote access compromise remained the leading initial access vector, with attackers increasingly exploiting configuration weaknesses and blending social engineering with credentialed access.
Coveware reported that only 23% of ransomware and extortion victims paid in Q3 2025, a record low. The report also said data-theft-only incidents had an even lower payment rate of 19%, with average and median payments dropping sharply from the prior quarter.