Ransomware Payments Hit 19% Low as 76% of Attacks Target Data Theft
TL;DR
- Ransomware payments hit record low of 19% in Q3 2025 (down from 28% in 2024), with median payouts dropping 63% to $140K amid hardened defenses.
- Data exfiltration now dominates 76% of attacks (up from <60% in 2023), enabling extortion via leak threats even without ransom payment.
The Shift in Ransomware Dynamics
Ransomware attacks are undergoing a profound transformation, with payment-resolution rates hitting a record low of 19% in Q3 2025—the lowest in six years of data from Coveware and threat-intel feeds. This decline, down from 28% in early 2024, reflects a steady drop of about 0.8 percentage points per year. Median and average ransom payouts have also collapsed, falling 63% from $377,000 to $140,000, driven by hardened defenses, legal deterrents, and insurance policies that discourage payments.
Payment-resolution rate by period, as reported:
- Q1 2024: 28%
- Q2 2024: 28%
- Q3 2025: 23%
- Q4 2025 (data-exfiltration subset): 19%
Rise of Data-Centric Extortion
Dual-extortion tactics now dominate, appearing in 76% of incidents—up from under 60% in 2023. Attackers not only encrypt files but also exfiltrate data to threaten public leaks, generating revenue even without ransoms. Password-cracking success rates have risen to 46% from 25% a year ago, amplifying the effectiveness of these strategies. While payouts have decreased, total exposure remains high due to mandatory breach disclosures under regulations like GDPR and CCPA, which add compliance costs, reputational damage, and extended recovery timelines for data integrity verification and notifications.
Key Actors and Toolchains
Ransomware groups are consolidating, with Akira and Qilin accounting for 44% of attacks in Q2-Q3 2025. Their operations leverage Ransomware-as-a-Service (RaaS) platforms, available for as little as $200 per month, which include payload generation, leak-site hosting, and payment integration. Attackers repurpose legitimate Windows utilities like nltest.exe, net.exe, mspaint.exe, and notepad.exe for reconnaissance and data staging. Tools such as PsExec and Encryptor_1.exe enable lateral movement, while open-source cloud transfer apps like Cyberduck facilitate rapid exfiltration to services like Backblaze. Generative AI further enhances attacks by creating phishing content that mimics internal memos and automating reconnaissance for credential harvesting, contributing to a 126% surge in incident volume in Q1 2025 compared to the prior quarter. This blending of malicious activity with legitimate traffic poses significant detection challenges.
Emerging Trends and Forecasts
If defensive investments and policy enforcement continue, payment-resolution rates could dip below 15% within the next year, with exfiltration-first attacks exceeding 80% of incidents. Average payouts may stabilize around $120,000–$130,000, potentially falling under $100,000 by 2026–2027. Overall rates might drop below 18%, and high-value data-theft cases could see resolutions under 15%. AI-enabled attacks are projected to rise by at least 30% year-over-year, fueled by RaaS platforms embedding advanced leak-site capabilities.
Strategic Recommendations
To counter this evolving landscape, organizations should:
- Implement explicit "no-payment" policies, backed by legal counsel and cyber-insurance adjustments, to reinforce the downward trend.
- Deploy network-wide data-loss-prevention (DLP) systems that flag abnormal outbound traffic from legitimate tools.
- Invest in credential monitoring, rapid password rotation, and AI-driven incident-response automation to limit exposure before leaks occur.
- Integrate unified threat intelligence correlating on-premises and cloud telemetry to detect blended threats.
- Educate staff on AI-enhanced phishing and enforce verification workflows for internal communications.
- Collaborate with industry groups, Information Sharing and Analysis Centers (ISACs), and law enforcement to share indicators of compromise (IOCs)—such as Encryptor_1/2 signatures and PsExec usage—and track emerging tactics.
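As an added example that is not part of the article, the Python below sketches the correlation a DLP or SIEM rule needs to surface the blended toolchain described under "Key Actors and Toolchains" (nltest.exe/net.exe reconnaissance, PsExec, then a bulk Cyberduck upload) on constructed endpoint telemetry. The tool names come from the article; the JSON event format, hostnames, destination, size threshold and one-hour window are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): Sysmon-style process-create and
# network-connect events as JSON lines. ws-17 shows the full chain; ws-42 is benign noise.
EVENTS = """
{"ts":"2025-09-03T10:00:01","host":"ws-17","type":"process","image":"nltest.exe","parent":"cmd.exe"}
{"ts":"2025-09-03T10:00:09","host":"ws-17","type":"process","image":"net.exe","parent":"cmd.exe"}
{"ts":"2025-09-03T10:04:30","host":"ws-17","type":"process","image":"PsExec.exe","parent":"cmd.exe"}
{"ts":"2025-09-03T10:20:00","host":"ws-17","type":"network","image":"Cyberduck.exe","dest":"s3.backblazeb2.example","bytes_out":734003200}
{"ts":"2025-09-03T11:00:00","host":"ws-42","type":"process","image":"notepad.exe","parent":"explorer.exe"}
{"ts":"2025-09-03T11:05:00","host":"ws-42","type":"network","image":"Cyberduck.exe","dest":"s3.backblazeb2.example","bytes_out":2048000}
"""
# Tool names are from the article; the threshold and window are assumptions for this example.
RECON_LOLBINS = {"nltest.exe", "net.exe"}
LATERAL_TOOLS = {"psexec.exe"}
CLOUD_TRANSFER_TOOLS = {"cyberduck.exe"}
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB in a single outbound connection
WINDOW = timedelta(hours=1)

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def score_hosts(events):
    """Per host, correlate recon -> lateral movement -> bulk cloud upload within WINDOW."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        stages, first_ts = [], None
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if first_ts and ts - first_ts > WINDOW:
                break  # first-hit window; a production rule would slide it
            image, stage = ev["image"].lower(), None
            if ev["type"] == "process" and image in RECON_LOLBINS:
                stage = "recon"
            elif ev["type"] == "process" and image in LATERAL_TOOLS:
                stage = "lateral"
            elif (ev["type"] == "network" and image in CLOUD_TRANSFER_TOOLS
                  and ev["bytes_out"] >= EXFIL_BYTES_THRESHOLD):
                stage = "bulk_upload"  # a small upload alone (ws-42) is not flagged
            if stage and stage not in stages:
                stages.append(stage)
                first_ts = first_ts or ts
        if stages:  # score = number of distinct stages seen; 3 means the full chain
            findings[host] = {"stages": stages, "score": len(stages)}
    return findings
```

A host reaching score 3 is the blended pattern the article describes; a lone Cyberduck upload or a single LOLBin launch stays below that bar, which keeps the rule from paging on ordinary admin activity.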
The convergence of robust defenses, regulatory pressures, and attackers' pivot to data exfiltration is reshaping ransomware from a "pay or lose access" model to one focused on preventing theft altogether. By institutionalizing proactive measures like zero-trust networks, credential hygiene, and cross-platform visibility, organizations can reduce reliance on ransoms and mitigate the growing financial and reputational risks of dual-extortion campaigns. Sustained coordination in threat intelligence sharing will be key to maintaining this momentum.