Ransomware Payments Drop to Historic Low as Victims Refuse to Pay

Only 23% of ransomware victims agreed to pay extortionists in the third quarter of 2025, marking a historic low in ransom payment rates, according to cybersecurity firm Coveware.

The decline represents a continuation of a six-year trend: fewer organizations are negotiating with or paying ransomware operators. For comparison, 28% of victims paid ransoms at the beginning of 2024.

Analysts attribute the decrease to intensified law enforcement pressure discouraging payments and the implementation of more effective defensive measures by organizations.

"Cybersecurity defenders, law enforcement officers, and lawyers should view this trend as confirmation of collective progress," Coveware researchers wrote. "The work being done to prevent attacks, minimize their impact, and combat cyber extortion means that every unpaid ransom cuts off the oxygen for cybercriminals."

Extortion Tactics Evolve Beyond Encryption

Ransomware groups have long since moved beyond simply encrypting data. Data theft and threatened publication now serve as the primary pressure tactic, accounting for over 76% of all attacks in Q3 2025.

However, when attackers steal data without encrypting it—and the attack can be contained—payment likelihood plummets to just 19%, the lowest rate ever recorded, according to Coveware.

Ransom Amounts Plunge as Large Firms Stop Paying

Payment amounts have also declined significantly, with average ransoms falling to $377,000 and median payments dropping to $140,000. Experts attribute this to large enterprises refusing to pay and instead redirecting resources toward strengthening defenses against future attacks.

Attackers Shift to Mid-Sized Targets

In response to falling revenues, ransomware operators are adapting their targeting. The Akira and Qilin groups, responsible for 44% of all recorded extortion attacks in Q3, have shifted focus to mid-sized businesses, where companies are more likely to pay in hopes of quickly restoring operations.

New Attack Vectors Emerge

The initial compromise methods are also evolving. Attacks increasingly begin with compromised remote access tools and exploitation of software vulnerabilities, rather than traditional phishing campaigns.

Coveware researchers warn that as revenues decline, extortionists are becoming more targeted and aggressive in seeking new infiltration methods. With large enterprises fortifying their defenses, attackers are increasingly turning to social engineering and actively recruiting insiders, even bribing employees who can provide access to corporate networks.