SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Ransom payment rates drop to historic low as attackers adapt

Thu, 30th Oct 2025

Ransom payment rates reached a historic low in the third quarter of 2025 as cyber extortion groups shifted their tactics in response to declining profits and evolving enterprise defences.

Recent analysis indicates the cyber extortion marketplace is now divided into two main segments: volume-driven Ransomware-as-a-Service (RaaS) campaigns that target mid-market organisations, and more targeted, resource-intensive attacks aimed at large enterprises. While the RaaS model continues to drive significant activity, especially among mid-sized firms, high-value attacks on larger companies are becoming both more targeted and costly for attackers.

RaaS campaigns and shifting strategies

Mid-market organisations remain especially vulnerable to RaaS groups such as Akira, which witnessed record-breaking attack volumes during July and August. Akira's approach focuses on launching large numbers of attacks with lower individual ransom demands, resulting in higher-than-average payment rates compared to competitors that focus solely on high-value enterprise targets. This methodology supports Akira's substantial market share and persistent presence within the ransomware ecosystem.

In contrast, other groups aim at larger enterprises in hopes of extracting higher ransoms. These campaigns require greater investment and offer no guarantee of success, with payment rates notably lower than those seen in mass-targeted attacks.

According to the research, while mid-sized firms are the most frequent ransomware victims, large enterprises are periodically targeted when attackers exploit widely used technology platforms. Recent quarters have seen groups previously focused on smaller businesses expanding into enterprise environments using more tailored approaches, reflecting increased sophistication amongst attackers.

Insider threats and new methods

A significant development highlighted was a case involving an employee of the BBC, where a member of the Medusa ransomware group attempted to bribe the individual, offering 15% of a ransom payment in exchange for access to the employer's systems. The aim was to deploy ransomware from within the organisation, underscoring a shift towards more targeted and sophisticated insider threat strategies.

The significance of this case study cannot be overstated. While insider threats have always posed risk, they typically manifested as data-theft-only events - for example, disgruntled employees exfiltrating intellectual property or DPRK remote workers stealing data before termination. Public reporting has also documented cases where insiders at major companies were bribed to assist data theft campaigns.

The move by a traditional RaaS group to recruit English-speaking insiders for ransomware deployment is viewed as a marked departure from past opportunistic tactics.

Ransomware economics

The economics of ransomware are changing rapidly. Historically, attackers relied on broad access through vulnerabilities and credentials, operating with low overheads. The introduction of the RaaS model allowed for greater scalability, but also brought increased costs associated with access brokers, data storage, and operational logistics. Over time, this has eroded profit margins and fractured trust among affiliates, leading some groups to abandon ransomware in favour of data-theft-only operations.

Recent industry upheaval, including the collapse of prominent RaaS brands in 2024, has further destabilised the market. The randomness of victim selection is diminishing as attackers adopt more targeted intrusion methods such as insider recruitment and social engineering, which frequently require greater investment and aim at larger, potentially more lucrative, enterprises.

Our assessment of this shift: increasingly dire economics are forcing ransomware actors to be less opportunistic and more creative and targeted when choosing their victims. Shrinking profits are driving greater precision. Initial ingress costs for the actors will increase dramatically, which forces them to target large enterprises that can pay a large ransom. The unit economics shift in unison. These larger targets previously dodged many of the prior opportunistic tactics, as they had basic patch management and other enterprise security best practices well deployed. Social engineering and bribes to insiders are novel methods and often the only way to penetrate networks of certain cyber maturity.

Under this pressure, the report anticipates threat actors will increasingly seek out "white whale" targets: large-scale, high-value organisations that can justify the increased operational risk and cost.

Ransom payments on the decline

In Q3 2025, both the average ransom payment (USD $376,941) and median payment (USD $140,000) dropped sharply by 66% and 65% respectively compared with the previous quarter. Payment rates also fell to a historic low of 23% across incidents involving encryption, data exfiltration, and other forms of extortion, underlining the challenges faced by ransomware groups in securing financial rewards.

This trend reflects two predominant factors: large enterprises are increasingly refusing to pay ransoms, and attacks on smaller organisations, which are more likely to pay, generally result in lower sums. The drop in payment rates is even more pronounced in data exfiltration-only incidents, with just 19% resulting in a payout in Q3, down to another record low.

Ransom payment rates across all impact scenarios - encryption, data exfiltration, and other extortion - fell to a historical low of 23% in Q3 2025. This continuation of the long-term downward trend is something all industry participants should take a moment to reflect on: that cyber extortion's overall success rate is contracting. Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress. The work that gets put in to prevent attacks, minimize the impact of attacks, and successfully navigate a cyber extortion - each avoided payment constricts cyber attackers of oxygen (i.e., Bitcoin). Contracting the cyber extortion economy requires continued pressure from all industry participants. Collectively, we can drive this chart to the zero asymptote over time.

This declining financial outcome for attackers has emerged alongside a change in legal best practice, with most privacy lawyers and responders now starting from a position of non-payment during data leak incidents.

Ransomware variants and initial access

Akira and Qilin retained the largest market shares among ransomware variants in Q3 2025. Other top strains included Lone Wolf, Lynx, Shiny Hunters, and KAWA4096. Akira's approach of high-volume, low-value attacks continues to influence the overall market strategy of RaaS operators, and may see further adoption by other groups in the future.

Remote access compromise remains the primary initial attack vector, comprising more than half of all incidents. This technique is increasingly intertwined with social engineering methods such as phishing, with attackers persuading individuals to grant access or manipulate help desk procedures. Exploitation of known software vulnerabilities also continues, especially in environments where network or legacy system maintenance lags behind.

Techniques and impacted sectors

Exfiltration remained the most common tactic, observed in 76% of cases and often replacing encryption as the primary threat to victims. Lateral movement techniques, such as the use of legitimate administrative protocols to traverse networks, appeared in 73% of analysed incidents, highlighting ongoing challenges in distinguishing routine from malicious activity.

Other prevalent methods seen in the quarter include the use of command-and-control tools, disruption of backup systems, and detailed reconnaissance to maximise leverage over targeted organisations.

Ransomware activity remained largely opportunistic in Q3, with attackers exploiting the most accessible entry points rather than targeting specific industry sectors. The median size of impacted organisations rose to 362 employees, but payment rates and ransom amounts both declined, challenging assumptions around the link between company size and extortion outcomes.
