

Only 23% of Ransomware Victims Pay the Ransom

The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape: larger enterprises face increasingly targeted, high-cost attacks, while attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found a sweet spot. The ransom payments they receive are much lower, but the attacks are easier to conduct and a higher percentage of victims pay up. Attacks on larger companies require more effort, although they are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly refusing to pay, having realized that payment offers few benefits, but warns that targeted attacks on such organizations are likely to increase as ransom payments fall.

Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.

When cybercriminals started conducting ransomware attacks, the focus was on file encryption. Double extortion is now the norm, with data stolen prior to file encryption. While data can often be recovered from backups, the threat of publication is often enough to see the ransom paid in an effort to minimize the reputational damage of an attack. According to Coveware, 76% of all attacks in Q3, 2025, involved data theft. There has been a growing trend toward data theft-focused attacks, with some groups abandoning encryption altogether. While extortion-only attacks are generally faster and stealthier, Coveware reports that data exfiltration attacks without encryption have a ransom payment rate of only 19% – a record low. That suggests victims do not believe paying the ransom will result in their data being deleted.

The most common attack vectors change frequently. Phishing and social engineering were the most common method of initial access in Q3, 2024, whereas Q3, 2025, saw a sharp increase in remote access compromise, with phishing/social engineering dropping to around 18% of attacks, almost on a par with the exploitation of software vulnerabilities. Remote access compromise was behind almost 50% of attacks in Q3. Coveware reports that the distinction between intrusion types, such as remote access compromise and social engineering, is becoming increasingly blurred. For example, attacks impersonating SaaS support teams or abusing helpdesk processes trick individuals into providing remote access. “The modern intrusion no longer begins with a simple phishing email or an unpatched VPN. It starts with a convergence of identity, trust, and access across both people and platforms,” explained Coveware.


The two most active ransomware groups in Q3 – Akira (34%) and Qilin (10%) – are both focused on high-volume attacks that yield relatively low rewards. While a logical response to fewer victims paying a ransom would be to conduct even more attacks, Coveware believes the more likely outcome is more targeted attacks on companies that have the means to pay large ransoms. As security postures have improved, attacks are becoming harder to pull off. One potential consequence is that attackers will once again focus on targeting employees to trick them into providing access, as well as on recruiting insiders. Coveware has identified several attacks in which employees were bribed into providing remote access. In one case, the Medusa ransomware group attempted to recruit an employee of a large organization, promising to pay the employee 15% of any ransom generated if network access was provided through the employee’s computer.

While healthcare remains a lucrative target for ransomware groups, only 9.7% of the attacks handled by Coveware affected healthcare organizations, putting the industry in joint second place with software services. Professional services was the most commonly attacked sector in Q3, accounting for 17.5% of attacks.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
