
Follow ZDNET: Add us as a favorite source on Google.
ZDNET Highlights
- Ransomware payouts have reached a historic low of 23%.
- Falling success rates could lead to more targeted attacks with higher payouts.
- Larger enterprises may be at increased risk of becoming targets.
Fewer and fewer companies are capitulating to ransomware payment demands, with the success rate of this criminal industry reaching a historic low of 23%.
According to a Q4 2025 report published by Coveware, a cybersecurity firm that tracks trends and activities of ransomware groups, ransomware payments were at their highest in 2019, accounting for nearly 85% of attacks. With the exception of a few quarterly spikes, the success rate of ransomware blackmail and extortion attempts continues to decline.
For example, researchers say that in the first quarter of 2025, about 27% of victimized organizations made payments. This fell to 26% in Q2 and further to 23% in Q3 2025.
Coveware believes this shows that “the overall success rate of cyber extortion is shrinking.” However, as research shows, it’s not all good news.
Data intrusion
Data exfiltration, which comprised 76% of ransomware incidents recorded by Coveware in Q3 2025, has moved from being one step in a chain of attacks to being the main objective.
As the ransomware industry has become more sophisticated, ransomware operators have realized that locking systems can only apply so much pressure, while theft of sensitive corporate and customer data can be used as more effective leverage.
While locked systems can be quietly recovered or restored from backups, many ransomware groups today publicly claim that they have stolen the victim organization’s data. They may also set up temporary websites or use paste sites to provide samples.
This could put far more pressure on companies to pay, while they would also have to deal with restitution, cyber forensics, damage to their reputation, and potential legal consequences.
“These are forms of leverage that neither downtime nor lossless backups can solve,” the researchers note.
The market gets divided
During Q3 2025, the ransomware industry split into two paths: cybercriminals that offer Ransomware-as-a-Service (RaaS) and groups that focus their efforts on targeted, sophisticated attacks.
RaaS provides ransomware to cybercriminals who are willing to either pay outright for these creations or pay associated fees in exchange for access to the malicious code. RaaS focuses on volume, and according to Coveware, RaaS operators are generally targeting the mid-market. In comparison, the other side of the industry is targeting large, enterprise organizations with high-cost targeted attacks.
Along with the success rate, the average ransomware payout has dropped to $376,941, which is 66% less than in Q2 2025. The median payout, $140,000, also declined 65% over the same time frame.
The report said that as large enterprise companies continue to resist blackmail demands, overall payments are decreasing – and although small and medium-sized businesses with less mature security systems may be forced to pay to resume operations, they may not pay as much.
“Lawyers advocating being paid to suppress data leaks are becoming increasingly extinct (as they should),” the researchers said. “It is becoming a codified best practice to start with a non-payment scenario as a base scenario during data intrusion incidents.”
Business ideas
Coveware predicts that as profit margins continue to shrink, cybercriminals will turn their attention to “white whale” enterprises that have the wallets to match.
Cybersecurity cannot be an afterthought. It is now more important than ever that organizations – especially those that are mid-market sized and larger – invest in and implement strong security practices, strategies and post-incident procedures. Businesses should also consider penetration testing to address cybersecurity vulnerabilities before they can be exploited.

