Table of Contents

Cyber Extortion Landscape

Payment Rates

Types of Ransomware

Attack Vectors

TTPs

Victimology

As we enter the final quarter of 2025, the cyber extortion landscape has split along two clear paths: volume-driven Ransomware-as-a-Service (RaaS) campaigns targeting the mid-market, and high-cost, targeted intrusions aimed at larger enterprises. 

In the volume category, mid-market companies remain the most impacted by traditional RaaS groups. The Akira RaaS group leveraged a vulnerability that resulted in record-breaking attack volumes between July and August. This quantity-over-quality approach is low-cost for the attackers, generally results in lower demands, but achieves a ransom payment rate that is higher than average. Akira maintains substantial RaaS infrastructure supporting a broad spectrum of attacks against enterprises. This is in line with their long-standing methodology that seeks to maximize the total number of attacks regardless of victim size and profile. This model gives Akira a sustained market share advantage over groups that prioritize selective, high-profile targets. 

Other actors get caught up with “shiny object syndrome” — an attempt to tailor attacks only to enterprises above a certain size or perceived financial capacity. That latter strategy is substantially more expensive for attackers, resulting in lower-than-average ransom payment rates despite higher ransom demands. 

While mid-market companies have historically been the most impacted cohort of victims, larger enterprises periodically drift into focus when extortion campaigns materialize that leverage to exploit widely used software or hardware. Examples of this are CLoP’s campaigns against various file-transfer appliances, and Scattered Spider’s campaigns that exfiltrate data from common SaaS applications. In Q3, we see ransomware groups that have previously limited their efforts to smaller companies expanding into enterprise environments with targeted, higher-cost methods.

Insider Threats and Emerging Tactics

In one recent example involving a BBC employee, a member of the Medusa ransomware gang approached an employee of an organization, offering him a 15% cut of a ransom payment in exchange for network access through the employee’s work computer. The goal was to compromise the organization’s systems and holds its data for ransom.

The significance of this case study cannot be overstated. While insider threats have always posed risk, they typically manifested as data-theft-only events — for example, disgruntled employees exfiltrating intellectual property or DPRK remote worker stealing data before termination. Public reporting has also documented cases where insiders at major companies were bribed to assist data theft campaigns.

A traditional RaaS group hiring an English speaker to try to bribe insiders at companies to help them achieve encryption via ransomware deployment is a very specific and noteworthy deviation from the longstanding opportunistic playbook of most ransomware operations. So why is this happening, and why now?

Ransomware Economics

To understand this inflection point, we need to examine the brief history of ransomware economics. 

A decade ago, when ransomware was ascending as a threat to enterprises rather than home users, initial access was plentiful and inexpensive. This was also an era where there was little to no overhead to run a ransomware operation. Before the RaaS structure rose to prominence and before data exfiltration became adopted as a standard tactic, ransomware actors ran the operation from A to Z. They wrote the ransomware code, carried out the attacks, and handled the negotiations themselves. In this era, actors enjoyed relatively consistent ransom profits and had to reinvest very little into future attacks. This “cottage industry” era held characteristically low operational costs, but the absolute value of extortion profit was also correspondingly low as compared to later years. 

As enterprises improved backups and hygiene, ransom payment rates declined. Ransomware actors tried to counteract this by adding data theft to the mix, a shift that allowed threat actors to pressure victims into paying even if they did not need a decryption tool. This coincided with the growth of the RaaS model — wherein ransomware developers recruited affiliates to deploy ransomware on their behalf at higher volumes in the hopes of maximizing profits for both them and the affiliates taking the predominant cut. For a time, this distributed model expanded reach and profitability; but as with any organization, growth introduced overhead. 

RaaS admins started outsourcing access brokering, data storage, call-center harassment, and more. The need for hosting name-and-shame websites carries its own set of costs, such as bullet proof hosting and labor for maintenance. Some affiliates became disgruntled, demanding higher cuts and eroding margins. As profits thinned and trust between developers and affiliates fractured, the ecosystem destabilized.

Some groups threw in the ransomware towel altogether or announced they were ditching the encryptor and rebranding as a data-theft-only outfit. This hit a crescendo in 2024 following the dual collapse of two leading RaaS brands, which not only splintered the affiliate market but also revealed a trove of deception, broken promises and risky practices that the actors had concealed even from their own affiliates.

Modern Extortion Economics

The bygone RaaS framework that brought groups like Conti, Hive, and Lockbit to prominence is unlikely to succeed in today’s climate. This shift carries far-reaching implications — perhaps the most overlooked of which is the change in cyber extortion victimology. 

Previously, these groups relied largely on access broker relationships (e.g., Trickbot/Emotet), stolen credentials, and known vulnerabilities to choose victims. This led to a victim landscape that was very much random (i.e., not targeted). Certain industry sectors might be represented higher in our datasets, but that stemmed from common characteristics of their industry vertical, such as higher likelihood to use legacy/end of life systems and lesser budgets for cybersecurity tools and teams. 

As the RaaS model adapts to the current ecosystem, the “purely opportunistic” approach to intrusion vectors (and by extension, to victims) that characterized 99% of the ransomware market up until now is no longer the universal approach. Helpdesk social engineering — which two years ago was uniquely tied to the native English-speaking Scattered Spider collective — has been widely adopted as a precursor to ransomware by numerous encryption and data extortion gangs in 2025. Threat actor group Silent Ransom (Luna Moth) leverages different flavors of callback phishing, targeting firms narrowly in the insurance and law firm verticals. The BBC story cited in this report reveals how the Medusa ransomware gang — a group we would characterize as a traditional opportunistic RaaS — has pivoted to insider bribes to try and extort a company far beyond the footprint of the victims they normally impact through opportunistic vectors. 

Our assessment of this shift: increasingly dire economics are forcing ransomware actors to be less opportunistic and more creative and targeted when choosing their victims. Shrinking profits are driving greater precision. Initial ingress costs for the actors will increase dramatically, which forces them to target large enterprises that can pay a large ransom. The unit economics shift in unison. These larger targets previously dodged many of the prior opportunistic tactics, as they had basic patch management and other enterprise security best practices well deployed.  Social engineering and bribes to insiders are novel methods and often the only way to penetrate networks of certain cyber maturity. 

Assuming profit margins continue to narrow, we anticipate a growing focus on “white whale” organizations — large-scale, high-value targets. In the past, this wouldn’t have been as necessary given the vast availability of mid-market victims. Enterprises should re-evaluate the maturity of their insider threat programs — both for mitigations of unauthorized data theft and, apparently, even the staging and execution of full-fledged ransomware attacks.

Ransom Payment Amounts in Q3 2025

Average Ransom Payment

$376,941

-66% from Q2 2025

Median Ransom Payment

$140,000

-65% from Q2 2025

The Average Ransom Payment — $376,941 (down 66% from Q2 2025) — and the Median Payment — $140,000 (down 65%) — both declined substantially in Q3 2025. This reflects the intersecting dynamics of two trends: 

1. Large enterprises are increasingly resisting the pressure to pay ransoms. Several high-profile data exfiltration campaigns were largely unfruitful for the attackers despite widely reported impact on the victim organizations. These organizations are increasingly understanding that paying to suppress the proliferation of stolen data has de minimis to zero utility

2. Mid-market attacks (as profiled with Akira) are relatively more likely to result in a ransom payment of lesser amount. Smaller organizations cannot afford large ransoms but remain easier to disrupt. Groups like Akira and Qilin are increasingly leveraging this high-volume, low-demand strategy.

Ransom Payment Rates in Q3 2025

Ransom payment rates across all impact scenarios — encryption, data exfiltration, and other extortion — fell to a historical low of 23% in Q3 2025. This continuation of the long-term downward trend is something all industry participants should take a moment to reflect on: that cyber extortion’s overall success rate is contracting. 

Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress. The work that gets put in to prevent attacks, minimize the impact of attacks, and successfully navigate a cyber extortion — each avoided payment constricts cyber attackers of oxygen (i.e., Bitcoin). Contracting the cyber extortion economy requires continued pressure from all industry participants. Collectively, we can drive this chart to the zero asymptote over time. 

For data exfiltration-only incidents (no encryption, only the threat of public release), ransom payments fell to 19% in Q3 2025, another record low. While this resolution rate tends to bounce around, Q3 was a very active quarter for data exfiltration attacks. The dramatic decrease in payment outcomes reflects the growing maturation of both enterprises and the vendors that support cyber incidents, most notably specialized privacy attorneys. 

Attorneys who advocate paying to suppress data leaks are increasingly becoming extinct (as they should). It is becoming codified best practice during data exfiltration incidents to start from a position of non-payment as the base scenario. The concept of a “nuisance payment” deserves scrutiny. Even small payments perpetuate the extortion economy. Any recommendation to pay a ransom as a routine or “nuisance” resolution should be examined critically, and organizations should ensure that all vendors maintain a policy-aligned stance on non-payment.

Most Common Ransom Variants in Q3 2025

Market Share of the Ransomware attacks

Akira and Qilin retain their #1 and #2 market share positions as the most prevalent ransomware variants in Q3 2025. We will be on the lookout in the coming quarters to see if the market bifurcation that we discussed above continues to play out in the market share data. It is possible that other RaaS groups observe the relative success of Akira and move to copy the strategy.

We will also be on the lookout to see how the “lone wolf” and data exfiltration-only groups react to contracting unit economic pressure associated with lower payment rates for data exfiltration only attacks.

Most Common Initial Attack Vectors in Q3 2025

Initial access activity in Q3 reflected the continued evolution of attacker behavior more than any dramatic shift in tactics. The same foundational pillars — remote access compromise, phishing/social engineering, and software vulnerability exploitation — remain at the core of intrusion activity, but the distinctions between them are increasingly blurred. The modern intrusion no longer begins with a simple phishing email or an unpatched VPN. It starts with a convergence of identity, trust, and access across both people and platforms.

Remote access compromise remained the dominant vector, accounting for more than half of all observed incidents. Credential-based intrusions through VPNs, cloud gateways, and SaaS integrations continued to drive compromise, particularly in organizations navigating infrastructure migrations or complex authentication models. Even where technical patching was current, attackers found success exploiting lingering configuration debt such as old local accounts, unrotated credentials, or insufficiently monitored OAuth tokens.

Q3 also underscored how remote access and social engineering have effectively merged. Adversaries increasingly obtain access not just by logging into a system, but by convincing someone else to provision it for them. Campaigns that blurred these lines, such as those impersonating SaaS support teams or abusing help-desk processes to gain OAuth authorization, demonstrated how human trust can be engineered into a technical foothold. This hybrid technique redefines “remote access” as much psychological as technical.

Software vulnerability exploitation rose modestly but remains a critical access path for opportunistic campaigns. The most exploited vulnerabilities this quarter were not cutting-edge zero-days but well-known vulnerabilities in network appliances and enterprise apps where patching lagged or migration hygiene fell short. Even fully patched environments were compromised when legacy credentials or partial configurations reopened the door. The lesson remains consistent: technical remediation without procedural rigor still leaves gaps wide enough for exploitation.

Most Common Tactics, Techniques and Procedures Threat Actors used in Q3 2025

Exfiltration [TA0010]

Exfiltration once again topped the charts in Q3, observed in 76% of Coveware cases, reaffirming its position as the cornerstone of modern extortion. What began as a precursor to encryption has often become the primary objective. Independent and mid-tier actors favor leverage over disruption because it creates leverage without the operational complexity of large-scale encryption. Exfiltration-only and multi-extortion campaigns continue to dominate: data exposure creates faster, more predictable pressure through reputational harm, regulatory scrutiny, and customer fallout. These are forms of leverage that neither downtime nor flawless backups can resolve. 

Lateral Movement [TA0008]

Lateral movement remained foundational, appearing in 73% of Q3 incidents, and continues to be the connective tissue between initial compromise and impact. Adversaries still rely heavily on legitimate administration tools and protocols — RDP, SSH, and PSExec — to expand access, escalate privileges, and stage data for exfiltration. Its persistence reflects both its reliability and the continuing challenge organizations face in distinguishing normal administrative behavior from malicious traversal. The ubiquity of this tactic also presents one of the few consistent opportunities for early detection: when monitored effectively, lateral movement can reveal an attacker’s presence before data theft or encryption begins.

Command and Control [TA0011]

After several quarters below the threshold, command-and-control re-entered the Top 5 as a dominant supporting tactic, observed in more than half of Q3 cases. Threat actors increasingly favor commercial and open-source remote-administration and monitoring tools, often hosted on encrypted, cloud-based infrastructure. Threat actors have also continued to abuse Microsoft Quick Assist to establish live command-and-control sessions under the guise of user assistance.  This blending of trusted enterprise tools with malicious intent underscores how attackers now operate within sanctioned workflows, not just outside of them. The broader shift toward modular, legitimate-looking frameworks continues to complicate detection and post-incident reconstruction, as communications blend into sanctioned traffic.

Impact [TA0040]

Impact tactics, though appearing to decline to 47% of cases, remain a statistical mirage. Encryption was confirmed in nearly nine out of ten Coveware incidents, but forensic visibility into the impact stage continues to lag behind reality; especially in virtualized environments such as ESXi, where reinstallation and administrative lockouts erase critical telemetry. What the data truly reflects is not diminished intent, but a widening visibility gap. Threat actors remain focused on maximizing disruption, particularly through the manipulation or deletion of backup infrastructure, knowing that undermining recovery amplifies payment pressure.

Discovery [TA0007]

Discovery maintained its position in the Top 5, observed in 43% of cases and growing steadily. Modern extortion operations are increasingly data-driven: before exfiltration begins, attackers conduct deliberate reconnaissance to identify the systems, users, and datasets most likely to yield leverage. These activities often rely on built-in administrative commands or third-party utilities, making them difficult to distinguish from legitimate IT operations. Yet this same reconnaissance phase represents one of the most critical opportunities for early detection. Organizations capable of spotting anomalous enumeration or privilege mapping can intercept an attack at its most formative stage before data theft turns into negotiation leverage.

Most Common Industries Impacted by Ransomware in Q3 2025

Ransomware attacks in Q3 remained largely opportunistic, driven by whatever entry points are most accessible: unpatched vulnerabilities, exposed remote access, or compromised credentials. Threat actors continue to exploit common technologies and misconfigurations rather than target specific industries, focusing instead on scale and ease of access. If RaaS groups begin to pivot their efforts towards more targeted attacks, we should expect to see evidence of this evolution in the industry data. 

The median company size of enterprises impacted by a cyber extortion incident was 362 employees (up 27% from Q2 2025) in Q3 2025. The fact that payment frequency and payment amounts are down — a notable paradox that challenges the “big game hunting” assumption that larger targets guarantee bigger payouts. This suggests that while attackers may invest more to reach larger organizations, the return on investment is not assured.

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at: https://www.coveware.com/blog/2025/10/24/insider-threats-loom-while-ransom-payment-rates-plummet