No One Pays Ransomware Demands Anymore - So Attackers Have A New Goal




ZDNET's key takeaways

  • Ransomware payments have reached a historic low of 23%.
  • Dropping success rates could lead to more targeted attacks with higher payouts.
  • Large enterprises could have an increased risk of becoming targets.

Fewer and fewer companies are capitulating to ransomware payment demands, with success rates for this criminal industry reaching a historic low of 23%.


According to a Q4 2025 study published by Coveware, a cybersecurity firm that tracks the trends and movements of ransomware groups, ransomware payments made were at their highest -- in around 85% of attacks -- back in 2019. With the exception of a handful of quarterly spikes, the success rate of ransomware blackmail and extortion attempts has continued to drop.

For example, the researchers say that in Q1 2025, around 27% of victim organizations paid up. This dropped to 26% in Q2 and slid further to 23% in Q3 2025.

Coveware believes that this shows that "cyber extortion's overall success rate is contracting." However, as the research reveals, it is not all good news.

Data exfiltration

Data exfiltration, which was involved in 76% of ransomware incidents recorded by Coveware in Q3 2025, has pivoted from being part of an attack chain to being the main goal.

As the ransomware industry has grown more sophisticated, ransomware operators realized that locking systems can apply only so much pressure, whereas the theft of sensitive corporate and customer data could be used as more effective leverage.


While locked systems could be quietly recovered or restored from backups, many ransomware groups today quickly go public to claim they have stolen a victim organization's data. They may also set up temporary websites or use paste sites to provide samples.

This can apply far more pressure on companies to pay up, while they must also deal with restoration, cyberforensics, damage to their reputations, and potential legal consequences.

"These are forms of leverage that neither downtime nor flawless backups can resolve," the researchers note.

The market splits

During Q3 2025, the ransomware industry has continued to split into two paths: cybercriminals who offer ransomware-as-a-service (RaaS) and groups that focus their efforts on targeted, sophisticated attacks.

RaaS provides ransomware to cybercriminals who are willing to either pay outright for these creations or pay a fee in return for access to malicious code. RaaS focuses on volume, and according to Coveware, RaaS operators are mostly targeting the mid-market. In comparison, the other side of the industry is aiming toward large, enterprise organizations with high-cost, targeted attacks.


It's interesting to see that along with success rates, the average ransomware payment has dropped to $376,941, a 66% decrease from Q2 2025. The median payment, $140,000, has also decreased by 65% in the same time frame.

The study says that as large enterprise firms continue to resist blackmail demands, payments on the whole are dropping -- and though small and mid-sized businesses with low-maturity security systems might be forced to pay up to resume operations, they can't pay as much.

"Attorneys who advocate paying to suppress data leaks are increasingly becoming extinct (as they should)," the researchers noted. "It is becoming codified best practice during data exfiltration incidents to start from a position of non-payment as the base scenario."

Enterprise considerations

Coveware anticipates that as profit margins continue to shrink, cybercriminals will hone their focus on "white whale" enterprises with the wallets to match.


Cybersecurity can't be an afterthought. It is now more important than ever that organizations -- especially mid-market size and larger -- invest in and implement robust security practices, strategies, and post-incident procedures. Businesses should also consider penetration testing to resolve cybersecurity vulnerabilities before they can be exploited.
