Full Report
The number of victims paying ransomware threat actors has reached a new low, with just 23% of the breached companies giving in to attackers' demands. [...]
Analysis Summary
# Incident Report: Decline in Ransomware Payment Rates (Q3 2025)
## Executive Summary
Ransomware payment resolution rates reached an all-time low in Q3 2025, with only 23% of breached companies complying with attacker demands. This decline is attributed to stronger organizational protections and increased pressure from authorities discouraging payments. While encryption remains common, data exfiltration is now the primary extortion tactic in over 76% of observed cases, indicating a tactical shift by threat actors towards high-value data theft.
## Incident Details
- **Discovery Date:** Q3 2025 analysis period (reporting on trends up to this quarter).
- **Incident Date:** Ongoing trend throughout Q3 2025.
- **Affected Organization:** Trend data reflects multiple organizations across various sectors.
- **Sector:** Broad industry impact covered by the trend analysis.
- **Geography:** Not specifically defined; global/observed market trend.
## Timeline of Events
### Initial Access
- **Date/Time:** Q3 2025 (Specific dates not provided; trend analysis period).
- **Vector:** Remote access compromise, alongside a significant increase in the use of software vulnerabilities.
- **Details:** Leading observed attack vectors changed; social engineering and insider recruitment are anticipated to increase as profits shrink.
### Lateral Movement
- Attackers utilized established access to move laterally during observed breaches (implied by multi-stage attacks).
### Data Exfiltration/Impact
- **Details:** Data exfiltration occurred in over 76% of observed attacks in Q3 2025, cementing it as the primary objective (double extortion). If data theft occurs without encryption, payment rates fall to 19%.
### Detection & Response
- **How it was discovered:** Data derived from vendor reports (Coveware) on incident handling over Q3 2025.
- **Response actions taken:** Organizations are deploying stronger, more targeted protections. These, together with increased law enforcement and legal pressure against paying ransoms, are noted as contributing factors to the trend.
## Attack Methodology
- **Initial Access:** Remote access compromise, exploiting software vulnerabilities. Predicted future reliance on social engineering and insider recruitment.
- **Persistence:** Not explicitly detailed, but implied by multi-stage attacks.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed, though stronger organizational defenses correlate with lower payment rates.
- **Credential Access:** 46% of environments experienced password cracking, nearly double the previous year (based on a referenced external report).
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Implied methods used to reach valuable data stores before exfiltration.
- **Collection:** Primarily focused on data theft (exfiltration).
- **Exfiltration:** Primary objective in 76%+ of cases, indicating a preference for data theft over pure encryption.
- **Impact:** Financial extortion attempts; impact mitigated by victims' choice not to pay (23% payment resolution rate).
## Impact Assessment
- **Financial:** Average ransomware payment fell to \$377,000; median payment fell to \$140,000 in Q3 2025. Organizations are redirecting funds to defense strengthening instead of payment.
- **Data Breach:** Data exfiltration is the primary lever used by threat actors.
- **Operational:** Organizations appear more resilient, with fewer successful extortion outcomes (23% payment rate).
- **Reputational:** Not detailed, but successful navigation of extortion implies minimized reputational fallout related to public data leaks.
## Indicators of Compromise
*Note: No specific IoCs were provided in the summary text (only general trends).*
- **Network indicators:** (None specified)
- **File indicators:** (None specified)
- **Behavioral indicators:** Use of remote access compromises and software vulnerability exploitation as entry vectors. Trend toward increased reliance on insider support.
## Response Actions
- **Containment measures:** Organizations are implementing stronger and more targeted protections.
- **Eradication steps:** Not detailed beyond general defensive strengthening.
- **Recovery actions:** Successful navigation of cyber extortion attempts without payment in the majority of cases (77%).
## Lessons Learned
- Collective efforts by cyber defenders, law enforcement, and legal specialists in preventing attacks and navigating extortion are proving effective.
- A stronger, more targeted security posture correlates directly with reduced attacker success (lower payment rates).
- Data exfiltration, with or without encryption, remains the most common mechanism leveraged by threat actors.
## Recommendations
- Organizations should continue to invest heavily in preventative measures, particularly hardening defenses against the leading initial access vectors: remote access compromises and software vulnerability exploitation.
- Review and strengthen policies regarding the payment of ransoms, aligning with legal and law enforcement guidance.
- Given that data exfiltration occurred in over 76% of observed attacks, ensure robust Data Loss Prevention (DLP) and least privilege controls are strictly enforced to mitigate exfiltration risks.