7 min read

Ransomware victims are paying attackers less than ever. In Q3 2025, only 23% of victims paid in incidents tracked by Coveware, a historical low in payment rates and part of a longer downward trend.
Analysts say the decline is linked to better backup and recovery capabilities, stronger law enforcement takedowns and seizures, and changes in insurer and legal advice that make payment a less attractive or feasible option.
The drop marks the lowest recorded payment rate, showing that cyber defenses are starting to weaken ransomware’s traditional leverage over victims.

Alongside fewer payments, ransom sizes also fell sharply. Coveware reports the average ransom payment in Q3 2025 as $376,941, a 66% drop from Q2 2025, while the median payment was $140,000, down 65% from the prior quarter.
This indicates that even when organizations do pay, the financial impact is lower than before. Security firms say the decline reflects tighter defenses, better preparedness, and stronger oversight from boards and insurers demanding proof of recovery alternatives before considering any payment.

Ransomware groups increasingly steal sensitive data instead of relying solely on file encryption. Coveware observed exfiltration in 76% of its Q3 2025 cases, highlighting how data theft and double extortion are now central tactics.
However, companies with strong response plans are often able to contain breaches and avoid payments, further reducing the success rate of extortion. This change demonstrates how attack methods are evolving even as overall payouts decline.

While many large enterprises have hardened defenses and are resisting payment, attackers have increased their volume of attacks against mid-market and smaller firms that often lack the same recovery resources.
These companies often face higher operational pressure during attacks, making them more vulnerable. Even so, medium-sized firms are increasingly implementing backups and segmented networks to avoid paying ransoms.

Overall, ransomware payments fell year over year. Chainalysis estimates that victims paid about $813.6 million in 2024 compared with roughly $1.25 billion in 2023.
Lower payouts are tied directly to improved defenses, government guidance against paying ransoms, and increased risk for attackers from law enforcement tracking.
The trend confirms that ransomware is becoming a less predictable revenue source for criminal networks, even as the number of attacks remains high.

The U.S., U.K., and Australia have issued clear guidance urging organizations not to pay ransoms. Paying attackers can fund criminal networks and potentially violate sanctions.
The UK government has proposed measures that could ban payments by certain public bodies and require notification to authorities before payments in other cases; the details are part of an active consultation and are still being finalised.
These measures reinforce the shift away from paying ransoms, aligning policy with the observed global decline in successful ransom payments.

Cyber insurers are revising policies to limit automatic reimbursement for ransom payments. Many now require proof that companies attempted recovery through backups and other defensive measures before payouts are considered.
This reduces the financial incentive for organizations to pay attackers and encourages investment in resilience measures. Experts note that policy changes are a key factor in why fewer companies are paying, strengthening the overall downward trend in ransom revenue.

Organizations with cloud-based, immutable, and segmented backups can restore systems quickly after attacks, removing the need to pay ransoms. These systems prevent attackers from holding critical data hostage, dramatically reducing their bargaining power.
Security analysts highlight that the proliferation of automated recovery systems correlates directly with the historic low in ransom payments, showing that investment in defensive infrastructure is paying off.

Improved blockchain forensics and international law enforcement actions make it harder for attackers to cash out and launder ransom proceeds.
Chainalysis and other forensic teams report that law enforcement seizures and tracing have reduced the attractiveness of ransomware as a predictable cash flow.
As a result, victims are more confident in refusing to pay, knowing that the chances of recovery and of the attackers being prosecuted have risen. Tracing efforts have become a key factor in lowering successful ransom outcomes.

Hospitals, utilities, and local governments continue to face ransomware threats. Even with stronger defenses, these organizations are targeted because downtime can have immediate operational consequences.
While payment rates in these sectors remain slightly higher than corporate averages, government partnerships and improved recovery procedures are helping to mitigate the need for ransom payments. Programs like national cyber coordination centers now assist critical sectors in rapid recovery and attack containment.

Mandatory and voluntary reporting of ransomware attacks helps organizations prepare and respond more effectively. Public disclosure creates transparency, allowing other firms to adopt similar defensive strategies.
Recent legislation in the U.K. and U.S. requires certain organizations to report incidents, providing authorities with a better understanding of the threat landscape and allowing faster intervention, which in turn reduces reliance on ransom payments.

Cybersecurity decisions are increasingly made at the executive level. Boards are now involved in policies regarding payment refusals and contingency planning. Organizations with clear, high-level policies are more likely to resist ransom demands.
This corporate oversight ensures consistent response strategies and strengthens resilience, contributing to the overall decline in ransomware payment rates across industries.

In many attacks, ransomware groups now steal data without encrypting systems. These incidents, often called “data-only” extortion, had a lower payment rate of 19% in Q3 2025.
While attackers rely on the threat of disclosure rather than operational disruption, strong containment and legal frameworks have enabled many victims to avoid payment. The trend shows that even as attack techniques evolve, defensive measures remain effective.

Median ransom amounts differ across regions. Some countries have reported reductions of up to 65% in ransom payments over the past year. These variations reflect differences in government guidance, corporate preparedness, and law enforcement coordination.
Regardless of location, the general global trend is a steady decline in both payment rate and average ransom size, demonstrating that defenses are increasingly effective worldwide.

As fewer payments succeed, ransomware-as-a-service platforms face shrinking profitability. Reports show that many criminal networks are rebranding or diversifying tactics as the guaranteed revenue stream diminishes.
Analysts note that this indicates a structural shift in the ransomware ecosystem: extortion is no longer a highly reliable business model, even as attackers continue to innovate.

The combined impact of lower payments, smaller ransoms, legal pressure, and better recovery tools shows that ransomware attackers are under growing pressure. While attacks continue, the ecosystem is changing: resilience now dominates over extortion.
The shift demonstrates that investments in cybersecurity, backups, and reporting infrastructure are successfully reducing the effectiveness of ransomware and protecting organizations from paying criminal demands.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.