The share of companies that agree to pay a ransom after ransomware attacks has fallen to a historic low — only 23% of victims accepted the attackers’ terms in the third quarter of 2025, report analysts at Coveware.
The gradual decline in ransomware groups’ revenues has been ongoing for six years: fewer and fewer organizations are entering into negotiations and deals with hackers. For comparison, in early 2024, only 28% of victims paid the ransom. Analysts attribute this decrease to actions by law enforcement and authorities, who are increasing pressure on victims not to pay attackers, as well as the implementation of new targeted security measures.
“Cyber defenders, law enforcement officers, and lawyers should view this trend as confirmation of collective progress,” the experts write. “The work being done to prevent attacks, minimize their impact, and counter cyber extortion means that every unpaid ransom cuts off the oxygen to cybercriminals.”
However, hacker groups have long since stopped limiting themselves to data encryption alone. Their primary lever against victims is data theft and the threat of publication. In the third quarter of 2025, such incidents accounted for more than 76% of all attacks.
At the same time, Coveware claims that in cases where attackers do not encrypt but steal data, and the attack is contained, the likelihood of paying the ransom drops to 19% — the lowest level on record.
It is also noted that the amounts of ransoms paid have dropped significantly—to $377,000 (average) and $140,000 (median). Experts attribute this to large companies refusing to pay hackers and directing their resources and funds toward strengthening defenses against future attacks.
According to experts, for these reasons the Akira and Qilin groups, which are responsible for 44% of all ransomware attacks recorded during the quarter, have shifted their focus to mid-sized businesses, where companies are more likely to agree to pay, hoping to restore operations more quickly after an incident.
The attack vector is changing as well. More and more incidents start with the compromise of remote access tools and the exploitation of vulnerabilities in various software.
Researchers warn that as revenues decline, ransomware operators are acting more selectively and more actively seeking new ways to break in. Now that large companies have strengthened their defenses, hackers are increasingly turning to social engineering and looking for insiders—even bribing employees who can help them gain access to corporate networks.