Ransomware Profits Drop As Victims Stop Paying Hackers (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: The number of victims paying ransomware threat actors has reached a new low, with just 23% of the breached companies giving in to attackers' demands. With some exceptions, the decline in payment resolution rates continues the trend that Coveware has observed for the past six years. In the first quarter of 2024, the payment percentage was 28%. Although it increased over the next period, it continued to drop, reaching an all-time low in the third quarter of 2025.

One explanation for this is that organizations have implemented stronger and more targeted protections against ransomware, and authorities have increased pressure on victims not to pay the hackers. [...] Over the years, ransomware groups moved from pure encryption attacks to double extortion that came with data theft and the threat of a public leak. Coveware reports that more than 76% of the attacks it observed in Q3 2025 involved data exfiltration, which is now the primary objective for most ransomware groups. The company says that when it isolates the attacks that do not encrypt the data and only steal it, the payment rate plummets to 19%, which is also a record for that sub-category.

The average and median ransomware payments fell in Q3 compared to the previous quarter, reaching $377,000 and $140,000, respectively, according to Coveware. The shift may reflect large enterprises revising their ransom payment policies and recognizing that those funds are better spent on strengthening defenses against future attacks. The researchers also note that threat groups like Akira and Qilin, which accounted for 44% of all recorded attacks in Q3 2025, have switched focus to medium-sized firms that are currently more likely to pay a ransom.
"Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress," Coveware says. "The work that gets put in to prevent attacks, minimize the impact of attacks, and successfully navigate a cyber extortion -- each avoided payment constricts cyber attackers of oxygen."
  • 23% is huge (Score:5, Insightful)

    by test321 ( 8891681 ) on Monday October 27, 2025 @07:30PM (#65754618)

    23% of companies paying, down from 28%, is still a very large percentage that encourages ransomware authors. They still only need 4 attempts to win a comfortable payday.

    • Re:23% is huge (Score:4, Insightful)

      by RitchCraft ( 6454710 ) on Monday October 27, 2025 @07:45PM (#65754636)

      Yep, came here to say the same. Nothing will change until that number reaches 0%. Make it a crime to pay ransoms. Use that money instead to fund your IT departments properly.

      • Re:23% is huge (Score:5, Insightful)

        by ndsurvivor ( 891239 ) on Monday October 27, 2025 @07:59PM (#65754662) Journal
        I suspect BTC will crash if that happens.
      • Yep, came here to say the same. Nothing will change until that number reaches 0%. Make it a crime to pay ransoms. Use that money instead to fund your IT departments properly.

        I'm not so sure. Spamming can use the law of large numbers due to its low barrier to entry and easy automation, so even a 0.01% success rate can be profitable. With ransomware, most of the easy stuff has been picked off already - basically nobody has RDP open on 3389 anymore, pretty much everyone has SSH locked down, lots of people do their work in SaaS products which are more difficult to ransomware, and for all the obnoxiousness for Microsoft shoving OneDrive down everyone's throat, it *does* do versionin

      • Totally agree! Paying the ransom through a third party must also be illegal. Companies should also be required to report to the FBI if they are being extorted over a certain dollar amount so that the government can track this activity and assist the companies. If the company doesn't comply with these laws, then the people (CEO, officers, IT, accountant, etc.) responsible at the company should be subject to jail. Fines are not sufficient since it is just the company's money that is being lost. Once companies
      • by EnvyRAM ( 586140 )

        It comes down to a business decision for these organizations. Even people that have a hard-line moral stance on this are suddenly faced not with the question "should I pay the ransom or fund the IT department?" but with "should I pay the ransom or go out of business?"

        An obvious example is a hospital system, where suddenly ambulatory care has to be diverted, Epic is down, and they're scrambling with DR procedures to dispense medication and track everything on paper while not being able to treat cancer patients b

    • Re:23% is huge (Score:5, Informative)

      by CaptQuark ( 2706165 ) on Tuesday October 28, 2025 @12:19AM (#65754886)

      The drop from 28% to 23% is only in the past year. If you look at the data in TFA you will see over the past 5 years, the drop has been from 77% down to 23%, a much larger difference.

      The graph shows a downward trend over the last 6-1/2 years, down from 83%. I don't know why the summary only focused on the last year when the difference makes it seem like the trend is minimal. Look at the graph yourself to see the steady decline in payments.

  • I bet all these folks who used to ransomware are now just starting bullshit AI startups and either fleecing investors or hoping to get acquired by another company desperate to get on the AI hype train.
  • by miniskunk ( 1116621 ) on Monday October 27, 2025 @11:54PM (#65754866)
    I think companies are learning how to not be held hostage by having redundancy. Backup servers that are kept available reduce the cost of losing access to critical systems, making it cheaper to just abandon the compromised devices. Basically, don't keep everything in one place so you can get back in operation faster w/o needing to pay to get a server/computer unlocked. If backed up often enough, and keeping the backups offline when not making backups or until needed, they only lose some records, not all.

    Employees are also being trained how not to make the company a victim of scammers. At my business, we have had issues in the past with employees not being smart enough to just hang up when scammers call, or better yet call the business manager when in doubt before doing anything they are asked to do. We have been fortunate to not lose any money in the past due to acting fast enough to stop unauthorized fund transfers by naive staff.

    Locking down the PCs so the employees cannot install unauthorized software like Anydesk without a password is a simple strategy to protect yourself and your customers from data breaches/ransomware installations. Also, never allowing critical passwords/usernames that can give access to bank accounts/payroll etc. to be saved on the PC, especially on the employee-shared PCs, goes a long way to stop scammers in their tracks.
