Ransomware payments dropped significantly in the third quarter of 2025, according to an analysis conducted by ransomware incident response firm Coveware.
According to Coveware, ransomware payment rates dropped to a historical low of 23% in Q3 2025, indicating that “cyber extortion’s overall success rate is contracting”, which should be viewed as a success of the efforts of law enforcement, cyber defenders and legal specialists.
Coveware reported that the average ransom payment in Q3 2025 was roughly $377,000, a 66% decrease compared to the previous quarter. The median ransom payment dropped by 65%, to $140,000.
The company has largely attributed the drop in payment amounts to a couple of trends. The first is large enterprises increasingly refusing to pay ransoms after being targeted in a ransomware attack.
“Several high-profile data exfiltration campaigns were largely unfruitful for the attackers despite widely reported impact on the victim organizations. These organizations are increasingly understanding that paying to suppress the proliferation of stolen data has de minimis to zero utility,” Coveware explained.
The second aspect is that mid-market organizations, which are more likely to pay up after their systems have been hit, agree to pay smaller ransoms.
“Smaller organizations cannot afford large ransoms but remain easier to disrupt. Groups like Akira and Qilin are increasingly leveraging this high-volume, low-demand strategy,” Coveware said.
Akira and Qilin were the most active ransomware groups in the past quarter, which has been confirmed by reports published recently by ReliaQuest and ZeroFox.
All three security firms reported that the professional services sector was the most targeted.
ReliaQuest also reported that the number of data leak websites managed by cybercriminals has hit an all-time high, reaching 81 in the third quarter of 2025.
ZeroFox reported seeing more than 1,429 ransomware and extortion incidents in Q3, a 5% increase from Q2, and a drop of roughly 27% from the record-breaking 1,961 incidents observed in Q1.
Related: Ransomware Group Claims Attack on Beer Giant Asahi
Related: Fencing and Pet Company Jewett-Cameron Hit by Ransomware
Related: Microsoft Revokes Over 200 Certificates to Disrupt Ransomware Campaign
