Ransomware groups are facing an economic downturn of their own: In Q3 2025, only 23 percent of victims paid a ransom, and for data theft incidents that involved no encryption, the payment rate dropped to just 19 percent, according to Coveware.
“Cyber defenders, law enforcement, and legal specialists should view this as validation of collective progress. The work that gets put in to prevent attacks, minimize the impact of attacks, and successfully navigate a cyber extortion — each avoided payment constricts cyber attackers of oxygen (i.e., Bitcoin),” the company noted.
A split in the threat landscape
Ransomware-as-a-Service groups like Akira target the mid-market and ask for smaller payments, and the share of their victims who pay remains slightly above the overall average. Other actors have gone in the opposite direction, targeting exclusively large enterprises that appear able to pay higher sums.
But large enterprises are now less inclined to pay the ransom.
“Several high-profile data exfiltration campaigns were largely unfruitful for the attackers despite widely reported impact on the victim organizations. These organizations are increasingly understanding that paying to suppress the proliferation of stolen data has de minimis to zero utility,” Coveware noted.
As payments fall, attackers are becoming less opportunistic and more inventive. Since they are spending more to get in, they must target organizations with deeper pockets, and many of those larger firms already have solid patch management and access controls. As a result, ransomware groups are turning to new ways to get inside networks.
Initial access
One of the most notable shifts in 2025 is the rise of insider threats and bribery. Attackers are directly approaching employees for access, offering money or cryptocurrency in exchange for credentials or remote entry.
Helpdesk social engineering has also evolved. Two years ago it was mostly used by the Scattered Spider group, but now other groups have jumped on the bandwagon: they call support lines, impersonate staff, and persuade technicians to reset passwords or approve new devices.
Some attackers use callback phishing: a fake voicemail notification or invoice directs the target to phone a number the attacker controls, setting up the next step of the compromise. What used to be a niche technique has become a standard stage in many intrusions.
Most common initial attack vectors in Q3 2025 (Source: Coveware)
Remote access compromise remains the most common entry point: it accounted for more than half of all ransomware and extortion incidents Coveware helped handle last quarter.
“Credential-based intrusions through VPNs, cloud gateways, and SaaS integrations continued to drive compromise, particularly in organizations navigating infrastructure migrations or complex authentication models. Even where technical patching was current, attackers found success exploiting lingering configuration debt such as old local accounts, unrotated credentials, or insufficiently monitored OAuth tokens,” the company says.
Social engineering and remote access compromise are also beginning to overlap: attackers no longer rely only on stolen credentials, but have learned to persuade someone inside the organization to create the access for them, for example by granting an OAuth authorization or provisioning a temporary account.
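The three kinds of configuration debt named above (old local accounts, unrotated credentials, unmonitored OAuth grants) are cheap to hunt for once the inventories exist. The following is an added example, not Coveware's code or data: it runs the checks over a constructed identity inventory, with the row shapes, thresholds and active-user roster all chosen for the example. Map your own exports (AD, IdP, cloud IAM, SaaS admin APIs) onto the same fields.

```python
"""Added example (not Coveware's code): audit a constructed identity inventory
for the configuration debt the report calls out: stale local accounts,
unrotated credentials, and OAuth grants nobody is monitoring.

The row shapes and thresholds below are assumptions made for the example;
map your own exports (AD, IdP, cloud IAM, SaaS admin APIs) onto these fields.
"""
from datetime import datetime, timedelta

NOW = datetime(2025, 10, 1)          # fixed "today" so results are deterministic
STALE_AFTER = timedelta(days=90)     # assumption: no logon/use in 90 days = stale
ROTATE_AFTER = timedelta(days=365)   # assumption: secrets older than a year
BROAD_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
ACTIVE_USERS = {"j.doe", "admin"}    # constructed HR/IdP roster

# Constructed inventory rows (not real data). In practice each list comes
# from a different system; the point is to join them against one clock.
LOCAL_ACCOUNTS = [
    {"name": "admin_legacy", "host": "VPN-GW01", "last_logon": datetime(2023, 4, 2), "enabled": True},
    {"name": "svc_backup", "host": "FS01", "last_logon": datetime(2025, 9, 28), "enabled": True},
    {"name": "tmp_contractor", "host": "JUMP01", "last_logon": None, "enabled": True},
    {"name": "old_dba", "host": "DB02", "last_logon": datetime(2022, 1, 10), "enabled": False},
]
CREDENTIALS = [
    {"id": "vpn-shared-psk", "kind": "psk", "rotated": datetime(2021, 6, 1), "owner": "netops"},
    {"id": "svc_backup/pw", "kind": "password", "rotated": datetime(2025, 7, 15), "owner": "backup"},
    {"id": "sso-api-key", "kind": "api_key", "rotated": None, "owner": None},
]
OAUTH_GRANTS = [
    {"app": "MailSync Pro", "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All"],
     "consented_by": "j.doe", "last_used": datetime(2025, 9, 30), "monitored": False},
    {"app": "Ticket Bot", "scopes": ["User.Read"],
     "consented_by": "admin", "last_used": datetime(2025, 9, 29), "monitored": True},
    {"app": "Legacy Exporter", "scopes": ["Directory.ReadWrite.All"],
     "consented_by": "former.employee", "last_used": datetime(2024, 2, 1), "monitored": False},
]


def stale_local_accounts(accounts, now=NOW):
    """Enabled accounts that never logged on, or not within STALE_AFTER."""
    return [a["name"] for a in accounts
            if a["enabled"] and (a["last_logon"] is None or now - a["last_logon"] > STALE_AFTER)]


def unrotated_credentials(creds, now=NOW):
    """Secrets with no rotation record, no owner, or a rotation older than ROTATE_AFTER."""
    return [c["id"] for c in creds
            if c["rotated"] is None or c["owner"] is None or now - c["rotated"] > ROTATE_AFTER]


def risky_oauth_grants(grants, active_users=ACTIVE_USERS, now=NOW):
    """Unmonitored grants, each with the reasons it deserves a look."""
    out = []
    for g in grants:
        if g["monitored"]:
            continue
        reasons = []
        broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if g["consented_by"] not in active_users:
            reasons.append(f"consented by inactive user {g['consented_by']}")
        if now - g["last_used"] > STALE_AFTER:
            reasons.append(f"unused for {(now - g['last_used']).days} days")
        if reasons:
            out.append((g["app"], reasons))
    return out


def audit():
    """Run all three checks over the constructed inventory."""
    return {
        "stale_local_accounts": stale_local_accounts(LOCAL_ACCOUNTS),
        "unrotated_credentials": unrotated_credentials(CREDENTIALS),
        "risky_oauth_grants": risky_oauth_grants(OAUTH_GRANTS),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

The OAuth check is the one that usually gets skipped: a grant with Directory.ReadWrite.All consented by someone who has since left is exactly the kind of standing access an attacker can reuse without ever touching a password, so the reasons are kept per grant rather than collapsed into a single score.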
Software vulnerability exploitation still plays a role, though less than before. Most exploited bugs are old and well known, especially in network appliances and enterprise applications.
Once attackers are inside
Data exfiltration is almost guaranteed, and encryption is often optional. “Data exposure creates faster, more predictable pressure through reputational harm, regulatory scrutiny, and customer fallout,” Coveware noted.
Before stealing data, though, many groups now perform detailed reconnaissance to find the most valuable systems and files. This phase often blends into normal IT activity, but organizations that can spot its anomalies (account enumeration, privilege mapping, and similar activity) have an advantage over attackers.
Similarly, adversaries' lateral movement, most often carried out over RDP, SSH, and PsExec, can be flagged if monitoring is in place and someone is actually watching the alerts it produces.
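To make the two preceding points concrete, here is an added example (not Coveware's code or telemetry) that runs three detections over a handful of constructed log lines: an account enumerating several local groups in quick succession (privilege mapping), a PsExec service install, and one source address opening RDP and SSH sessions to several hosts within minutes. The Windows event IDs are real (4624 with logon type 10 is an RDP logon, 7045 is a service install, 4799 is local group membership enumeration); the flattened key=value line format, the correlation window and the thresholds are assumptions made for the example.

```python
"""Added example (not Coveware's code): flag the reconnaissance and lateral
movement patterns named above over a few constructed log lines.

Event IDs are real Windows Security/System log IDs: 4624 with LogonType=10 is
an RDP (RemoteInteractive) logon, 7045 is "a service was installed", 4799 is
"security-enabled local group membership was enumerated". The flattened
key=value line format is an assumption for the example, not any product's
native output; the sshd lines follow the usual auth.log shape.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-09-14T02:10:01Z host=WS07 id=4799 Subject=j.doe Group=Administrators",
    "2025-09-14T02:10:03Z host=WS07 id=4799 Subject=j.doe Group=Remote Desktop Users",
    "2025-09-14T02:10:05Z host=WS07 id=4799 Subject=j.doe Group=Backup Operators",
    "2025-09-14T02:10:07Z host=WS07 id=4799 Subject=j.doe Group=Domain Admins",
    "2025-09-14T02:13:05Z host=FS01 id=4624 LogonType=10 User=j.doe Src=10.0.5.22",
    "2025-09-14T02:14:40Z host=DC01 id=4624 LogonType=10 User=j.doe Src=10.0.5.22",
    "2025-09-14T02:15:12Z host=DC01 id=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2025-09-14T02:16:30Z host=LNX03 sshd[2231]: Accepted publickey for root from 10.0.5.22 port 51234 ssh2",
    "2025-09-14T09:00:00Z host=WS12 id=4624 LogonType=2 User=a.smith Src=-",
    "2025-09-14T09:05:00Z host=WS12 id=4799 Subject=a.smith Group=Administrators",
]

WIN_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) (?P<rest>.*)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
WINDOW = timedelta(minutes=10)   # assumption: correlation window
MIN_GROUPS = 3                   # assumption: distinct groups enumerated before alerting
MIN_HOSTS = 2                    # assumption: distinct hosts reached from one source


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_fields(rest):
    """key=value tokens; a token without '=' continues the previous value,
    so 'Group=Remote Desktop Users' survives the split on whitespace."""
    fields, key = {}, None
    for tok in rest.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif key:
            fields[key] += " " + tok
    return fields


def parse(line):
    """Return a normalized event dict, or None for lines we do not model."""
    m = WIN_RE.match(line)
    if m:
        ev = {"ts": parse_ts(m["ts"]), "host": m["host"], "id": int(m["id"])}
        ev.update(parse_fields(m["rest"]))
        return ev
    m = SSH_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "id": "sshd",
                "User": m["user"], "Src": m["src"]}
    return None


def detect(lines):
    events = [e for e in map(parse, lines) if e]
    findings = []

    # Privilege mapping: one account enumerating several local groups within WINDOW.
    enum = defaultdict(list)
    for e in events:
        if e["id"] == 4799:
            enum[(e["host"], e["Subject"])].append(e)
    for (host, subject), evs in enum.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            groups = {x["Group"] for x in evs[i:] if x["ts"] - first["ts"] <= WINDOW}
            if len(groups) >= MIN_GROUPS:
                findings.append({"rule": "privilege_mapping", "host": host,
                                 "subject": subject, "groups": sorted(groups)})
                break

    # PsExec: its service install leaves a 7045 carrying the PSEXESVC name or image.
    for e in events:
        blob = (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()
        if e["id"] == 7045 and "psexesvc" in blob:
            findings.append({"rule": "psexec_service", "host": e["host"],
                             "service": e.get("ServiceName")})

    # Lateral fan-out: one source IP opening RDP/SSH sessions to several hosts quickly.
    remote = [e for e in events
              if e["id"] == "sshd" or (e["id"] == 4624 and e.get("LogonType") == "10")]
    by_src = defaultdict(list)
    for e in remote:
        by_src[e["Src"]].append(e)
    for src, evs in by_src.items():
        hosts = {x["host"] for x in evs}
        span = max(x["ts"] for x in evs) - min(x["ts"] for x in evs)
        if len(hosts) >= MIN_HOSTS and span <= WINDOW:
            findings.append({"rule": "lateral_fanout", "src": src,
                             "hosts": sorted(hosts), "span_seconds": int(span.total_seconds())})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f)
```

Each rule on its own is noisy (administrators do enumerate groups and do use RDP); the useful signal is the chain, which here reads as j.doe mapping privileged groups on WS07, then the same source address reaching a file server, a domain controller and a Linux host in three minutes, with a PsExec service appearing on the domain controller in between. Stitching the findings by source address and time is the part an analyst has to do manually when nobody is watching the alerts.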
Defenders should tighten monitoring around both data theft and internal misuse, and need to strengthen insider threat programs.