Ransomware payments experienced a notable decline in the third quarter of 2025, reaching a historic low of just 23% for payment rates, according to an analysis by cybersecurity firm Coveware. This substantial decrease signifies a contraction in the overall success rate of cyber extortion efforts, which can be attributed to enhanced strategies by law enforcement, cybersecurity professionals, and legal experts.
The average ransom payment in Q3 2025 fell to approximately $377,000, marking a significant 66% decrease from the previous quarter. The median ransom payment also saw a dramatic drop of 65%, settling at $140,000. Coveware’s analysis identified two primary trends contributing to this decline.
One key trend is that larger enterprises are increasingly opting not to pay ransoms after a cyberattack. Coveware noted that several high-profile data exfiltration campaigns yielded limited success for attackers, despite widespread media coverage of the impacts on victim organizations. “These organizations are increasingly understanding that paying to suppress the proliferation of stolen data has de minimis to zero utility,” the firm stated.
Another factor influencing the decrease in ransom amounts is the behavior of mid-market organizations, which tend to agree to smaller ransom demands after being targeted. According to Coveware, smaller organizations often cannot afford large ransoms, making them more vulnerable to disruption. Ransomware groups like Akira and Qilin have adapted their strategies to focus on high-volume, low-demand operations, effectively exploiting this vulnerability.
The professional services sector emerged as the most targeted industry during the past quarter. This finding was corroborated by reports from both ReliaQuest and ZeroFox. In a concerning trend, ReliaQuest reported that the number of data leak websites managed by cybercriminals reached an all-time high of 81 in Q3 2025. Additionally, ZeroFox tracked more than 1,429 ransomware and extortion incidents during the same period, representing a 5% increase from Q2 but a 27% decrease from the record 1,961 incidents recorded in Q1.
The data reflects a shifting landscape in ransomware dynamics, highlighting the impact of collective efforts by organizations and law enforcement to combat cybercrime. As companies adapt to these threats, understanding the motivations behind ransomware payments and the strategies employed by attackers will remain crucial in mitigating risks in the future.
