Report Reveals Only 23% of Ransomware Attack Victims Pay the Ransom

According to Coveware, a ransomware remediation company, the ransomware scene has split in two: larger companies face more targeted, higher-cost attacks, while mid-market firms are attacked in volume. Ransomware groups continue to run high-volume attacks even though the ransom payments are much lower, because the attacks are simpler to carry out and a larger share of victims pay. Attacks on bigger organizations demand more work, but a successful one brings a much larger ransom payment. Coveware states that bigger companies are more resistant to paying, because they have realized how little a ransom payment actually buys them. Even so, these targeted attacks will probably increase as overall ransom payments decline.

Regardless of the type of company attacked, ransom payments have dropped to their lowest level since Q1 of 2023. The average and median ransom payments are $376,941 (down 66%) and $140,000 (down 65%), respectively. In Q1 of 2019, 85% of ransomware attack victims paid the ransom; in Q3 of 2025, only 23% did.

When cybercriminals first began executing ransomware attacks, the emphasis was on file encryption; the standard practice is now double extortion, stealing data before encrypting files. Although encrypted data can be restored from backup copies, the threat of data exposure is often enough to compel victims to pay in order to limit the reputational damage of an attack. Per Coveware, data theft was involved in 76% of Q3 2025 attacks. A growing number of groups now steal data without deploying encryption at all. Such extortion-only attacks are typically quicker and stealthier, but only 19% of them result in a ransom payment, which indicates that victims do not believe paying will get their stolen data deleted.

Attack vectors change over time. In Q3 of 2024, phishing and social engineering were the most common initial access methods. In Q3 of 2025, remote access compromise increased while phishing/social engineering fell to about 18% of attacks; remote access compromise accounted for about 50% of Q3 attacks. Coveware notes that the boundary between initial access categories, for example social engineering and remote access compromise, is blurring: attackers impersonate SaaS support teams or abuse helpdesk processes to trick people into granting remote access. Today's attacks, then, do not start with an unpatched VPN or a simple phishing email so much as with a blending of identity, trust, and access across people and platforms.

In Q3 of 2025, Akira (34%) and Qilin (10%) were the two most active ransomware groups, both conducting high-volume attacks that produced relatively small profits per attack. A predictable response to the low payment rate is to conduct more attacks. Coveware also thinks it likely that companies able to pay large ransoms will be targeted more often. As security postures improve, attacks become harder to pull off, and one possible result is that attackers will turn back to employees who can be tricked into granting access, and to recruiting insiders. Coveware has seen several attacks in which staff were paid to provide remote access. In one instance, the Medusa ransomware group tried to recruit an employee of a large company, offering to pay 15% of all ransom payments collected once system access was established through the employee's computer.

Healthcare remains a profitable target for ransomware groups, yet only 9.7% of attacks affected HIPAA-covered healthcare entities, which put the sector in second place alongside software services. The most commonly attacked sector was professional services, with 17.5% of attacks.

Image credit: MosrikaMomin, AdobeStock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.