ZDNET's key takeaways

Ransomware payments have reached a historic low of 23%.
Dropping success rates could lead to more targeted attacks with higher payouts.
Large enterprises could have an increased risk of becoming targets.

Fewer and fewer companies are capitulating to ransomware payment demands, with success rates for this criminal industry reaching a historic low of 23%.

According to a Q4 2025 report published by Coveware, a cybersecurity firm that tracks the trends and movements of ransomware groups, ransomware payments made were at their highest -- in around 85% of attacks -- back in 2019. With the exception of a handful of quarterly spikes, the success rate of ransomware blackmail and extortion attempts has continued to drop.

For example, the researchers say that in Q1 2025, approximately 27% of victim organizations paid up. This dropped to 26% in Q2 and slid further to 23% in Q3 2025. Coveware believes that this shows that "cyber extortion's overall success rate is contracting."

However, as the research reveals, it is not all good news.

Data exfiltration

Data exfiltration, which was involved in 76% of ransomware incidents recorded by Coveware in Q3 2025, has pivoted from being part of an attack chain to being the main goal. As the ransomware industry has grown more sophisticated, ransomware operators realized that locking systems can apply only so much pressure, whereas the theft of sensitive corporate and customer data could be used as more effective leverage.

While locked systems could be quietly recovered or restored from backups, many ransomware groups today quickly go public to claim they have stolen a victim organization's data.
They may also set up temporary websites or use paste sites to provide samples. This can apply far more pressure on companies to pay up, while they must also deal with restoration, cyberforensics, damage to their reputations, and potential legal consequences. "These are forms of leverage that neither downtime nor flawless backups can resolve," the researchers note.

The market splits

During Q3 2025, the ransomware industry has continued to split into two paths: cybercriminals who offer ransomware-as-a-service (RaaS) and groups that focus their efforts on targeted, sophisticated attacks.

RaaS provides ransomware to cybercriminals who are willing to either pay outright for these creations or pay an affiliate fee in return for access to malicious code. RaaS focuses on volume, and according to Coveware, RaaS operators are generally targeting the mid-market. In comparison, the other side of the industry is aiming toward large, enterprise organizations with high-cost, targeted attacks.

It's interesting to see that along with success rates, the average ransomware payment has dropped to $376,941, a 66% decrease from Q2 2025. The median payment, $140,000, has also decreased by 65% in the same time frame.

The report says that as large enterprise firms continue to resist blackmail demands, payments on the whole are dropping -- and although small and mid-sized businesses with low-maturity security systems might be forced to pay up to resume operations, they can't pay as much.

"Attorneys who advocate paying to suppress data leaks are increasingly becoming extinct (as they should)," the researchers noted. "It is becoming codified best practice during data exfiltration incidents to start from a position of non-payment as the base scenario."

Enterprise considerations

Coveware anticipates that as profit margins continue to shrink, cybercriminals will hone their focus on "white whale" enterprises with the wallets to match.
Cybersecurity can't be an afterthought. It is now more important than ever that organizations -- especially mid-market size and larger -- invest in and implement robust security practices, strategies, and post-incident procedures. Businesses should also consider penetration testing to resolve cybersecurity vulnerabilities before they can be exploited.