The success rate of cyber extortion is clearly shrinking, as indicated by Coveware’s analysis. The firm reported that the rate of organizations choosing to pay a ransom hit a historical low of just 23% in Q3 2025, a positive signal for law enforcement, cyber defenders, and legal specialists working to combat these attacks.
This falling success rate coincided with a major reduction in payment size. The average ransom payment plummeted by 66% from the previous quarter, landing at roughly $377,000. Similarly, the median payment dropped by 65% to $140,000. Coveware largely attributes this dramatic decrease to a major shift: large enterprises are now systematically refusing to pay after being targeted.
Large organizations are realizing the futility of caving to demands, even when data is exfiltrated. Coveware noted that several major data theft campaigns proved “largely unfruitful for the attackers.” Victims are increasingly understanding that paying a ransom solely to prevent the publication of stolen data provides little to no practical benefit.
The second factor driving down payment averages is the strategy shift among attackers targeting the mid-market. While these smaller organizations are more likely to ultimately pay to recover systems, they are agreeing to smaller ransoms. As Coveware explained, groups like Akira and Qilin are increasingly exploiting this “high-volume, low-demand strategy” because smaller organizations cannot afford large ransoms but remain easier targets to disrupt.
This active targeting confirms external reports: ReliaQuest and ZeroFox both confirmed Akira and Qilin were the most active ransomware groups during the quarter, and all three security firms agreed that the professional services sector remained the primary target for these groups. Furthermore, the number of data leak websites used by cybercriminals reached an all-time high of 81 in Q3 2025, according to ReliaQuest. While activity remains high, the 1,429 ransomware and extortion incidents observed by ZeroFox in Q3 represent only a 5% increase over Q2 and a significant 27% drop from the record-breaking 1,961 incidents reported in Q1.
Reference:
