For years, ransomware incidents were interpreted through a familiar set of signals. Leaders identified the malware family, mapped it to the threat group, assessed the demand, and used those inputs to judge the scale of the event and how to respond. The approach was never precise, but it gave executives a practical shorthand for framing risk quickly.
In 2025, that shorthand became far less reliable. Based on hundreds of incidents supported by Coveware by Veeam, this analysis draws on direct extortion response and negotiation experience from across the year. The pattern was consistent:
- The ecosystem continued to fragment, as attacker brand, malware variant, and headline ransom demand explained less and less about what actually determined the outcome.
- Payment rates fell to 20%, the lowest level on record, prompting new attack vectors.
- Data exfiltration-only extortion remained a weak converter at roughly 25%.
- The most disruptive incidents were increasingly dependent on whether attackers could exploit identity, manipulate trusted workflows, and weaken confidence in recovery enough to force rushed decisions.
Four shifts defined the year. Taken together, they show how cyber extortion is changing.
1. Payment Fell, but the Threat Did Not
Overall ransom payment rates fell to 20%, below the 25–35% range that had held for several quarters and had begun to look like a floor. This does not mean that extortion became less dangerous. Rather, payment became a less reliable way to manage risk. Across 2025 cases, organizations in both the enterprise and mid-market increasingly showed they could absorb encryption-driven disruption and restore operations without depending on a threat actor’s decryption key. The pattern suggests measurable improvement in backup integrity, recovery planning, and incident response execution.
At the same time, the most severe incidents still drove unusually large settlements. Median payments remained relatively steady, while average payments rose sharply because a small number of high-impact events pulled them upward. As a result, average ransom figures now reveal more about the extreme end of the market than about the experience of most victims. Payment behavior was therefore shaped less by any broad return to willingness to pay and more by the fact that a narrow set of severe disruptions continued to create exceptional pressure.
The larger implication is straightforward. Organizations did not face less pressure, but more of them were able to withstand it. As payment rates declined, attackers responded by increasing urgency, repeating outreach, and escalating pressure in an effort to compress decision timelines and force leadership into decisions they would be less likely to make under steadier conditions.
2. Exfiltration-Only Extortion Kept Losing Monetization Power
Data theft without encryption remained disruptive in 2025, but it continued to weaken as a reliable extortion model. The latest figures put exfiltration-only payment rates at roughly 25%, and the conversion rates across major mass exfiltration campaigns make the trend even clearer. Accellion converted at 25%, GoAnywhere at 20%, MOVEit at 3%, while both Cleo and Oracle E-Business Suite were at 0%. Even in the Oracle EBS campaign, where victims often lacked clean forensic reconstruction and the stolen data was materially sensitive, investigators still saw limited engagement and weak monetization.
In exfiltration-only cases, payment rarely changes the core exposure. It does not typically remove breach notification obligations, materially reduce litigation risk, prevent stolen data from being retained or resold, or rule out future extortion attempts. Across the year’s active matters, a consistent pattern emerged: more mature enterprises increasingly approached these incidents as legal, regulatory, communications, and incident response events, rather than as negotiation scenarios that payment could meaningfully resolve.
These campaigns still appealed to attackers because they were inexpensive to run and easy to scale across a large number of victims. Broad pressure could still create disruption, but weak conversion rates made the model less effective than it once appeared.
3. Identity and Social Engineering Moved to the Center
Many of the highest-impact intrusions in 2025 originated in the ordinary mechanisms organizations use to grant access and keep work moving. Across the year’s most disruptive cases, attackers relied on people, process, and identity, using targeted social engineering across email, chat platforms, SMS, and voice to exploit legitimate workflows. Because that access appeared authorized, it was often harder to detect, validate, and contain. Helpdesk resets, MFA enrollment flows, remote support procedures, and routine approval paths repeatedly served as effective entry points because they were already embedded in trusted operating practices.
Remote access compromise remained the most common initial access vector, though in practical terms it often reflected weak identity hygiene. VPN, RDP, remote management services, SaaS identity, and edge services all became high-leverage ingress points when authentication, conditional access, and session controls were insufficient. Once privileged pathways were exposed, the boundary between initial access and lateral movement narrowed considerably. Logged-in access increasingly accomplished what older intrusion models treated as separate stages of intrusion and exploitation.
Phishing also evolved in ways that matter strategically. In 2025 casework, it increasingly operated within a broader pattern of trust exploitation. The objective was often persistent, seemingly legitimate access established through manipulated workflows, OAuth grants, and user-driven installation of legitimate remote support tools. That gave attackers access patterns that could look routine to defenders, extending dwell time and making containment harder. Across the most disruptive incidents, the quickest route to operational disruption often ran through identity, with recurring weaknesses in identity governance, IT operating procedures, service desk verification, and third-party relationships with standing access.
4. Recoverability Became Contested Territory
In 2025, having backups was no longer the same thing as being confident in recovery. Across the year’s cases, attackers repeatedly moved beyond outright deletion and into more subtle forms of sabotage, including tampering with backup configurations, policies, schedules, and objects in ways that might remain invisible until restore time. That changed the core question organizations had to answer. The issue was no longer simply whether backups existed. It was whether recoverability could be proven under adversarial conditions.
Immutability remained a critical control, but the year’s incident experience makes clear that it is not sufficient on its own. Recovery confidence also depends on the completeness and security of backup configurations, the integrity of the identity and administrative paths that manage them, and the practical ability to restore data in a usable timeframe without reintroducing attacker persistence, compromised credentials, or malware into the rebuilt environment. Organizations that assumed recovery was assured, only to discover under pressure that key restore paths were incomplete or compromised, faced some of the most severe outcomes.
This is why recoverability became such an important executive issue. False confidence creates a decision trap. Once leadership learns, in the middle of a crisis, that recovery assumptions were wrong, the room gets narrower, the timeline gets shorter, and the appeal of a rushed settlement increases. The organizations that performed best were generally the ones that had already tested restoration assumptions, verified backup integrity, and planned for recovery in an environment where attacker persistence might still be present.
What Leadership Should Bring Into 2026
The central lesson from 2025 is that cyber extortion can no longer be read through the older shorthand alone. Malware family, actor brand, and headline demand still provide context, but they no longer explain outcomes as reliably as they once did. Across firsthand Coveware by Veeam casework, three factors proved more consistently decisive: the integrity of identity systems, confidence in recovery, and the quality of executive decision-making under pressure. Payment rates continued to decline, exfiltration-only conversion remained weak, and attackers adjusted by putting more pressure on identity, trusted workflows, and recoverability.
The organizations that managed these incidents most effectively were usually not the ones making assumptions based on reputation, familiarity, or optimism. They entered the crisis with tested recovery procedures, disciplined control over identity, and decision support grounded in current intelligence and operational reality. In 2025, stronger outcomes tended to come from organizations that could recover cleanly, maintain trust in their own systems, and keep urgency from driving leadership into avoidable decisions.