The Ransomware Paradox: Payments Plummet to 23% as Insider Bribery Surges
The Coveware report on ransomware activity for the third quarter of 2025 paints a paradoxical picture. On one hand, mass-scale Ransomware-as-a-Service (RaaS) campaigns continue to flood mid-tier companies; on the other, there is a marked rise in targeted assaults on large enterprises, where threat actors are shifting from automated methods to bespoke operations involving insider collaboration. Despite the growing number of incidents, the ransomware economy is collapsing: payment rates have plummeted to historic lows, and profitability is rapidly eroding.
One of the most striking examples of large-scale tactics comes from the Akira group, which exploited a vulnerability to carry out a record number of attacks during July and August. The group’s strategy hinges on the low cost of intrusions and relatively modest ransom demands — a model that ultimately drives higher payment conversion rates. Akira now controls roughly a third of the market and continues to expand its attack infrastructure to target organizations of all sizes. This high-volume approach stands in contrast to “elite” groups that focus on prestigious targets, where each operation is more expensive and the odds of payout far slimmer.
A new and deeply troubling trend has emerged in the realm of insider threats. In one case, members of the Medusa gang attempted to bribe an employee, offering 15% of the ransom in exchange for access to their workstation. According to researchers, this incident marks a shift from traditional infection scenarios to highly personalized operations. Whereas insider activity once revolved around data theft or sabotage, it now extends to direct participation in ransomware deployment. The involvement of English-speaking intermediaries within Medusa highlights this tactical evolution — from opportunistic attacks to carefully orchestrated campaigns rooted in social engineering.
The economics of ransomware have undergone a radical transformation in recent years. In its early days, cybercriminals acted independently — writing code, gaining access, and negotiating ransoms on their own. These operations were inexpensive but yielded modest profits. As corporate defenses strengthened, attackers adopted double extortion tactics, threatening data leaks, and developed the RaaS model, in which ransomware developers enlisted affiliates to distribute their malware en masse. This ecosystem quickly expanded, spawning infrastructure costs, hosting fees, and even “customer support” services. Internal disputes between developers and affiliates, combined with eroding trust within the criminal underground, destabilized the market. By 2024, several major “brands” had collapsed, and many groups abandoned encryption altogether, resorting instead to pure data extortion.
Today’s landscape is defined by shrinking profits and rising costs. To stay afloat, ransomware operators are forced to invent new infiltration strategies, increasingly turning to social engineering and insider bribery. As organizations harden their defenses and refuse to pay, the prospect of quick profit fades. The average ransom payment fell by 66% to $376,941, while the median dropped 65% to $140,000. The overall payment rate hit a historic low of 23%, and among data-theft-only cases, just 19% of victims paid. An ever-growing number of legal and crisis-response professionals now adopt a principled stance against any payment — viewing even “symbolic settlements” as undermining collective resistance to extortion.
The most active groups remain Akira and Qilin, holding 34% and 10% of the market respectively, followed by Lone Wolf, Lynx, Shiny Hunters, and KAWA4096. The primary attack vectors remain unchanged — remote access, phishing, and vulnerability exploitation — yet the boundaries between them have blurred. Attackers now combine technical and psychological manipulation, coaxing employees into granting access themselves. Increasingly, the success of an attack depends not on exploits, but on exploiting trust.
The predominant tactics include data exfiltration (76%), lateral network movement (73%), and the establishment of command channels via legitimate tools such as Microsoft Quick Assist. Nearly every attack still involves encryption, but researchers note a widening gap between the actual extent of damage and the ability to detect it — particularly in virtualized environments where traces of compromise are quickly erased.
The average size of victim organizations rose to 362 employees, up 25% from the previous quarter. Yet contrary to expectations, larger targets have not produced higher payouts. Attackers are spending more resources on complex infiltrations, but the financial return increasingly fails to justify the investment. This accelerating imbalance underscores the decline of the ransomware economy and is pushing threat actors toward new pressure tactics — from insider collusion to hybrid attacks blending psychological coercion with technical intrusion.