Ransomware Payouts Decline as Defenses Strengthen, But Threat Actors Adapt
A new report from cyber insurance provider Coalition reveals a sharp decline in ransomware payouts, signaling improved resilience among enterprises. In 2025, only 14% of policyholders paid ransoms down from 44% in 2024 despite attackers maintaining average demands of $1 million. The shift reflects stronger defenses, including robust backups, incident response plans, and proactive security measures.
The findings align with Chainalysis’ 2026 Crypto Crime Report, which noted a drop in total on-chain ransomware payments last year. Researchers attributed the decline to better incident response, regulatory pressure, law enforcement crackdowns on ransomware groups, and the fragmentation of ransomware-as-a-service (RaaS) operations, leading to smaller, less coordinated attacks.
However, threat actors are evolving their tactics. Triple-extortion schemes where attackers encrypt data, exfiltrate it, and threaten to leak it to victims’ customers or employees are becoming more common. Some groups have even adopted quadruple extortion, filing complaints with regulators like the SEC against victims for delayed breach disclosures to increase pressure.
AI is reshaping the ransomware landscape, enabling attackers to automate and scale operations while targeting both large enterprises and smaller businesses. On the defensive side, security teams are leveraging AI to prioritize vulnerabilities, detect anomalies, and respond faster to threats.
While ransomware remained the costliest cyber claim in 2025 (averaging $269,000 per incident), business email compromise (BEC) and funds transfer fraud (FTF) dominated overall, accounting for 58% of incidents. BEC claims rose 15% year-over-year, with average losses increasing 28% to $27,000, often serving as a precursor to more severe attacks like FTF.
Remote access tools particularly VPNs (59% of ransomware entry points) and remote desktop applications (14%) remain prime targets. Managed security service providers (MSSPs) play a critical role in securing these vectors through continuous monitoring, identity protections, and timely patching. Coalition’s incident response team also demonstrated success in reducing ransom demands by 65%, negotiating average payouts down from $873,000 to $355,000.
The data underscores a shifting dynamic: while ransomware remains a major threat, stronger defenses and declining payouts may force attackers to adapt further potentially increasing the use of AI-driven attacks and multi-layered extortion tactics.
Source: https://www.msspalert.com/news/ransom-demands-are-up-but-payments-are-down-coalition-finds
Coalition, Inc. cybersecurity rating report: https://www.rankiteo.com/company/coalitioninc
"id": "COA1773095050",
"linkid": "coalitioninc",
"type": "Ransomware",
"date": "1/2025",
"severity": "75",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'type': ['enterprises', 'smaller businesses']}],
'attack_vector': ['VPNs', 'remote desktop applications', 'email'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': ['personally identifiable information'],
'type_of_data_compromised': ['encrypted data',
'exfiltrated data']},
'date_publicly_disclosed': '2025',
'description': 'A new report from cyber insurance provider Coalition reveals '
'a sharp decline in ransomware payouts, signaling improved '
'resilience among enterprises. Threat actors are evolving '
'tactics, including triple-extortion schemes and AI-driven '
'attacks, despite stronger defenses like robust backups and '
'incident response plans.',
'impact': {'data_compromised': ['encrypted data',
'exfiltrated data',
'personally identifiable information'],
'financial_loss': '$269,000 (average per ransomware incident)',
'legal_liabilities': ['regulatory complaints filed by attackers'],
'systems_affected': ['VPNs',
'remote desktop applications',
'email systems']},
'initial_access_broker': {'entry_point': ['VPNs',
'remote desktop applications']},
'lessons_learned': 'Stronger defenses, including robust backups, incident '
'response plans, and proactive security measures, have '
'reduced ransomware payouts. However, threat actors are '
'adapting with AI-driven attacks and multi-layered '
'extortion tactics.',
'motivation': ['financial gain', 'data exfiltration', 'regulatory pressure'],
'post_incident_analysis': {'corrective_actions': ['enhanced monitoring',
'timely patching',
'network segmentation'],
'root_causes': ['weaknesses in remote access tools',
'lack of timely patching',
'insufficient monitoring']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': '$1,000,000 (average)',
'ransom_paid': '$355,000 (average negotiated payout)'},
'recommendations': ['Strengthen defenses with robust backups and incident '
'response plans',
'Proactively monitor and patch remote access tools like '
'VPNs and remote desktop applications',
'Leverage AI for vulnerability prioritization and anomaly '
'detection',
'Engage managed security service providers (MSSPs) for '
'continuous monitoring and identity protections'],
'references': [{'date_accessed': '2025', 'source': 'Coalition Report'},
{'date_accessed': '2025',
'source': 'Chainalysis’ 2026 Crypto Crime Report'}],
'regulatory_compliance': {'legal_actions': ['SEC complaints filed by '
'attackers']},
'response': {'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'remediation_measures': ['robust backups', 'timely patching'],
'third_party_assistance': ["Coalition's incident response team",
'managed security service providers '
'(MSSPs)']},
'threat_actor': ['ransomware groups', 'initial access brokers'],
'title': 'Decline in Ransomware Payouts as Defenses Strengthen and Threat '
'Actors Adapt',
'type': ['ransomware',
'business email compromise (BEC)',
'funds transfer fraud (FTF)']}