Qilin: Ransomware payments hit record low: only 23% Pay in Q3 2025

Ransomware Payments Hit Record Low in Q3 2025, Coveware Reports

In Q3 2025, only 23% of ransomware victims paid attackers the lowest rate ever recorded continuing a six-year decline in payment rates, according to cybersecurity firm Coveware. This follows a brief uptick in early 2024, when 28% of victims paid, before rates resumed their downward trend.

The average ransom payment dropped to $376,941 (a 66% decrease from Q2), while the median fell to $140,000 (down 65%). Large enterprises are increasingly refusing to pay, recognizing that ransoms rarely prevent data leaks. Meanwhile, ransomware groups like Akira and Qilin are targeting mid-sized firms with smaller, more frequent demands, exploiting their lower resilience with a high-volume, low-demand strategy.

Coveware’s report highlights that payment rates for all ransomware scenarios including encryption, data exfiltration, and extortion fell to 23%, with data exfiltration-only attacks seeing an even lower rate of 19%. The decline reflects growing maturity among enterprises, cyber response teams, and privacy attorneys, who now discourage payments as they sustain the extortion economy.

Attackers continue to exploit common entry points, including remote access compromise (accounting for over half of incidents), phishing, and unpatched software vulnerabilities. Weak credentials, poor configuration hygiene, and social engineering remain key vectors. Despite the shift in payment trends, ransomware groups remain opportunistic, targeting organizations with weak security rather than specific industries.

The median size of impacted companies rose to 362 employees in Q3 (up 27% from Q2), challenging the assumption that larger targets guarantee bigger payouts. While attackers may invest more to breach larger organizations, the return on investment is no longer assured.

Source: https://securityaffairs.com/183941/cyber-crime/ransomware-payments-hit-record-low-only-23-pay-in-q3-2025.html

QILIN cybersecurity rating report: https://www.rankiteo.com/company/qilin

"id": "QIL1768636703",
"linkid": "qilin",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'size': 'Median size: 362 employees (Q3 2025)',
                        'type': 'Mid-sized firms, Large enterprises'}],
 'attack_vector': ['Remote access compromise',
                   'Phishing',
                   'Unpatched software vulnerabilities',
                   'Weak credentials',
                   'Poor configuration hygiene',
                   'Social engineering'],
 'data_breach': {'data_encryption': 'Yes (ransomware encryption reported)',
                 'data_exfiltration': 'Yes (data exfiltration-only attacks '
                                      'reported)'},
 'date_detected': '2025-Q3',
 'description': 'In Q3 2025, only 23% of ransomware victims paid attackers—the '
                'lowest rate ever recorded—continuing a six-year decline in '
                'payment rates, according to cybersecurity firm Coveware. The '
                'average ransom payment dropped to $376,941 (a 66% decrease '
                'from Q2), while the median fell to $140,000 (down 65%). '
                'Ransomware groups like Akira and Qilin are targeting '
                'mid-sized firms with smaller, more frequent demands. Payment '
                'rates for all ransomware scenarios fell to 23%, with data '
                'exfiltration-only attacks seeing an even lower rate of 19%. '
                'Attackers exploit remote access compromise, phishing, and '
                'unpatched software vulnerabilities, with weak credentials and '
                'poor configuration hygiene as key vectors.',
 'impact': {'financial_loss': '$376,941 (average ransom payment in Q3 2025)'},
 'lessons_learned': 'Enterprises are increasingly refusing to pay ransoms, '
                    'recognizing that payments rarely prevent data leaks. '
                    'Cyber response teams and privacy attorneys now discourage '
                    'payments to avoid sustaining the extortion economy. '
                    'Attackers are shifting to high-volume, low-demand '
                    'strategies targeting mid-sized firms with lower '
                    'resilience.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': ['Remote access compromise',
                                            'Phishing',
                                            'Unpatched software '
                                            'vulnerabilities',
                                            'Weak credentials',
                                            'Poor configuration hygiene',
                                            'Social engineering']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_paid': '23% of victims (Q3 2025), 19% for data '
                               'exfiltration-only attacks',
                'ransomware_strain': ['Akira', 'Qilin']},
 'recommendations': 'Improve remote access security, patch software '
                    'vulnerabilities, enforce strong credential hygiene, '
                    'enhance configuration management, and educate employees '
                    'on social engineering risks. Organizations should also '
                    'prepare for ransomware attacks by implementing robust '
                    'incident response plans and backup strategies.',
 'references': [{'source': 'Coveware'}],
 'threat_actor': ['Akira', 'Qilin'],
 'title': 'Ransomware Payments Hit Record Low in Q3 2025',
 'type': 'Ransomware'}