The Decline Of Ransomware Profits Amid Rising Refusal To Pay
In recent quarters, ransomware threat actors have faced a steep drop in profits as an increasing number of victims refuse to pay. This decline has prompted cybercriminals to reassess their tactics and explore alternative avenues to regain leverage.

Ransomware payment rates have sunk to record lows. In Q1 2024, only 28% of victims paid ransom demands, marking a new low in extortion success rates. Over successive quarters, that percentage has continued to erode. By Q3 2025, the overall resolution rate (that is, the share of extortions in which threat actors succeeded) had dropped to 23%, according to new research published by Coveware.
This decline reflects both improved defenses on the part of the victims and increased external pressure on organizations not to capitulate. Many firms now deploy stronger ransomware-resilient security measures and cultivate a willingness to endure data loss rather than fund criminal enterprises.
Legal actors and regulators also discourage ransom payments, thereby intensifying the reputational and regulatory costs associated with paying.
In practical terms, ransomware groups are seeing shrinking yields:
- In Q3 2025, the average ransom payment fell to $376,941, while the median stood at $140,000.
- Those represent a 66% and 65% drop, respectively, from the Q2 2025 figures.
- Among incidents involving only data exfiltration (without encryption), the payment rate slipped even further, to 19%, a new record low in that sub-category.
The shift is especially stark when viewed longitudinally. Coveware and other threat intelligence firms have recorded a consistent downward trend in payment rates since 2019. In many quarters, payment rates have been undercut by approximately 30%.
The causes of this decline in profitability are multifaceted:
- Improved defensive posture and response capabilities. Organizations have hardened recovery, backup systems, and incident response playbooks. They can often recover without paying.
- Legal and regulatory pressure. Some jurisdictions are increasingly discouraging ransom payments; insurers and counsel may refuse to accept claims if payment is made.
- Erosion of trust in attackers' promises. Many ransomware actors have reneged on promises not to leak or resell data, reducing victims' confidence that payment ensures non-publication.
- RaaS ecosystem strain. The rise of Ransomware-as-a-Service introduced overhead (hosting leak sites, negotiating support, paying affiliates). As margins shrink, affiliates demand higher cuts, leading to internal disruption.
- Selective target exhaustion. Larger enterprises have invested heavily in security, making them more difficult to breach; many ransomware actors now target mid-market or less hardened firms.
Those shifts have real consequences for the economics of attackers. Several previously dominant RaaS operations dissolved or rebranded into pure data theft outfits in 2024, citing unprofitable business models. Some affiliates even abandoned ransomware activity entirely.
Moreover, attacker tactics have evolved. Over 76% of observed incidents in Q3 2025 involved data exfiltration, which increasingly serves as the primary goal rather than just a tool to amplify encryption pressure. In incidents without encryption, the already low payment rates drop further.
As direct encryption extortion profits continue to decline on average, threat actors now emphasize:
- More precise targeting of organizations more likely to pay.
- Greater reliance on social engineering and insider recruitment for stealthy access.
- Use of remote access compromise as a dominant initial vector, often combined with phishing or help-desk abuse.
As payment rates dwindle, threat actors are being forced into high-stakes gambits, and that transition is shaping new ransomware strategies.
Ransomware Actors Seek New Payment Channels
As traditional ransom payments become less reliable, threat actors are experimenting with more creative, aggressive, and diversified strategies to ensure payment compliance. Their evolving approaches highlight a more adaptive, if riskier, criminal model.
One of the most striking developments is the explicit recruitment or bribery of insiders. In a widely publicized case, the Medusa ransomware gang reached out to a BBC journalist with a proposal: assist in compromising the organization's systems, and receive 15% of any ransom paid. The attacker even offered 0.5 BTC in escrow before the breach.
The approach failed because the journalist refused to cooperate, but it underscores how ransomware groups now view insiders as direct, cost-effective vectors. Coveware noted that this shift is no coincidence. As ransomware margins decline, actors must reduce costs and raise effective hit rates; insider access provides both.
Attackers have refined their tactics to blur the lines between technical intrusion and social manipulation. Threat groups impersonate support personnel or SaaS help desks to coax victims into granting access or privilege escalation. They may also exploit OAuth workflows, abusing token permissions or cloud app access to infiltrate environments without needing classic payload deployments. This hybrid method turns remote access compromise into a psychological as well as a technical problem.
Facing fragmented profits across many minor victims, ransomware actors are now increasingly targeting large, high-value organizations, known as "white whales." While breaching such organizations demands more effort, the payoffs can justify the cost in this new low-margin economy. These tailored intrusions often exploit zero-day or unpatched vulnerabilities, combined with social engineering or insider assistance.
Some groups are subtly shifting business models away from simple ransom demands. Instead, they may:
- Monetize stolen data directly (e.g., sell it to competitors or darknet buyers) rather than relying on extortion payments.
- Use ransomware as a diversion to plant malware related to ransomware (e.g., crypto miners, persistent backdoors) for long-term revenue.
- Coerce victims into subscription-style payments (e.g., "ransom for monthly leak suppression") rather than one-off payments.
To rebuild trust with skeptical victims, some operators now propose escrow schemes or partial guarantees. They may offer proof of decryption or partial release before full payment. This kind of "trust building" has been rare historically but is emerging under pressure. While no public case in the provided sources details a fully functioning escrow, analysts consider such mechanisms likely to arise under stressed economies.
In summary, ransomware groups are currently facing a structural crisis. The traditional extortion model, with its reliance on victim compliance, has become far less lucrative as organizations refuse to pay, regulatory pressure increases, and defenses become more robust. In response, threat actors are becoming more creative. They are recruiting insiders, abusing social and technical trust, targeting bigger prize organizations, and turning to nuanced forms of extortion and data monetization.
These adaptations suggest that the ransomware threat will not vanish with falling payment rates, but rather morph into forms that are harder to detect and counter. Vigilance, defense-in-depth, insider threat monitoring, and a strong anti-extortion and incident response posture remain more essential than ever.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
The PCrisk security portal is brought to you by the company RCS LT.
The joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.