Ransomware Payments Fall to Record Low as Data-Theft Extortion Dominates

CyberSecureFox 🦊

According to Coveware’s latest Q3 2025 ransomware report, the share of organizations that pay after an incident has fallen to a historic low. Only 23% of victims paid a ransom, down from 28% in early 2024. The average payment dropped to $377,000, and the median fell to $140,000, extending a six-year decline in both payment rates and ticket sizes.

Why refusal to pay is rising: enforcement pressure and maturing defenses

A combination of law enforcement pressure, regulatory scrutiny, insurance requirements, and improved cyber hygiene is shifting decisions away from payment. Each refusal weakens the attackers’ business model by reducing ROI and raising operational risk.

Law enforcement and regulatory factors

Multinational actions against ransomware ecosystems—such as the FBI/Europol disruptions of Hive and QakBot, the LockBit infrastructure takedown efforts, and Operation Endgame targeting criminal botnets—have increased friction for threat actors. At the same time, corporate policies and cyber insurance clauses increasingly disincentivize payment, while sanctions and compliance guidance, including OFAC advisories, require stricter due diligence before any funds are transferred.

From encryption to data theft: the shift to extortion via exfiltration

Attackers continue to move beyond traditional file encryption. Data theft—and the threat to publish stolen information—has become the primary lever. In Q3 2025, data-theft scenarios accounted for more than 76% of incidents. In these “non-encrypting” cases, organizations that rapidly contain the intrusion and validate the integrity of backups and recovery plans reduce the likelihood of paying to just 19%, Coveware notes.

The economics of refusal for threat actors

Lower payment rates and shrinking payouts erode the profitability of campaigns. In response, groups are increasing reconnaissance on targets, staging multi-pronged pressure (partial data leaks, outreach to partners or customers), and investing more heavily in social engineering and insider recruitment to regain leverage.

Target profile and initial access: mid-market under pressure

Coveware attributes 44% of observed ransomware attacks in Q3 2025 to Akira and Qilin. As large enterprises harden their environments and resist payment, adversaries are prioritizing the mid-market, where a stronger need for rapid operational recovery can translate into negotiation willingness.

Initial access continues to concentrate around compromised remote access (RDP/VPN), exploitation of vulnerabilities in business-critical software, and supply chain footholds. Social engineering is rising, including business-process-themed phishing and the direct bribery of employees for network access.

Controls that consistently reduce risk and response costs

Organizations most likely to refuse payment typically have foundational controls in place: multi-factor authentication enforced for all remote access, rigorously segmented networks, prompt patching of high-risk vulnerabilities, and tested, offline backups that ensure clean recovery.

Equally important are EDR/XDR with 24/7 monitoring to detect lateral movement, privileged access management (PAM) to limit blast radius, minimization of exposed services, and predefined procedures for rapid isolation of endpoints and accounts during an incident.

To counter “double extortion” (data exfiltration plus publication pressure), deploy data loss prevention (DLP) where feasible, keep a current inventory of sensitive data, and apply encryption for data at rest and in transit. Establish processes to quickly determine what was accessed or exfiltrated to strengthen legal, regulatory, and communications responses.

Regular tabletop exercises, ready-to-execute incident response playbooks, established contacts with law enforcement, and legal readiness for stakeholder notifications compress decision time, reduce uncertainty, and blunt extortion attempts. Extending these practices to key vendors and managed service providers further limits supply chain exposure.

The data points to a new norm: refusing to pay is increasingly viable when organizations prepare for containment and recovery. Strengthening remote access, closing known vulnerabilities, training staff against social engineering, and institutionalizing incident readiness across leadership and suppliers directly lowers the probability of extortion success—and avoids tomorrow’s ransom by investing in prevention and managed response today.
