Ransomware payments surge as attackers shift to data theft - Coveware

Coveware by Veeam’s Q2 2025 ransomware report reveals ransom payments have doubled, with data exfiltration overtaking encryption as the primary extortion tactic.

DQC Bureau

Ransomware actors are raising the stakes. The latest quarterly findings from Coveware by Veeam show ransom payments doubling in Q2 2025, fuelled by a clear pivot toward data exfiltration and highly targeted social engineering.

Bill Siegel, CEO, Coveware by Veeam, said, “The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook. Attackers aren’t just after your backups – they’re after your people, your processes, and your data’s reputation. Organisations must prioritise employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought.”

Social engineering leads the charge

Three ransomware groups, Scattered Spider, Silent Ransom and Shiny Hunters, dominated activity in the quarter. They traded mass opportunistic attacks for precision breaches, focusing on impersonating employees, help desks and service providers. By exploiting trust, they gained faster and deeper access than with traditional malware-heavy methods.

Ransom payments hit record levels

Average and median ransom payments climbed to $1.13 million and $400,000 respectively, both more than doubling from Q1 2025. The rise is linked to organisations paying after data theft-only incidents, where no encryption occurred but sensitive data was held hostage. Despite the jump in ransom size, the overall payment rate held steady at 26%.

Data theft overtakes encryption

In 74% of cases, data exfiltration was the central weapon. Encrypting files is no longer essential for extortion. Instead, attackers increasingly rely on the threat of public leaks, lawsuits or regulatory penalties. Multi-extortion tactics, including delayed threats resurfacing months after a breach, are now common.

Industries and victims most exposed

Professional services (19.7%), healthcare (13.7%) and consumer services (13.7%) were hit hardest. Mid-sized firms, with 11–1,000 employees, made up 64% of victims. These companies remain attractive to attackers: they are large enough to afford payouts but often lack hardened cyber defences.

Techniques evolve, but people remain the weak link

Credential theft, phishing and exploitation of remote services remain the top entry points. But attackers are bypassing technical controls through well-crafted social engineering. At the same time, vulnerabilities in platforms such as Ivanti, Fortinet and VMware continue to be exploited. Lone-wolf operators using generic, unbranded ransomware toolkits also gained traction in Q2.

New names on the leaderboard

The most active ransomware variants in Q2 were Akira (19%), Qilin (13%) and Lone Wolf (9%). Silent Ransom and Shiny Hunters entered the top five for the first time, reflecting how fresh players can quickly disrupt the threat landscape.
