Ransomware Groups May Pivot Back to Encryption as Data Theft Tactics Falter

As data exfiltration alone no longer delivers ROI for extortion, ransomware gangs may increasingly encrypt data for additional leverage.

Mere data exfiltration is no longer a lucrative approach for ransomware groups, and threat actors may increasingly rely on encryption to regain leverage, Coveware notes in a new report.

Following a series of highly successful data-exfiltration-only attacks conducted by known groups such as Cl0p, other ransomware groups adopted the trend, stealing victims’ data without encrypting it.

The campaigns targeting MOVEit, Cleo, and Oracle E-Business Suite (EBS) customers are proof that the approach no longer delivers return on investment, Coveware says.

Cl0p, it explains, started this trend with a simple strategy: it acquired an exploit for a zero-day vulnerability in a popular enterprise file transfer or data storage product, hacked as many instances as possible for data exfiltration, and extorted each compromised entity into paying a ransom.

In 2021, the group likely made tens of millions of dollars using this tactic in the Accellion campaign, when over 25% of the impacted organizations likely paid a ransom. Roughly 20% of the entities impacted by the GoAnywhere MFT hack also paid a ransom.

In the subsequent campaigns, however, the victims’ willingness to pay dropped significantly: less than 2.5% of those affected by the MOVEit breach paid, and almost none paid in the Cleo and Oracle EBS incidents, Coveware says in its latest ransomware trends report.

According to the company, this trend was fueled by overall maturity in responding to an enterprise breach: paying does not suppress legal consequences and does not ensure that the attackers will not retain, leak, or recycle the stolen data.

“Enterprises are getting educated on the pros and cons of paying a ransom to suppress the release of already breached data. The bullet points on the ‘pro’ side of the white board are getting increasingly scarce, while the cons side is getting crowded,” Coveware notes.

The Shiny Hunters extortion group, the company says, adopted the tactic, but also with disappointing financial results. In both the Snowflake and Salesforce attacks, victims rarely paid a ransom.

Amid record low ransom payment rates, Coveware expects ransomware groups to return to data encryption, “which has always been a more effective lever than data extortion at increasing the chance of payment.”

Additionally, threat actors may seek additional means to monetize access to the compromised networks, beyond direct extortion, and are expected to downsize their operations to minimize both cost and risk.

Average payments increase

Despite low willingness to pay, average ransom payments were close to $600,000 in the fourth quarter of last year (up 57% from Q3), driving median payments up as well, to $325,000 (up 132% from Q3).

“The pronounced spikes in average payment reflect isolated, high-impact incidents, typically tied to decryption-motivated settlements where business interruption could not be otherwise mitigated. These events are not indicative of a broad resurgence in willingness to pay,” Coveware says.

The median ransom payments remain lower than the average because the attacks mainly target small and mid-sized businesses, which are limited in the amounts they can sustain, Coveware notes.

Overall, ransom payment rates reached roughly 20% in the last three months of 2025, with high-value settlements driven purely by data exfiltration declining and payment magnitude influenced by incident impact.

According to Coveware, organizations show an increased resilience to encryption-driven ransomware attacks, being able to restore operations without paying up, but threat actor activity remains high.

During the fourth quarter of last year, Akira was the most active ransomware group, accounting for approximately 14% of the observed activity, followed by Qilin with 13% and Lone Wolf with 12%.

In Q4 2025, the professional services sector was targeted by the largest number of ransomware attacks, at 18.92%, followed by healthcare at 15.32%, technology hardware and equipment at 9.91%, software services at 7.21%, and consumer services at 9.01%, Coveware’s ransomware trends report shows.

“Each avoided ransom payment removes oxygen from the cyber extortion ecosystem. The cumulative effect of improved prevention, reduced blast radius, and disciplined response decision-making continues to erode attacker economics, particularly for volume-driven RaaS operations,” Coveware notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
