Coveware by Veeam Reveals Q2 2025 Ransomware Surge: Social Engineering and Data Exfiltration Drive Record Payouts

Business Wire

4 days ago

SEATTLE--(BUSINESS WIRE)-- Coveware by Veeam ®, the leading authority in ransomware response and cyber extortion trends, today unveiled its Q2 2025 ransomware report, spotlighting a dramatic escalation in targeted social engineering attacks and a surge in ransom payments driven by sophisticated data exfiltration tactics.
'The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook,' said Bill Siegel, CEO of Coveware by Veeam.
'The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook,' said Bill Siegel, CEO of Coveware by Veeam. 'Attackers aren't just after your backups – they're after your people, your processes, and your data's reputation. Organizations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought.'
Key Q2 2025 findings from Coveware by Veeam include:
Social Engineering Drives the Biggest Threats: Three major ransomware groups – Scattered Spider, Silent Ransom, and Shiny Hunters – dominated the quarter, each leveraging highly targeted social engineering to breach organizations across sectors. These groups abandoned mass opportunistic attacks for precision strikes, using novel impersonation tactics against help desks, employees, and third-party service providers.
Ransom Payments Soar to New Highs: Both the average and median ransom payments rocketed to $1.13 million (+104% from Q1 2025) and $400,000 (+100% from Q1 2025), respectively. This spike is attributed to larger organizations paying out after data exfiltration-only incidents, even as the overall rate of organizations paying ransoms held steady at 26%.
Data Theft Overtakes Encryption as Primary Extortion Method: Exfiltration was a factor in 74% of all cases, with many campaigns now prioritizing data theft over traditional system encryption. Multi-extortion tactics and delayed threats are on the rise, keeping organizations in the crosshairs long after an initial breach.
Professional Services, Healthcare, and Consumer Services Hit Hardest: Professional services (19.7%), healthcare (13.7%), and consumer services (13.7%) bore the brunt of attacks. Mid-sized companies (11 – 1,000 employees) comprised 64% of victims, a sweet spot for attackers balancing payout potential against less mature defenses.
Attack Techniques Evolve, Human Factor Remains Key Vulnerability: Credential compromise, phishing, and exploitation of remote services continue to dominate initial access, with attackers increasingly bypassing technical controls via social engineering. Groups regularly exploit vulnerabilities in widely-used platforms (Ivanti, Fortinet, VMware), and 'lone wolf' attacks by seasoned extortionists using generic, unbranded toolkits are on the rise.
New Entrants Reshape Ransomware Rankings: Q2's top ransomware variants were Akira (19%), Qilin (13%), and Lone Wolf (9%), while Silent Ransom and Shiny Hunters entered the top five for the first time.
Coveware by Veeam has helped thousands of cyber extortion victims and developed industry leading software and services that enable rapid forensic triage, extortion negotiation and remediation, cryptocurrency settlements and decryption services with a singular goal and outcome - data recovery from ransomware attacks. Through these incidents, Coveware by Veeam has gathered data and insights on threat actor patterns that provide an unrivaled view of the current threat landscape. These valuable findings are shared with customers to help educate and reduce risks, improve security posture, and ensure rapid recovery. Select Coveware by Veeam capabilities are incorporated into Veeam offerings including Veeam Data Platform and the Veeam Cyber Secure Program, delivering the insights and capabilities to a broader set of customers.
Coveware by Veeam's quarterly report is based on firsthand data, expert insights and analysis from the ransomware and cyber extortion cases that they manage each quarter. By utilizing real-time incident response, proprietary forensic tools (including Recon Scanner), and comprehensive documentation of threat actor behavior, attack vectors, and negotiation outcomes, Coveware by Veeam delivers unparalleled visibility into the threat landscape. By aggregating and analyzing case-specific data – rather than relying on third-party sources – Coveware by Veeam is able to identify emerging trends, track tactics, techniques, and procedures (TTPs), and provide actionable, experience-based intelligence on the rapidly evolving ransomware landscape.
To learn more on this latest report from Coveware by Veeam, read the blog post. For more information on Veeam, visit https://www.veeam.com.
About Veeam Software
Veeam®, the #1 global market leader in data resilience, believes every business should be able to bounce forward after a disruption with the confidence and control of all their data whenever and wherever they need it.​ Veeam calls this radical resilience, and we're obsessed with creating innovative ways to help our customers achieve it.
Veeam solutions are purpose-built for powering data resilience by providing data backup, data recovery, data portability, data security, and data intelligence. ​With Veeam, IT and security leaders rest easy knowing that their apps and data are protected and always available across their cloud, virtual, physical, SaaS, and Kubernetes environments.
Headquartered in Seattle with offices in more than 30 countries, Veeam protects over 550,000 customers worldwide, including 67% of the Global 2000, that trust Veeam to keep their businesses running. ​Radical resilience starts with Veeam. Learn more at www.veeam.com or follow Veeam on LinkedIn @veeam-software and X @veeam.
Frequently Asked Questions:
What are the biggest ransomware threats facing organizations in 2025?
According to the latest report from Coveware and Veeam, the main threats are targeted social engineering attacks and data exfiltration, led by groups like Scattered Spider, Silent Ransom, and Shiny Hunters.
Which industries and company sizes are most impacted by ransomware attacks?
The latest report from Coveware and Veeam found professional services, healthcare, and consumer services firms are most targeted. Mid-sized companies (11–1,000 employees) make up 64% of victims due to less mature defenses.
How have ransomware techniques evolved in 2025?
The latest report from Coveware and Veeam found that attackers now focus on credential compromise, phishing, and exploiting remote services. Social engineering is a key weakness, and there's a rise in 'lone wolf' attacks using generic toolkits and vulnerabilities in platforms like Ivanti, Fortinet, and VMware.
How can organizations strengthen their defenses against ransomware?
Coveware by Veeam advises boosting employee security awareness, hardening identity controls, and urgently addressing data exfiltration risks. Using Veeam's resilience and recovery solutions helps reduce risk and maintain business continuity.