Ransom payments surge to USD $1.13 million as data theft rises
The report highlights that average and median ransom payments rose sharply during the second quarter. The average ransom reached USD $1.13 million, a 104% increase from Q1 2025, while the median doubled to USD $400,000. This escalation follows a pattern of more significant demands after incidents in which data is stolen rather than systems encrypted.
Social engineering threats
According to Coveware by Veeam, three major ransomware groups - Scattered Spider, Silent Ransom, and Shiny Hunters - dominated activity in Q2. These offenders shifted away from broad, opportunistic attacks to highly targeted campaigns, employing sophisticated impersonation techniques. The tactics included posing as employees or service providers to breach help desks and exploit internal processes.
"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook," said Bill Siegel, CEO of Coveware by Veeam. "Attackers aren't just after your backups – they're after your people, your processes, and your data's reputation. Organisations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought,"
Data exfiltration on the rise
The report found that data theft is now prioritised over encryption in extortion efforts. Exfiltration was involved in 74% of ransomware cases handled by Coveware in Q2. Attackers increasingly rely on multi-extortion tactics and are known to issue delayed threats, prolonging risks to targeted organisations long after the initial breach is detected and contained.
Targeted sectors and company sizes
Analysis of the case data indicates that the professional services, healthcare, and consumer services sectors accounted for the highest proportion of incidents, comprising 19.7%, 13.7%, and 13.7% of attacks, respectively. Mid-sized enterprises, defined as those employing between 11 and 1,000 people, represented 64% of victim organisations. The report notes that attackers view such companies as offering the best balance between substantial ransom payout potential and relatively less developed cyber defences.
Attack methods and vulnerabilities
Credential compromise, phishing emails, and exploitation of internet-facing services remain the principal means of obtaining initial access to victim networks. The report also points to increased exploitation of vulnerabilities in well-known platforms including Ivanti, Fortinet, and VMware. Simultaneously, there has been a rise in attacks by so-called "lone wolf" perpetrators. These individuals are described as seasoned extortionists who use generic toolkits, but without clear branding or affiliation to known ransomware groups.
The top ransomware variants in Q2 were named as Akira (19%), Qilin (13%), and Lone Wolf (9%). For the first time, Silent Ransom and Shiny Hunters also appeared within the top five variants monitored.
Ransom payment dynamics
The report attributes the dramatic increase in payment values largely to larger organisations choosing to pay ransoms following theft of sensitive data. This occurred even as the overall percentage of organisations agreeing to pay ransoms remained steady at 26%.
Coveware by Veeam reports that its findings are based on proprietary data collected during incident response engagements, rather than external or third-party sources. The company utilises forensic tools and detailed documentation of threat actor behaviour to generate its quarterly insights. These reports are intended to offer actionable guidance on ongoing trends and new tactics, techniques, and procedures emerging within the ransomware landscape.
Through real-time analysis, Coveware by Veeam has identified patterns that inform recommendations for enhancing organisational defences, such as improved employee training, more rigorous identity management protocols, and preparedness for incidents focused purely on data theft.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
4 hours ago
- Techday NZ
Asia Pacific manufacturers boost focus on cybersecurity threats
Manufacturers across the Asia Pacific region are facing heightened cybersecurity risks as operational technology (OT) and information technology (IT) systems become increasingly interconnected. New findings from Rockwell Automation's 10th annual State of Smart Manufacturing Report reveal that cybersecurity has become a key concern for manufacturing businesses, second only to inflation and economic conditions. Boardroom priority Manufacturing businesses are recognising cybersecurity as a strategic issue, not just a technological challenge. The report, which collected feedback from over 1,500 manufacturing leaders in 17 countries, shows that one third of respondents hold direct IT and OT cybersecurity responsibilities. As companies further integrate OT and IT in their operations, the risk of cyberattacks grows more complex. Many are increasingly turning to artificial intelligence (AI) and machine learning (ML) to address these risks in real time. "Cybersecurity is no longer just a technology issue - it's a boardroom issue," said Stephen Ford, Vice President and Chief Information Security Officer at Rockwell Automation. "As IT and OT become more connected, the attack surface is expanding. Our latest research confirms what we're seeing firsthand: Cyber risk is now one of the top threats to manufacturing growth. You can't protect tomorrow's enterprise with yesterday's tools. AI is a critical part of the modern security stack, enabling manufacturers to detect threats in real time, maintain productivity, and stay ahead in an increasingly aggressive threat landscape." Key survey findings According to the Rockwell Automation survey, cybersecurity (30%) is now seen as one of the two most significant external risks by respondents, just after inflation and economic growth (34%). More than half (61%) of cybersecurity and IT professionals plan to adopt AI or ML-based solutions for security within the next year, 12 percentage points above the broader manufacturing sector. The report also indicates that 38% of manufacturers intend to leverage data collected from current sources to enhance protection. Additionally, 48% of cybersecurity professionals highlighted the need to secure converging IT and OT architecture within the next five years, compared to an average of 37% among all respondents. Workforce and skills needs Talent requirements are also changing as the digital environment evolves. More than half (53%) of respondents from companies with revenues of USD $30 billion or more view cybersecurity practices and standards as extremely important skills, compared with 47% of all respondents. This highlights a growing emphasis on cybersecurity capabilities in workforce development and hiring strategies. The report acknowledges ongoing challenges in talent development, workplace training, and rising labour costs, all of which continue to affect the competitiveness of manufacturing organisations in the region. As manufacturers seek to hire new talent, cybersecurity and analytical skills are expected to be critical requirements. "Cybersecurity has become a business enabler," said Ford. "It's no longer just about preventing threats, it's about empowering transformation with confidence. The most forward-thinking manufacturers are proactively leveraging advanced technologies like AI to stay ahead of evolving risks." Survey methodology The State of Smart Manufacturing Report analysed responses from 1,560 participants from a range of sectors - including consumer packaged goods, food and beverage, automotive, semiconductor, energy and life sciences. Respondents ranged from management to C-suite roles and represented companies with annual revenues from USD $100 million up to more than USD $30 billion. The findings reflect the increasing role cybersecurity plays in manufacturing and reflect industry trends towards integration of IT and OT, the growing use of AI, and prioritisation of skills development for future workforce needs.
Techday NZ
7 hours ago
- Techday NZ
Lior Ron joins Waabi for driverless trucks expansion
Waabi has announced that Lior Ron will join the company as Chief Operating Officer. This appointment is regarded as a significant step as Waabi moves towards scaling its operations and preparing to launch fully driverless trucks later in the year. Lior Ron brings extensive experience in technology and logistics, having served as Founder and Chief Executive Officer at Uber Freight for the past decade. In that role, Ron led the company from its foundation to a logistics platform with annual revenue exceeding USD $5 billion, providing services to one in three Fortune 500 shippers. His background in the construction of a large-scale, multi-modal freight network is viewed as complementary to Waabi's approach to autonomous trucking. Ron's appointment is expected to support Waabi's commercial objectives as it transitions from technology development to market adoption in the trucking sector. In his new role, Ron will focus on shaping the company's commercial strategy and expanding strategic partnerships, drawing on his operational experience and industry knowledge. "After years of focused development, it is clear that the moment of autonomous trucks has decisively arrived and that this technology, which will drive profound societal change, is ready for commercial prime time. With an unparalleled development advantage and a product that is scalable, cost efficient and safe, Waabi is uniquely positioned to lead in this next era," said Lior Ron. "I'm thrilled to join Waabi's world-class team at this pivotal moment to help drive the future of autonomous logistics and deliver its immense value to the world." Waabi's Founder and Chief Executive Officer, Raquel Urtasun, commented on Ron's hire, emphasising his combined experience in technical and operational leadership. "Waabi is entering a pivotal new phase as we transition from pioneering our technology to driving commercial adoption in the trucking industry. Lior brings that rare combination of technical expertise, deep industry knowledge, and proven execution - he truly understands the nuances, challenges, and opportunities within trucking, and how breakthrough technology can unlock the industry's full potential," said Raquel Urtasun. "As a leader who has scaled an end-to-end logistics platform from founding to billions of dollars of annual revenue, he will be an invaluable addition to our executive team, enabling us to accelerate our commercialization at scale and bring our autonomous solutions to market in a way that creates real value for our customers and partners." Waabi has recently achieved several milestones, including a strategic partnership with Volvo Autonomous Solutions for the joint development and deployment of autonomous trucks. The company has also announced technical advancements, such as achieving a simulation realism score of 99.7% for Waabi World, its neural simulator, and the introduction of Mixed Reality Testing, an alternative to closed-course testing. These achievements are described as enabling quicker and more capital-efficient development, supporting feature-complete autonomous driving capabilities. Commercially, Waabi has expanded its presence in the logistics sector through a partnership with Uber Freight, launched in 2023. The two companies have been running regular commercial loads between Dallas and Houston, committing to ongoing expansion and operational integration to demonstrate the practicality and impact of autonomous trucking for shippers and carriers. The company is supported by a range of investors from the technology, automotive, and logistics sectors, and continues to focus on advancing the adoption of its autonomous trucking technology. Follow us on: Share on:
Techday NZ
14 hours ago
- Techday NZ
Ransom payments surge to USD $1.13 million as data theft rises
Coveware by Veeam has released its Q2 2025 ransomware report, indicating significant increases in both the frequency and financial impact of targeted social engineering attacks, particularly those involving data exfiltration. The report highlights that average and median ransom payments rose sharply during the second quarter. The average ransom reached USD $1.13 million, a 104% increase from Q1 2025, while the median doubled to USD $400,000. This escalation follows a pattern of more significant demands after incidents in which data is stolen rather than systems encrypted. Social engineering threats According to Coveware by Veeam, three major ransomware groups - Scattered Spider, Silent Ransom, and Shiny Hunters - dominated activity in Q2. These offenders shifted away from broad, opportunistic attacks to highly targeted campaigns, employing sophisticated impersonation techniques. The tactics included posing as employees or service providers to breach help desks and exploit internal processes. "The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook," said Bill Siegel, CEO of Coveware by Veeam. "Attackers aren't just after your backups – they're after your people, your processes, and your data's reputation. Organisations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought," Data exfiltration on the rise The report found that data theft is now prioritised over encryption in extortion efforts. Exfiltration was involved in 74% of ransomware cases handled by Coveware in Q2. Attackers increasingly rely on multi-extortion tactics and are known to issue delayed threats, prolonging risks to targeted organisations long after the initial breach is detected and contained. Targeted sectors and company sizes Analysis of the case data indicates that the professional services, healthcare, and consumer services sectors accounted for the highest proportion of incidents, comprising 19.7%, 13.7%, and 13.7% of attacks, respectively. Mid-sized enterprises, defined as those employing between 11 and 1,000 people, represented 64% of victim organisations. The report notes that attackers view such companies as offering the best balance between substantial ransom payout potential and relatively less developed cyber defences. Attack methods and vulnerabilities Credential compromise, phishing emails, and exploitation of internet-facing services remain the principal means of obtaining initial access to victim networks. The report also points to increased exploitation of vulnerabilities in well-known platforms including Ivanti, Fortinet, and VMware. Simultaneously, there has been a rise in attacks by so-called "lone wolf" perpetrators. These individuals are described as seasoned extortionists who use generic toolkits, but without clear branding or affiliation to known ransomware groups. The top ransomware variants in Q2 were named as Akira (19%), Qilin (13%), and Lone Wolf (9%). For the first time, Silent Ransom and Shiny Hunters also appeared within the top five variants monitored. Ransom payment dynamics The report attributes the dramatic increase in payment values largely to larger organisations choosing to pay ransoms following theft of sensitive data. This occurred even as the overall percentage of organisations agreeing to pay ransoms remained steady at 26%. Coveware by Veeam reports that its findings are based on proprietary data collected during incident response engagements, rather than external or third-party sources. The company utilises forensic tools and detailed documentation of threat actor behaviour to generate its quarterly insights. These reports are intended to offer actionable guidance on ongoing trends and new tactics, techniques, and procedures emerging within the ransomware landscape. Through real-time analysis, Coveware by Veeam has identified patterns that inform recommendations for enhancing organisational defences, such as improved employee training, more rigorous identity management protocols, and preparedness for incidents focused purely on data theft.
