Ransom payments surge to USD $1.13 million as data theft rises
Coveware by Veeam has released its Q2 2025 ransomware report, indicating significant increases in both the frequency and financial impact of targeted social engineering attacks, particularly those involving data exfiltration.
The report highlights that average and median ransom payments rose sharply during the second quarter. The average ransom reached USD $1.13 million, a 104% increase from Q1 2025, while the median doubled to USD $400,000. This escalation follows a pattern of more significant demands after incidents in which data is stolen rather than systems encrypted.
Social engineering threats
According to Coveware by Veeam, three major ransomware groups - Scattered Spider, Silent Ransom, and Shiny Hunters - dominated activity in Q2. These offenders shifted away from broad, opportunistic attacks to highly targeted campaigns, employing sophisticated impersonation techniques. The tactics included posing as employees or service providers to breach help desks and exploit internal processes.
"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook," said Bill Siegel, CEO of Coveware by Veeam. "Attackers aren't just after your backups – they're after your people, your processes, and your data's reputation. Organisations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought."
Data exfiltration on the rise
The report found that data theft is now prioritised over encryption in extortion efforts. Exfiltration was involved in 74% of ransomware cases handled by Coveware in Q2. Attackers increasingly rely on multi-extortion tactics and are known to issue delayed threats, prolonging risks to targeted organisations long after the initial breach is detected and contained.
Targeted sectors and company sizes
Analysis of the case data indicates that the professional services, healthcare, and consumer services sectors accounted for the highest proportion of incidents, comprising 19.7%, 13.7%, and 13.7% of attacks, respectively. Mid-sized enterprises, defined as those employing between 11 and 1,000 people, represented 64% of victim organisations. The report notes that attackers view such companies as offering the best balance between substantial ransom payout potential and relatively less developed cyber defences.
Attack methods and vulnerabilities
Credential compromise, phishing emails, and exploitation of internet-facing services remain the principal means of obtaining initial access to victim networks. The report also points to increased exploitation of vulnerabilities in well-known platforms including Ivanti, Fortinet, and VMware. At the same time, there has been a rise in attacks by so-called "lone wolf" perpetrators. These individuals are described as seasoned extortionists who use generic toolkits and operate without clear branding or affiliation to known ransomware groups.
The top ransomware variants in Q2 were named as Akira (19%), Qilin (13%), and Lone Wolf (9%). For the first time, Silent Ransom and Shiny Hunters also appeared within the top five variants monitored.
Ransom payment dynamics
The report attributes the dramatic increase in payment values mainly to larger organisations choosing to pay ransoms following theft of sensitive data. This occurred even as the overall percentage of organisations agreeing to pay ransoms remained steady at 26%.
Coveware by Veeam reports that its findings are based on proprietary data collected during incident response engagements, rather than external or third-party sources. The company utilises forensic tools and detailed documentation of threat actor behaviour to generate its quarterly insights. These reports are intended to offer actionable guidance on ongoing trends and new tactics, techniques, and procedures emerging within the ransomware landscape.
Through real-time analysis, Coveware by Veeam has identified patterns that inform recommendations for enhancing organisational defences, such as improved employee training, more rigorous identity management protocols, and preparedness for incidents focused purely on data theft.