REEF Editorial · 4 min read

Ransomware in 2025: the 44% finding and what it means

Ransomware showed up in 44% of breaches in this year's DBIR — up from 32%. But median ransom payments dropped, and 64% of victims paid nothing. The economics are shifting.

Ransomware · Research

The 2025 Verizon DBIR's ransomware finding got less coverage than the human-element headline, but it deserves more attention than it got. Ransomware (with or without encryption) appeared in 44% of all breaches in this year's dataset, up from 32% the prior year, a 37% relative increase. That's the volume story.

The economics story is different. Median ransom paid dropped to $115,000, down from $150,000. 64% of victim organizations did not pay the ransom. And ransomware claim severity in the insurance market has been moderating.

What's actually going on?

More attempts, less successful extortion

Two trends are running in parallel:

  1. Ransomware-as-a-service has lowered the cost of running an attack. More affiliates, more targeting, more attempted intrusions. This drives the volume number up.
  2. Defender capability has improved faster than attacker capability. Better backups (especially immutable, network-segmented backups), better detection, better incident response playbooks, and stronger insurance-mediated negotiation have collectively reduced how often a ransom actually gets paid.

The result is a 2025 ransomware landscape with more attempts and fewer successful extortion outcomes. It's not victory — but it's a marked shift from where the market sat in 2021-2023, when payment rates were materially higher.

The SMB problem

The DBIR explicitly flags ransomware as disproportionately a problem for small and mid-sized organizations. The reasons are structural:

  • SMBs underinvest in backups. Or they have backups but discover at the worst moment that they're connected to the production network and got encrypted along with everything else.
  • SMBs have less mature incident response. A 500-person company often has no internal IR capability. A ransomware event becomes a fire drill that costs days while a third-party IR firm is engaged.
  • SMBs are underinsured. Either they don't carry cyber coverage, or they carry too little, or they have sub-limits on extortion that don't cover the actual demand.

If you're a sub-1,000 person organization, the DBIR data should make ransomware preparation a first-quartile budget item.

What changed defender economics

A few things explain the falling payment rate:

Backup hygiene improved. The rise of immutable, air-gapped, or cloud-native backup architectures means many organizations now have a real recovery path that doesn't involve negotiation. Recovery from backup is faster and cheaper than negotiation, every time.

Insurance negotiation matured. Cyber insurance carriers — and their incident response panels — have years of negotiation data now. They know which threat actor groups are negotiable, which honor data deletion claims, which don't. Skilled negotiation routinely brings demands down 60-80%, and in many cases ends in no payment because the alternative cost (rebuild) is lower.

Government pressure raised the bar on payment. Treasury sanctions on certain threat actor groups, US executive guidance discouraging payment, and several states' explicit prohibitions on government entities paying ransoms have created a "default to don't pay" posture that didn't exist three years ago.

Decryption tooling and actor disruption. Law enforcement disruption operations against several ransomware groups (with decryptor releases for victims) have weakened a few of the most prolific affiliates.

What the data does NOT say

Worth being honest about: the DBIR does not say ransomware is a solved problem. A few caveats:

  • Volume is up sharply. A 37% increase in ransomware presence across all breaches is significant. Even if payment rates fall, the operational disruption and recovery cost from a ransomware event remains substantial.
  • Median ransom paid is down, but the mean is not. Big-game hunting (large enterprise targets, multi-million-dollar demands) still happens. The median dropped because more SMB victims successfully refused to pay; the high end didn't move much.
  • Data exfiltration extortion is rising. Some ransomware actors have moved to "we won't encrypt — we'll just leak your data unless you pay." That's harder to recover from with backups.

What to actually do

Three program priorities that map directly to the DBIR data:

1. Test your backup restore. Not "do we have backups." Actually run a restore drill where you restore from your backups end-to-end (a discussion-only tabletop does not count). Time it. Many organizations discover during the test that their RTO target is fiction.

2. Decide your payment posture in advance, in writing. The middle of an active incident is not when to figure out whether you'd pay. Document a position — including who has the authority to decide, what counsel is involved, and what your insurance carrier requires you to do — before you need it.

3. Reduce initial access. Most ransomware doesn't start with "ransomware." It starts with phishing, credential abuse, or vulnerability exploitation. The DBIR data on these initial access vectors is unchanged: phishing and credentials are the dominant entry points. A strong awareness program and aggressive MFA rollout reduce the rate at which ransomware events even get to the deployment stage.
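Priority 1 is only meaningful if the restore is actually exercised, verified and measured. The script below is an added example (not code from REEF or from the DBIR) of a minimal restore drill: it restores a backup into a scratch directory, checks every restored file against a SHA-256 manifest captured at backup time, times the whole run and compares it with the RTO. It also reproduces the SMB failure mode described earlier, a backup that sat on the production network and was encrypted along with it, and shows that the manifest check catches it. The sample files, the `restore-drill` directory names and the `shutil.copytree` "restore" are constructed assumptions standing in for a real backup tool.

```python
"""Backup restore drill: restore, verify against a hash manifest, time it,
compare with the RTO. Added example; not REEF's or the DBIR's code."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample "production" data for the drill (not real customer data).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "db/orders.csv": b"id,customer,total\n10,1,42.50\n",
    "config/app.yaml": b"retention_days: 30\n",
}


def build_manifest(src: Path) -> dict[str, str]:
    """SHA-256 of every file under src, keyed by POSIX-style relative path.
    Capture this at backup time and store it separately from the backup
    (e.g. in an immutable bucket) so that whoever encrypts the backup
    cannot also rewrite the expected hashes."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """Return a list of problems: files missing from the restore or whose
    content hash differs from the manifest. Empty list means clean."""
    failures = []
    for rel, expected in manifest.items():
        f = restored / rel
        if not f.is_file():
            failures.append(f"{rel}: missing")
            continue
        if hashlib.sha256(f.read_bytes()).hexdigest() != expected:
            failures.append(f"{rel}: hash mismatch")
    return failures


def run_restore_drill(backup: Path, manifest: dict[str, str],
                      rto_seconds: float) -> dict:
    """Restore into a fresh scratch directory, verify every file, and time
    the end-to-end run. 'passed' requires both a clean verification and
    an elapsed time within the RTO target."""
    scratch = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    target = scratch / "restored"
    start = time.perf_counter()
    # Assumption: the backup is a plain directory tree; a real drill would
    # call the backup product's restore command here instead.
    shutil.copytree(backup, target)
    failures = verify_restore(target, manifest)
    elapsed = time.perf_counter() - start
    shutil.rmtree(scratch, ignore_errors=True)
    within_rto = elapsed <= rto_seconds
    return {
        "files_checked": len(manifest),
        "failures": failures,
        "elapsed_seconds": elapsed,
        "within_rto": within_rto,
        "passed": not failures and within_rto,
    }


def make_sample_backup() -> tuple[Path, dict[str, str]]:
    """Write the constructed sample data, record a manifest, take a copy."""
    root = Path(tempfile.mkdtemp(prefix="drill-"))
    prod = root / "prod"
    for rel, data in SAMPLE_FILES.items():
        f = prod / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    manifest = build_manifest(prod)
    backup = root / "backup"
    shutil.copytree(prod, backup)
    return backup, manifest


def corrupt_backup_file(backup: Path, rel: str) -> None:
    """Simulate a backup that was reachable from production and got
    encrypted along with everything else: overwrite one file with junk."""
    (backup / rel).write_bytes(b"\x00ENCRYPTED-BY-RANSOMWARE\x00")


if __name__ == "__main__":
    backup_dir, manifest = make_sample_backup()
    print("clean backup:", run_restore_drill(backup_dir, manifest, rto_seconds=60))
    corrupt_backup_file(backup_dir, "db/customers.csv")
    print("tampered backup:", run_restore_drill(backup_dir, manifest, rto_seconds=60))
```

The important design choice is that the manifest is produced from production data at backup time and kept out of reach of the backup itself; a drill that only confirms "the restore job finished" would have reported success on the tampered copy too. In a real program, replace the directory copy with the backup product's restore command and feed the measured `elapsed_seconds` back into the RTO you have committed to.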

The economic shift

The 2025 ransomware landscape is busier and noisier than 2024 — but not necessarily more lucrative for attackers. That's a real win for defenders, and it's worth understanding why:

  • More backups
  • More incident response capability
  • More insurance-mediated negotiation
  • More legal and regulatory pressure not to pay

Each of those is a downstream effect of investments security teams have been making for the past three years. The 44% volume number isn't a defeat; it's the visible part of a pattern where attackers are spending more effort to get less in return. That trend continues only if defenders keep investing.


Source: Verizon 2025 Data Breach Investigations Report — Executive Summary.

