Skip to main content
Emerging ThreatsMalware & Ransomware

ransomware payments: Stunning Risky Surge to $3.6M

ransomware payments: Stunning Risky Surge to $3.6M

“Why pay the ransom?” security teams ask as boardroom calculators click away. For many organizations in 2025 the answer is rawly pragmatic: because the alternative — prolonged outages, stolen data published publicly, regulatory fines and cascading operational losses — can cost far more. ExtraHop’s latest threat landscape report captures this shift: average ransomware payments jumped 44% to $3.6 million in 2025 even as the total number of incidents declined. That single number reframes the conversation from volume to impact.

ransomware payments

The headline — $3.6 million — is striking, but context matters. A rising average alongside fewer incidents signals a market increasingly driven by high-value targeting. Attackers are no longer spray-and-pray vandals; they operate like corporate extortionists who carefully pick targets with deep pockets or critical operations. Ransomware-as-a-Service (RaaS) platforms, affiliate models, double-extortion tactics (encrypting systems while stealing data) and the auctioning or doxxing of stolen material have professionalized the criminal enterprise. These capabilities increase leverage over victims and, in many cases, justify larger payouts.

Economic and legal conditions also shape behavior. Cyber insurance often covers parts of ransom demands, inconsistent breach disclosure laws create uncertainty, and the difficulty of tracing illicit cryptocurrency flows reduces the perceived risk for attackers. These factors can unintentionally encourage ransom payments, especially when organizations face the immediate prospect of severe disruption to services or exposure of sensitive customer data.

A concentrated threat

ExtraHop’s findings suggest attackers are investing more effort where the return is greatest. Rather than mounting thousands of low-value intrusions, criminal groups focus on fewer but more fruitful targets: healthcare providers, large enterprises, supply-chain intermediaries and organizations with weak segmentation. These targets yield bigger recoveries, particularly when the adversary can combine encryption with data theft and extortion.

Technologists see the trend as both urgent and inevitable. “The calculus has changed,” said an incident responder at a managed security services firm. Security programs must assume that any successful breach could result in near-immediate data exfiltration and extortion. That means shifting focus from simply preventing file encryption to early detection of lateral movement and data theft. Zero trust segmentation, rigorous backup validation, extended detection and response (XDR) platforms, and regular tabletop exercises are no longer optional — they are essential.

Policy tensions and practical consequences

Policymakers are wrestling with how to respond. Legislatures in the U.S., U.K. and EU are debating tougher reporting requirements, limits on ransom payments, and clearer rules around cyber insurance. Advocates of mandatory breach reporting argue it would enhance transparency and intelligence sharing; opponents counter that bans on payments risk harming victims — especially hospitals or utilities — if criminals threaten life-critical systems. The debate exposes a core tension: how to deter criminals without putting victims in operational peril.

For customers and employees the consequences are immediate and tangible: delayed payroll, interrupted services, leaked personal information and long-term reputational damage. Small and medium-sized enterprises are particularly vulnerable; a single multi-million-dollar payout or the indirect costs of recovery — legal fees, fines, remediation and lost business — can be existential.

How attackers adapt

Higher payouts encourage specialization across the criminal ecosystem. Access brokers sell high-quality initial footholds; affiliates hone extortion techniques aimed at pressuring leadership teams; some groups stage partial leaks to prove credibility and accelerate payment. Others combine ransomware with supply-chain compromises to magnify impact by hitting multiple victims through a single compromised vendor.

Practical risk management steps

Organizations can take several concrete steps to reduce the likelihood and impact of an extortion event:
– Implement strong network segmentation and validate backups regularly so encryption loses leverage.
– Prioritize rapid detection of data exfiltration and lateral movement rather than focusing only on preventing encryption.
– Revisit cyber insurance terms and incident response retainer arrangements to understand negotiating posture and coverage limits.
– Improve executive and board-level cyber literacy so ransom decisions reflect technical, legal and ethical dimensions.
– Support public–private information sharing to ensure law enforcement and defenders see adversary patterns early.

Structural responses and the human factor

Beyond technical and organizational controls, structural actions matter. Greater international law enforcement cooperation, tighter tracking of illicit cryptocurrency flows, and incentives for secure software development could raise the cost of running a ransomware enterprise. Yet policies must be carefully calibrated to avoid inadvertently pushing victims toward catastrophic operational failure.

The human element remains central to both attack success and defense. Adversaries exploit outdated inventories, weak privilege management and delayed patching as readily as they exploit software vulnerabilities. Training, regular exercises and clear incident escalation protocols are relatively inexpensive investments compared with the six- or seven-figure bills many organizations face after a breach.

Conclusion

ExtraHop’s report is a sober reminder that fewer intrusions do not equate to lower risk when each intrusion is more devastating. The rise in average ransomware payments to $3.6 million reframes the threat landscape: it’s no longer about stopping every single attack but about limiting impact, detecting exfiltration early, and making extortion unprofitable. Whether defenders, insurers and policymakers can coordinate quickly enough to shift the economics against attackers remains an open question — but organizations that invest now in segmentation, detection, backup validation and executive readiness will be better positioned to withstand the next targeted extortion attempt.