In the shadowy world of cybercrime, a seismic shift is underway as ransomware operators grapple with dwindling revenues. Victims, once quick to pay up to regain access to their encrypted data, are increasingly refusing demands, leading to a historic low in payout rates. According to a recent report from BleepingComputer, only 23% of breached companies capitulated to attackers in the third quarter of 2025, a stark decline from previous years. This trend reflects improved cybersecurity defenses, better backups, and a growing reluctance to fund criminal enterprises.
The data paints a picture of resilience among targeted organizations. For incidents involving data theft without encryption, the payment rate plummeted to just 19%, as detailed in analysis from Help Net Security. Experts attribute this to enhanced recovery strategies, including robust offsite backups and incident response plans that allow companies to restore operations without negotiating with hackers. Meanwhile, ransomware groups are adapting by pivoting to pure extortion tactics, threatening to leak stolen data rather than relying solely on encryption.
Shifting Economics of Cyber Extortion: As payment rates hit rock bottom, the financial incentives for ransomware-as-a-service (RaaS) operations are eroding, forcing affiliates to reconsider their strategies amid a fragmented ecosystem.
Even as the number of ransomware incidents rises—global attacks surged in 2025, aided by AI-driven scaling, per insights from TechReport—profits are tumbling. A study highlighted by Darknet.org.uk notes a 35% drop in payments from 2024 levels, despite more breaches. This paradox underscores how victims’ refusal to pay is disrupting the RaaS model, where operators provide tools to affiliates in exchange for a cut of the spoils.
Law enforcement actions and international collaborations are also squeezing the ecosystem. Prominent groups like LockBit and RansomHub have seen their victim-publishing activities stall, as reported in Check Point Research's Q2 2025 overview. The net effect is a more volatile market for cybercriminals, with some outfits dissolving or rebranding to evade pressure.
Evolving Victim Strategies and Industry Responses: Companies are bolstering defenses with proactive measures, but the rise in attack volumes demands ongoing vigilance from CISOs and policymakers alike.
Research from IT Pro reveals that just 17% of enterprises paid ransoms in the first half of 2025, an all-time low driven by better preparedness. Hornetsecurity’s 2025 survey, detailed on their blog, found that 24% of businesses faced attacks, yet many recovered without payment thanks to investments in cyber insurance and resilience training.
Average payout amounts, however, remain high for those who do pay, surging to $2 million as per DeepStrike.io's statistics. This highlights the persistent threat, especially in sectors like consumer and professional services, which bore the brunt of 504 incidents in September alone, according to Cyfirma.
Long-Term Implications for Cybersecurity: While declining profits may deter some actors, the adaptability of ransomware groups suggests that innovation in defenses must keep pace to sustain this positive momentum.
Looking ahead, the decline echoes earlier trends, such as the 40% profit drop in 2022 noted by the BBC News. Industry insiders warn that without sustained efforts, including bans on ransom payments in more jurisdictions, hackers could rebound with sophisticated tactics. For now, the message is clear: refusing to pay is starving the beast, reshaping the economics of digital extortion for the better.


WebProNews is an iEntry Publication