Global ransomware activity rises 36% in Q3 2025, but average payments collapse

The quarter’s 36% surge made ransomware impossible to ignore, especially as undisclosed attacks climbed in the background.

by Ogbonda Chivumnovu
💡
Key Takeaways
• Ransomware in Q3 2025 hit record levels, rising 36% year-on-year, with undisclosed attacks climbing an additional 21%.
• Data theft dominated, with 96% of attacks involving exfiltration because stolen data now yields more reliable profit than encryption alone.
• Despite record attack volumes, ransomware’s financial returns declined sharply, with average payments falling 66% from Q2.

It became more difficult to ignore ransomware in Q3 2025. Planes were grounded, automotive production lines stalled, hospitals diverted patients, and even a UK nursery chain reported stolen records. Jaguar Land Rover only recently restored operations after a major August incident, while smaller suppliers continue to absorb financial damage long after.

These cases illustrate a broader trend. According to BlackFog, from July to September 2025, ransomware surged 36% year-on-year, with 270 publicly disclosed attacks across 93 countries. This rise was due to a combination of increasingly sophisticated ransomware-as-a-service (RaaS) operations, widespread exploitation of software vulnerabilities, and attackers shifting toward data-theft-first strategies. Together, these lowered the barrier to entry for attackers and opened the door to more frequent, more coordinated campaigns across multiple regions.

Healthcare, government, and technology carried the heaviest burden, together accounting for more than half of verified incidents. With 86 attacks, healthcare remained the single most targeted industry, a reflection of both its data sensitivity and its historically weaker security maturity.

Undisclosed attacks, those never publicly reported, rose to 1,510, a 21% increase from last year, reflecting both growing sophistication in stealth attacks and organisations’ reluctance to disclose breaches publicly due to reputational risk. Manufacturing and industrial supply chains dominated these cases, highlighting how deeply ransomware has penetrated the operational backbone of global production.

Diverging Attack Models

As the quarter unfolded, a clear divide emerged in how ransomware groups operate.

On one end, volume-driven RaaS campaigns, led by groups like Akira, continued to target mid-market companies, where weaker security and slower incident response make them easy targets. These attacks favour quantity over payout size, helping attackers keep costs low while still securing steady, smaller ransoms.

On the other end, larger enterprises became targets of more sophisticated, high-cost campaigns. Groups such as CLoP and Scattered Spider used vulnerabilities in popular software-as-a-service (SaaS) tools and file-transfer appliances to break into big organisations. This shift reflects the rising cost of initial access: mid-market attacks produce smaller ransoms, and attackers increasingly need more precision and effort to extract value from high-value targets.

In total, 54 ransomware groups were active globally in Q3, with 18 new entrants emerging. Qilin became the most active group with 20 confirmed incidents, while newly surfaced groups like DEVMAN followed closely with 19 attacks and a record-breaking $91 million ransom demand against the Shimao Group.

These massive demands show how profitable the landscape remains and why new groups continue to form.

Attackers also leaned heavily into data theft. In 96% of disclosed attacks, data was stolen rather than just encrypted. The average volume, 527.65GB per dark-web listing, shows how much leverage attackers now gain simply from exfiltration. The bigger the dataset, the harder it is for victims to refuse negotiation.

Geography Shapes Targeting

As Q3 progressed, ransomware groups began focusing on specific regions where attacks would yield the highest rewards. In South Korea, for example, the Qilin RaaS group targeted multiple asset-management firms under the “Korean Leak” label. In Latin America, government agencies and infrastructure providers faced repeated attacks, taking advantage of weaker local defences. By concentrating on these areas, attackers could reuse the same methods, exploit familiar software vulnerabilities, and disrupt regional supply chains through shared vendors.

Attackers also expanded their tactics beyond code. Insider involvement rose notably: the Medusa gang reportedly attempted to bribe a BBC employee for internal access in exchange for a share of the ransom. This illustrates how ransomware groups are experimenting with more human, social methods to bypass technical barriers and gain initial access.

Still, traditional intrusion methods remain dominant. Remote access compromise, phishing, and software vulnerabilities continue to serve as primary entry points. Once inside, attackers move laterally through networks and disguise command-and-control activity to blend into normal workflows, making detection much harder.

Ransom Economics Shift

Despite record attack volumes, ransomware’s financial returns declined sharply. Average payments fell to $376,941, down 66% from Q2, and the median dropped 65% to $140,000. Payment rates hit a record low of 23%, with exfiltration-only attacks resolving at just 19%.

According to Coveware, this decline reflects improved legal guidance, more mature cyber-preparedness, and a broader industry movement away from “nuisance payments.” Larger enterprises, in particular, are increasingly refusing to pay, forcing attackers to rely on volume or target softer mid-market organisations.

Conclusion

The Q3 2025 ransomware landscape shows a maturing but still evolving threat. Attackers continue to pressure mid-market firms through volume campaigns while simultaneously refining high-value operations against large enterprises. As profit margins shrink, they are diversifying geographically, operationally, and psychologically to maintain leverage.

For organisations, the clear takeaway is that resilience matters more than ever. Effective data protection, robust insider-threat programs, and rigorous response plans reduce leverage and make paying a ransom less likely. The cost of inaction is high, but strategic preparation can blunt the impact of these increasingly targeted attacks.
