
Ransomware Payouts Surge to $3.6m Amid Evolving Tactics

By Team-CWD, October 21, 2025


The average ransomware payment has increased to $3.6m this year, up from $2.5m in 2024 – a 44% surge despite a decline in the overall number of attacks.

The 2025 Global Threat Landscape Report findings from ExtraHop point to a clear evolution in cybercriminal strategy: fewer, more targeted operations that aim for higher returns and longer-lasting impact.

Fewer Attacks; Higher Stakes

The report surveyed 1800 IT and security leaders across seven countries, who reported an average of five to six ransomware incidents over the past year, down roughly 25% from 2024.

While the number of attacks dropped, the damage intensified. Seventy percent of affected organizations paid the ransom, and payouts in critical sectors were significantly higher than average. Healthcare and government agencies faced the most significant financial burdens, both with payouts of nearly $7.5m, while finance averaged $3.8m per incident.

The report attributes this escalation to increasingly disciplined adversaries. Groups such as RansomHub, LockBit and DarkSide continue to dominate, refining their methods to maximize leverage.

“The combination of sophisticated attackers and a broader attack surface is a dangerous one,” ExtraHop wrote.

“It makes attacks harder to detect and gives criminals a significant head start.”

Read more on ransomware trends and digital risk management: Retail Ransomware Attacks Jump 58% Globally in Q2 2025

Expanding Attack Surfaces and Entrenched Threats

The study identified public cloud infrastructure (53.8%), third-party integrations (43.7%) and generative AI applications (41.9%) as the top sources of cybersecurity risk. These interconnected systems are widening the attack surface and complicating defense efforts.

The 2024 Snowflake breach, which exposed the data of 165 major customers including AT&T, was a notable example of how vulnerabilities in cloud ecosystems can cascade across industries.

Phishing remains the leading method of infiltration, responsible for 33.7% of attacks, followed by software vulnerabilities (19.4%) and supply chain compromises (13.4%).

Once inside a network, threat actors typically go undetected for about two weeks – ample time to move laterally, exfiltrate data and prepare ransomware deployment.

Long Response Times Add to Losses

On average, organizations took over two weeks to contain a security alert, while each incident led to roughly 37 hours of downtime. In the transportation sector, disruptions stretched to as long as 74 hours.

Limited visibility, talent shortages and alert fatigue were cited as major barriers to faster response.

To counter these trends, ExtraHop recommends organizations:

  • Map their whole attack surface and identify weak points

  • Monitor internal network traffic for lateral movement

  • Stay proactive against new tactics, particularly those using generative AI

The report concludes that while ransomware incidents may be fewer, their growing precision, scale and financial impact underscore an increasingly dangerous digital environment.


