Cybercriminals are earning more and more from ransomware attacks. The second quarter of 2025 shows a doubling of average ransom payments to $1.13 million (€970,000) compared to the first quarter.
This is according to research by Coveware by Veeam. Traditional ransomware revolved around locking systems. Now it appears that stealing data is more effective. In 74 percent of all cases, data extraction played a role, often without systems being encrypted at all.
The new approach keeps organizations in its grip for longer. Multi-extortion tactics and delayed threats ensure that companies are still under attack months after a breach. According to Bill Siegel of Coveware by Veeam, attackers “aren’t just after your backups – they’re after your people, your processes, and your data’s reputation.”
Social manipulation replaces mass attacks
The ransomware landscape is undergoing a major shift. Whereas cybercriminals used to focus on broad, opportunistic attacks, they now opt for precision work. Scattered Spider, Silent Ransom, and Shiny Hunters dominated the second quarter with targeted social manipulation.
These groups target help desks, employees, and external service providers with advanced impersonation techniques. The result is a new generation of attacks where the human factor becomes the weakest link, not the technology.
SMEs remain vulnerable
Professional services (19.7 percent), healthcare (13.7 percent), and consumer services (13.7 percent) remain the most affected sectors. It is striking that medium-sized organizations with 11 to 1,000 employees account for 64 percent of victims.
These companies are in an unfortunate position: large enough to be attractive targets for ransom payments, but too small to invest in advanced security measures. It is precisely the sweet spot that criminals are targeting.
Defense under pressure
Credential compromise, phishing, and misuse of remote services remain the primary means of access. Cybercriminals are increasingly circumventing technical security measures by focusing on social manipulation. At the same time, they exploit vulnerabilities in widely used platforms such as Ivanti, Fortinet, and VMware.
A worrying trend is the emergence of ‘lone wolf’ attacks by experienced criminals using generic toolkits. These attacks are more difficult to detect and predict than those carried out by known groups.
The new ranking of ransomware variants shows shifts at the top. Akira leads with 19 percent, followed by Qilin (13 percent) and Lone Wolf (9 percent). Silent Ransom and Shiny Hunters make their first appearance in the top five, underscoring the dynamic nature of this criminal ecosystem.