Ransom payouts hit record levels this quarter, thanks to a dramatic rise in targeted social engineering attacks.
Analysis from Coveware by Veeam showed that the average ransom payment rocketed to $1.13 million - up 104% from the first quarter. The median payment rose by a similar amount, doubling to $400,000.
This surge was largely down to an increase in payments by larger organizations hit by data exfiltration-only incidents.
The study noted that data theft has now overtaken encryption as the primary extortion method, with exfiltration a factor in 74% of all cases. Meanwhile, multi-extortion tactics and delayed threats are on the rise.
"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook,” said Bill Siegel, CEO of Coveware by Veeam.
“Attackers aren’t just after your backups – they’re after your people, your processes, and your data’s reputation."
The quarter’s top ransomware variants were Akira (19%), Qilin (13%), and Lone Wolf (9%), while Silent Ransom and Shiny Hunters entered the top five for the first time.
Ransomware groups target precision
The biggest threats involved social engineering attacks from three major ransomware groups – Scattered Spider, Silent Ransom, and Shiny Hunters.
These groups have now abandoned mass opportunistic attacks for precision strikes, using new impersonation tactics against help desks, employees and third-party service providers.
They regularly exploit vulnerabilities in widely-used platforms such as Ivanti, Fortinet VMware and Windows services, often right after a vulnerability has been publicly disclosed.
Meanwhile, 'lone wolf' attacks by extortionists using generic, unbranded toolkits are on the rise. allowing even mid-tier actors to breach enterprise infrastructure.
Insider threats escalate
Insider and third-party access risks showed an uptick in the quarter, particularly involving business process outsourcing (BPO) partners, contractors, and IT service providers.
"These external parties often hold privileged access but operate outside core security oversight, making them a growing vector of exploitation for credential misuse or social engineering," the researchers point out.
The worst-hit industry sector was professional services at 20%, followed by healthcare and consumer services at 14% each.
Mid-sized companies with between 11 and 1,000 employees made up 64% of victims - a sweet spot, researchers noted, for attackers balancing payout potential against less mature defenses.
Before exfiltrating or encrypting data, attackers are putting effort into mapping networks, enumerating assets and identifying the most valuable systems or datasets. This reconnaissance phase often relies on legitimate admin tools or built-in OS commands, making it hard to spot without contextual analysis.
If it can be detected, though, by monitoring for anomalous enumeration or employing deception technologies such as decoy credentials, honeyfiles or fake infrastructure, this phase can act as an early warning system.
"Organizations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought," advised Siegel.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A major ransomware hosting provider just got hit US with sanctions
- Ransomware victims are getting better at haggling with hackers
- The new ransomware groups worrying security researchers in 2025
-
Microsoft says these 10 jobs are at highest risk of being upended by AINews Microsoft thinks AI is going to destroy jobs across a range of industries – while experts aren't fully convinced, maybe it's time to start preparing.
-
From Mishaps to Meltdowns. Could you fully recover your Active Directory?whitepaper Download Now
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victimsNews The Akira and Lynx ransomware groups are focusing on small businesses and MSPs using stolen or purchased admin credentials
-
The UK’s ‘chronic shortage of cyber professionals’ is putting the country at riskNews While high-profile attacks grab headlines, a security researcher warns the UK's "chronic shortage of cyber professionals" is left unaddressed by government, industry, and academia.
-
Credential theft has surged 160% in 2025News AI-powered phishing and the growth of Malware as a Service means hackers are compromising more accounts than ever
-
US federal judiciary agency hit by 'escalated cyber attacks' which exposed highly sensitive dataNews The agency says it plans to step up cybersecurity capabilities in the wake of the incident
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
Millions of Dell laptops are are at risk thanks to a Broadcom chip vulnerability – and more than 100 device models are impactedNews Widely used in high-security environments, the PCs are vulnerable to attacks allowing the theft of sensitive data
