Coveware charts rise of data exfiltration – Blocks and Files


Louhi, Mistress of the North, attacking Väinämöinen in the form of a giant eagle with her troops on her back when she was trying to steal Sampo; in the Finnish epic poetry Kalevala by Elias Lönnrot. (The Defense of the Sampo, Akseli Gallen-Kallela, 1896)

Veeam’s Coveware business unit has released its Q2 ransomware report, showing average ransomware payments are double last quarter’s amount at $1.13 million.

Data protector Veeam bought the Coveware business, with its cyber-extortion incident response facilities, in April last year. The quarterly report is a snapshot of what it’s seeing, based on “firsthand data, expert insights, and analysis from the ransomware and cyber extortion cases that they manage each quarter.” It is seeing theft of business data increasing, with socially engineered entry points the main attack vector.

Coveware CEO Bill Siegel stated: “The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook. Attackers aren’t just after your backups – they’re after your people, your processes, and your data’s reputation. Organizations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought.”

Bill Siegel at Veeam event.

The report says socially engineered attacks are now the biggest threat, with three ransomware groups prominent in the quarter: Scattered Spider, Silent Ransom, and Shiny Hunters. They are “using novel impersonation tactics against help desks, employees, and third-party service providers. … Credential compromise, phishing, and exploitation of remote services continue to dominate initial access, with attackers increasingly bypassing technical controls via social engineering.”

The top three ransomware variants were Akira (19 percent), Qilin (13 percent), and Lone Wolf (9 percent), with Silent Ransom (5 percent) and Shiny Hunters (5 percent) entering the top five for the first time.

This quarter’s report notes: “The Average Ransom Payment: $1,130,070 (+104 percent from Q1 2025) and Median Ransom Payment: $400,000 (+100 percent from Q1 2025), jumped substantially in Q2 2025 versus the prior quarter. We attribute this increase to an increase in payments by larger organizations impacted by data-exfiltration-only incidents. While the quarterly increase is dramatic, we note that similar jumps quarter to quarter have occurred in the past and do not yet believe these metrics to be an inception of a trend.”

We are told that data theft has overtaken encryption as the primary extortion method. “Exfiltration played a role in 74 percent of all cases, with many campaigns now focusing on data theft rather than traditional system encryption.”

Access defences can be weak: “Credential-based intrusions dominate, with groups like Akira regularly exploiting exposed VPNs and remote services using stolen or weak credentials, often sourced from infostealers or successful phishing campaigns. Social engineering also continues to mature, with actors leveraging trusted communication channels like Microsoft Teams for vishing, SEO poisoning to deliver malware, and deceptive scripts masked behind fake security prompts or CAPTCHAs.”

And: “These tactics bypass technical controls by targeting human behavior, a trend exemplified by groups like Scattered Spider, whose tailored impersonation techniques make help desks the front line of compromise.”

The report says: “The percentage of organizations that opted to pay a ransom regardless of impact remained relatively low at 26 percent. We are encouraged that the overall rate of payment has not shown regression over the prior quarters. As compared to years past, companies are generally better prepared to defend themselves against extortion attacks, and are getting better prepared at navigating the nuances of cyber incidents via IR preparedness.”

However, payment rates for data exfiltration are higher, with the report noting: “The payment rate on data exfiltration only matters increased in Q2 and remains in a stubbornly high bracket. Some threat actors are increasingly focusing on data exfiltration only as they feel the effort-impact / payout economics are more favorable to the encryption attacks. Encryption attacks do still cause the most impact and urgency though.”

The top three victim organization types were:

  • Professional services (19.7 percent)
  • Healthcare (13.7 percent)
  • Consumer services (13.7 percent)

Victim organization size is a factor: “Ransomware attacks most commonly affect small to mid-sized organizations, with companies ranging from 11 to 1,000 employees making up a combined 64 percent of incidents. This suggests that attackers often target firms that are large enough to offer a potential payout but may lack the robust cybersecurity infrastructure of larger enterprises. Mid-sized organizations (1,001 to 10,000 employees) account for 17 percent of attacks, showing that as companies grow, they remain attractive targets. 

“Interestingly, very large enterprises—with over 25,000 employees—make up just 8 percent of incidents, indicating that scale may offer better protection through more mature security programs. At the smallest end, companies with fewer than 10 employees represent only 4%, likely due to limited assets or lower visibility. Overall, the data highlights a ransomware “sweet spot” in the small to mid-sized range, where vulnerabilities are more common and defenses often underfunded.”

There is much more information in the report, which is a sobering read. Cut and paste a copy from the website into a file and go read it in a quiet room. If you are in a small-to-mid-sized organization, then consider yourself at risk, and realize that your online employees and partner staff represent the main attack surface. They need constant awareness of social engineering attacks.

You can read a Bill Siegel blog to get more background info.


