Ransomware Payments Hit Historic Lows — But Attackers Are Getting Smarter

In a rare bright spot for defenders, ransomware and extortion groups are experiencing their own financial squeeze. According to new reporting from Help Net Security, only 23% of victims paid ransom demands in Q3 2025, and for data-theft-only extortion attacks, that number fell to just 19%.

Coveware notes this decline is proof that prevention, coordinated law enforcement pressure, and improved incident response are making a measurable impact:

“Each avoided payment constricts cyber attackers of oxygen (i.e., Bitcoin),” the firm wrote.

But success brings unintended consequences.
As payments shrink, attackers are becoming more targeted, more creative, and more willing to invest heavily in gaining initial access. The ransomware economy isn’t collapsing — it’s evolving, and not in ways that favor unprepared organizations.

Still, Carson & SAINT’s perspective is clear: lower payment rates do not equal lower risk. They signal a pivot to more aggressive tactics.


A Divided Threat Landscape: Mid-Market vs. Large Enterprise

Ransomware-as-a-Service (RaaS) groups and independent extortion operators are splitting into two strategies:

1. Mid-Market Attackers (e.g., Akira): Volume Over Value

Groups like Akira aim for mid-size companies, requesting smaller ransom amounts but keeping payment rates slightly above average.
Their model depends on:

  • High-volume targeting

  • Short dwell times

  • Lower ransom expectations

This tier remains highly opportunistic and agile.

2. High-End Attackers: Focusing on Enterprise Targets

Other threat actors target only large enterprises capable of paying seven- or eight-figure ransoms. But Coveware reports these efforts are now “largely unfruitful” because major organizations increasingly understand that:

“Paying to suppress the proliferation of stolen data has de minimis to zero utility.”

As a result, attackers pursuing large enterprises must spend more, plan more, and innovate more—leading to far more sophisticated intrusion tactics.


Initial Access: How Attackers Are Getting In Now

As revenue tightens, threat actors are abandoning simplistic smash-and-grab tactics and investing in multi-stage social engineering, insider access, and remote compromise.

Insider Threats and Bribery Surge

A major trend in 2025: attackers directly contacting employees and offering money or cryptocurrency for:

  • Credentials

  • Remote access

  • MFA approval

This bypasses technical controls entirely and exposes weaknesses in insider threat programs.

Helpdesk Social Engineering Goes Mainstream

What started with Scattered Spider is now widespread.
Attackers:

  • Call helpdesks

  • Impersonate employees

  • Persuade technicians to reset passwords or approve new devices

This tactic exploits process gaps more than technology gaps.

Callback Phishing Becomes Standard Playbook

Fake invoices, voicemail alerts, or “support messages” direct victims to call the attacker — enabling:

  • Device enrollment

  • Credential harvesting

  • Remote access installation

Callback phishing has moved from niche to baseline intrusion technique.

Remote Access Compromise Remains the #1 Entry Point

Coveware reports that over half of all ransomware/extortion incidents last quarter originated from remote access issues:

  • VPN exposure

  • Cloud gateway weaknesses

  • SaaS misconfigurations

The Hidden Risk: Configuration Debt

Even organizations with strong patching programs remain vulnerable because of forgotten, aging, or misaligned configurations — including:

  • Old local accounts

  • Unrotated credentials

  • Dormant OAuth tokens

Attackers now routinely search for — and exploit — this configuration debt.

Vulnerability Exploitation Still Occurs, But Mostly Old Bugs

Threat actors continue exploiting network appliances and enterprise software — but overwhelmingly through known, unpatched vulnerabilities, reflecting gaps in vulnerability risk management programs and patch prioritization.


Once Inside: Data Exfiltration Is the New Ransom

Coveware notes that data theft is now “almost guaranteed” in ransomware/extortion events — encryption optional.

Why?
Because data exposure creates faster, more predictable pressure:

  • Regulatory scrutiny

  • Customer backlash

  • Reputational harm

  • Contractual violations

Attackers know that even if organizations won’t pay to recover systems, some may pay (or feel pressured) to contain fallout.

Reconnaissance Before Exploitation

Most groups now conduct methodical reconnaissance before stealing data:

  • Privilege enumeration

  • Sensitive folder mapping

  • Identifying high-value systems

Because this activity mimics normal IT administration, organizations must rely on behavioral monitoring to detect it.

Lateral Movement: Still RDP, SSH, PSExec — Still Effective

Lateral movement techniques remain unchanged, but better monitoring and anomaly detection are needed to catch them quickly.


What Organizations Must Prioritize Now

Carson & SAINT recommends five immediate focus areas to reduce exposure to next-generation ransomware threats.

1. Harden Identity and Access Governance

  • Strengthen helpdesk authentication workflows

  • Enforce least privilege

  • Tighten VPN/MFA policies

  • Monitor session activity across cloud and SaaS

Identity is the new perimeter — and attackers know it.

2. Eliminate Configuration Debt

  • Audit credentials and legacy accounts

  • Rotate OAuth tokens

  • Remove unused integrations

  • Reassess remote access policies

Most breaches Coveware observed involve misconfigurations, not exploits.
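The two configuration-debt passages above (the "Hidden Risk" section and this "Eliminate Configuration Debt" item) both come down to the same audit: find enabled accounts nobody uses, credentials nobody rotates, and OAuth grants nobody has touched. The script below is an added example, not Carson & SAINT or Coveware code; the inventory it runs over is constructed, the 90/180/60-day thresholds are assumptions, and the fixed reference date exists only so the run is reproducible offline.

```python
"""Configuration-debt audit over a constructed inventory (added example, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Fixed reference date so the audit is reproducible offline; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Thresholds are assumptions for this example; take them from your own policy.
STALE_LOGON_DAYS = 90        # account unused this long -> candidate for disabling
STALE_PASSWORD_DAYS = 180    # credential not rotated this long -> rotate
DORMANT_TOKEN_DAYS = 60      # OAuth grant unused this long -> revoke


@dataclass
class LocalAccount:
    name: str
    enabled: bool
    last_logon: datetime | None     # None = never logged on
    password_last_set: datetime


@dataclass
class OAuthGrant:
    app: str
    scopes: tuple[str, ...]
    last_used: datetime | None      # None = never used since consent was granted


def _days_since(when: datetime | None, now: datetime) -> int | None:
    return None if when is None else (now - when).days


def audit_accounts(accounts: list[LocalAccount], now: datetime = NOW) -> list[tuple[str, str]]:
    """Flag enabled accounts that are stale or carry an unrotated credential.

    Disabled accounts are skipped: they are already out of the attack path,
    although a separate clean-up should still delete them.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        idle = _days_since(acct.last_logon, now)
        if idle is None or idle > STALE_LOGON_DAYS:
            findings.append((acct.name, "stale-account"))
        if _days_since(acct.password_last_set, now) > STALE_PASSWORD_DAYS:
            findings.append((acct.name, "unrotated-credential"))
    return findings


def audit_grants(grants: list[OAuthGrant], now: datetime = NOW) -> list[tuple[str, str]]:
    """Flag OAuth grants nobody has used recently; each one is a standing credential."""
    findings = []
    for grant in grants:
        idle = _days_since(grant.last_used, now)
        if idle is None or idle > DORMANT_TOKEN_DAYS:
            findings.append((grant.app, "dormant-token"))
    return findings


# Constructed sample inventory (not real accounts or applications).
SAMPLE_ACCOUNTS = [
    LocalAccount("svc_backup", True, None, datetime(2023, 1, 15, tzinfo=timezone.utc)),
    LocalAccount("jdoe", True, datetime(2025, 10, 28, tzinfo=timezone.utc), datetime(2025, 9, 1, tzinfo=timezone.utc)),
    LocalAccount("contractor_old", False, datetime(2024, 3, 2, tzinfo=timezone.utc), datetime(2024, 3, 2, tzinfo=timezone.utc)),
    LocalAccount("admin2", True, datetime(2025, 6, 1, tzinfo=timezone.utc), datetime(2025, 6, 1, tzinfo=timezone.utc)),
]
SAMPLE_GRANTS = [
    OAuthGrant("Legacy Reporting Connector", ("files.read.all",), datetime(2024, 12, 1, tzinfo=timezone.utc)),
    OAuthGrant("Ticketing Sync", ("tickets.read",), datetime(2025, 10, 30, tzinfo=timezone.utc)),
    OAuthGrant("Marketing Export", ("contacts.read", "mail.send"), None),
]

if __name__ == "__main__":
    for name, issue in audit_accounts(SAMPLE_ACCOUNTS) + audit_grants(SAMPLE_GRANTS):
        print(f"{issue:22} {name}")
```

In practice the two inventories come from wherever the accounts actually live (local SAM or `/etc/passwd` exports, the identity provider's enterprise-application list, the SaaS vendor's consent log); the point is that each finding maps to one remediation action, so the output can feed a ticket queue rather than a report nobody reads.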

3. Mature Insider Threat Programs

  • Train staff on bribery/red flag behaviors

  • Deploy user behavior analytics

  • Establish reporting paths for suspicious contact

Insiders — willing or unwitting — are now one of the most cost-effective access paths for attackers.

4. Strengthen Detection of Reconnaissance & Lateral Movement

  • Monitor for privilege mapping and account enumeration

  • Flag abnormal RDP, SSH, and PSExec behaviors

  • Use UEBA solutions to detect subtle anomalies

Organizations that detect reconnaissance early dramatically reduce breach impact.
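The reconnaissance and lateral-movement passages above ("Reconnaissance Before Exploitation", "Lateral Movement: Still RDP, SSH, PSExec" and this focus area) describe behaviour that looks like routine administration event by event and only stands out in aggregate. The detector below is an added example, not Carson & SAINT or Coveware code. It runs over constructed, pipe-delimited Windows-style records (the field layout is an assumption; real collectors emit EVTX or JSON) and raises two of the signals named in the post: one account opening RDP sessions to several distinct hosts in a short window, and a service install whose name matches PsExec's service (the 10-minute window and 3-host threshold are assumptions).

```python
"""Reconnaissance / lateral-movement detection over constructed Windows events (added example, not vendor code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    event_id: int           # 4624 = successful logon, 7045 = new service installed
    host: str               # computer that logged the event
    user: str               # account name (empty for service-install records here)
    logon_type: int | None  # 10 = RemoteInteractive (RDP); None where not applicable
    source_ip: str
    service: str            # service name for 7045 records, else empty


def parse(line: str) -> Event:
    """Parse one record: time|event_id|host|user|logon_type|source_ip|service (assumed layout)."""
    t, eid, host, user, ltype, ip, svc = line.split("|")
    return Event(datetime.fromisoformat(t), int(eid), host, user,
                 int(ltype) if ltype else None, ip, svc)


def detect_rdp_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: sorted hosts} for accounts with RDP logons to >= min_hosts distinct hosts inside `window`.

    An admin fixing one box touches one host; an operator mapping the estate
    fans out across many, which is the pattern this isolates.
    """
    rdp = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 10:
            rdp[e.user].append(e)
    alerts = {}
    for user, evs in rdp.items():
        evs.sort(key=lambda e: e.time)
        for anchor in evs:  # sliding window ending at each logon
            hosts = {x.host for x in evs if anchor.time - window <= x.time <= anchor.time}
            if len(hosts) >= min_hosts:
                alerts.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in alerts.items()}


def detect_remote_exec_services(events, names=("PSEXESVC",)):
    """Return (host, service) for service installs whose name matches a known remote-execution tool."""
    return [(e.host, e.service) for e in events
            if e.event_id == 7045 and e.service.upper() in names]


# Constructed sample events (not real logs): a 2 a.m. RDP sweep by one account,
# a PsExec service landing on the last host, and a normal single-host user for contrast.
SAMPLE_LINES = [
    "2025-10-14T02:11:05|4624|FS01|corp\\jdoe|10|10.0.5.23|",
    "2025-10-14T02:12:40|4624|HR-DB|corp\\jdoe|10|10.0.5.23|",
    "2025-10-14T02:13:02|4624|APP03|corp\\jdoe|10|10.0.5.23|",
    "2025-10-14T02:14:55|4624|DC01|corp\\jdoe|10|10.0.5.23|",
    "2025-10-14T02:15:30|7045|DC01||||PSEXESVC",
    "2025-10-14T09:03:00|4624|WS-118|corp\\asmith|10|10.0.7.8|",
    "2025-10-14T09:30:00|4624|WS-118|corp\\asmith|2|10.0.7.8|",
    "2025-10-14T10:00:00|7045|WS-118||||Spooler",
]
SAMPLE_EVENTS = [parse(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for user, hosts in detect_rdp_fanout(SAMPLE_EVENTS).items():
        print(f"RDP fan-out: {user} -> {', '.join(hosts)}")
    for host, svc in detect_remote_exec_services(SAMPLE_EVENTS):
        print(f"Remote-exec service install: {svc} on {host}")
```

The same shape applies to SSH: substitute `sshd` accepted-login lines keyed by username and source address for the type-10 logons, and the fan-out logic is unchanged. Tune the window and host threshold against your own administrators' normal patterns before alerting on it, otherwise the patch team becomes the noisiest "attacker" in the queue.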

5. Modernize Vulnerability Risk Management (VRM)

Your VRM program must do more than tally CVEs — it must prioritize exploitability, identity weaknesses, and configuration risks.

Carson & SAINT’s Vulnerability Risk Management approach focuses on:

  • Continuous scanning of remote access systems

  • Prioritizing vulnerabilities attackers actually exploit

  • Exposing identity and configuration weaknesses early

This is how organizations stay ahead of attacker innovation.


Progress Is Real — But So Is the Evolution of the Threat

The drop in ransom payments is a legitimate win for defenders—but it does not mean ransomware is fading. Instead, attackers are:

  • Becoming more targeted

  • Using more human-centric access methods

  • Exploiting identity and configuration weaknesses

  • Prioritizing data theft over encryption

So, organizations that mistake “fewer payments” for “less danger” risk becoming the next headline.

Carson & SAINT helps enterprises modernize identity security, reduce configuration debt, and build resilience against this next era of ransomware and extortion.

Let’s strengthen your defenses before attackers adapt again.
Contact us to assess your risk.


Quinn Hopkins, Senior Marketing Manager

Quinn Hopkins serves as head of the Marketing Department. He graduated with Bachelor of Science in Marketing at Penn State University in 2020. With a comprehensive skill set encompassing digital marketing, branding, sales processes, SEO, e-commerce, email marketing, and trade shows, Quinn orchestrates a wide range of initiatives to elevate the company’s brand presence and drive customer acquisition. He plays a pivotal role in shaping the company’s identity and fostering customer loyalty. From spearheading innovative digital marketing campaigns to orchestrating impactful brand appearances, Quinn’s dedication to excellence propels the company forward in the competitive cybersecurity landscape, positioning us as a trusted leader in the industry.
