Fewer organizations are paying the ransom when confronted with a ransomware attack – but those that do make ransomware payments are paying much more.
That’s one of the takeaways from ExtraHop’s new 2025 Global Threat Landscape Report, which also looked at the riskiest attack surfaces, dwell times, initial attack vectors, and more.
The report, which the NDR vendor conducted with Censuswide, is based on a July 2025 survey of 1,800 security and IT decision-makers in midsize and large organizations in seven countries.
Average Ransom Payment Tops $3.6 Million
The survey found that while organizations are experiencing fewer ransomware incidents – and fewer are paying ransoms – those organizations that do pay are paying $1.1 million more than they did last year, up from $2.5 million to more than $3.6 million, an increase of more than 40%.
While 70% of respondents said their organization paid a ransom, the share of organizations paying declined overall for the first time, and the share that said they did not pay a ransom more than tripled, from 9% last year to 30% this year.
Also on the plus side, respondents reported fewer ransomware incidents overall: between five and six per organization in the previous 12 months, down roughly 25% from nearly eight in 2024. However, the percentage of organizations hit with 20 or more ransomware incidents tripled year over year, to 3%. Healthcare and government organizations were among those facing the greatest number of attacks.
Cyble’s ransomware data, which is based on ransomware groups’ victim claims on their dark web data leak sites, shows that ransomware attacks are up 50% so far this year from the same period of 2024. The two figures measure different things: the survey counts incidents self-reported per organization, while leak-site tallies count the victims that groups choose to publish, so they need not move in the same direction.
Both incident counts and ransom amounts varied by country. UAE organizations, for example, faced an average of seven ransomware incidents, with paid ransoms averaging $5.4 million. Australian organizations, on the other hand, experienced the fewest ransomware incidents in the report, averaging four per year, with payments averaging $2.5 million.
The healthcare sector had the highest payouts at $7.5 million, followed by the government sector (just under $7.5 million) and the finance sector ($3.8 million).
Detection also lagged: more than 30% of respondents did not detect that they were being targeted by ransomware until data exfiltration had begun, by which point the intruder had already gained access and reached the data.
Riskiest Attack Surfaces and Entry Points
The report found that the public cloud, third-party risks, and GenAI were the riskiest attack surfaces (chart below).

“As organizations rapidly adopt emerging technologies, navigate complex device interdependencies, and manage sprawling supply chains, their IT infrastructures become inherently more complex,” the report said. “This escalating complexity inevitably leads to a larger attack surface.”
Phishing and social engineering were the most common initial point of entry for attackers at 33.7%, followed by software vulnerabilities (19.4%), third-party/supply chain compromise (13.4%), and compromised credentials (12.2%) (chart below).
