Mass Data Exfiltration Campaigns Lose Their Edge in Q4 2025

Data Theft Campaigns

Q4 of 2025 was marked by the latest large-scale data theft campaign by the CL0P ransomware gang, this time exploiting a zero-day vulnerability in Oracle E-Business Suite (EBS). The campaign came from a playbook CL0P pioneered nearly five years ago. The strategy: purchase a zero-day exploit for a widely used enterprise file transfer or data storage appliance; compromise as many instances as possible before detection; exfiltrate as much data as possible from as many downstream customers as possible; and finally, monetize the attack at scale by extorting each unique downstream party. This strategy does not involve encryption of the target assets. Often the entire attack chain occurs outside of the victim's network. This was the 5th campaign in which CL0P followed this playbook, and the financial outcome for CL0P tells an interesting story about the current state of cyber extortion.

CL0P developed this playbook during the Accellion breach in Q1 2021. At the time, data-exfiltration-only extortion was still a relatively novel tactic. Most cyber extortion attacks in 2020-2021 involved the encryption of critical systems as the primary driver of extortion pressure. Increasingly, actors during this period were combining encryption and data exfiltration extortion to compound the pressure on victims to pay. At this point in cyber extortion, data exfiltration was a very effective pressure tactic: victims lacked confidence in their ability to assess what had been taken, regulators were still adapting to breach notification rules and enforcement, and many organizations viewed payment as a pragmatic way to make the problem go away.

CL0P's first campaign was likely very successful financially. It was reported that the exploit used traded for a few hundred thousand dollars. We estimate that the payment rate on the Accellion campaign was close to 25%. Given the volume of organizations impacted (around 100), it is likely CL0P earned tens of millions of dollars from this single campaign. CL0P duplicated this success in March of 2023 by exploiting a vulnerability in GoAnywhere MFT. During that incident, it is likely 100-150 organizations were impacted, and close to 20% of them ended up paying. A few months later, CL0P captivated the enterprise security media with yet another massive campaign: between 2,000 and 3,000 organizations were impacted, directly or indirectly, by an extortion campaign that exploited a zero-day in MOVEit managed file transfer software. Despite the daily headlines, few organizations ended up paying (we estimate 2-5%). By 2024, though, when CL0P exploited a vulnerability in the Cleo Managed File Transfer product, organizations had matured. The propensity to pay a ransom under these circumstances had dropped: despite several hundred downstream organizations being impacted, Coveware recorded no victims that opted to pay. With each iteration, the economics of downstream mass data theft weakened substantially.

Statistics are based solely on cases Coveware handled directly. Industry-wide statistics and experiences may differ.

There is no single variable that explains why these campaigns are no longer bearing financial fruit for cyber criminals. During MOVEit, many victims were able to independently reconstruct what data had been accessed or exfiltrated, reducing their reliance on threat actors for visibility. In the Cleo campaign, the data itself turned out to be of relatively low sensitivity, limiting extortion leverage. But the Oracle EBS campaign in 2025 disrupted those assumptions.

In many ways, Oracle EBS represented a return to ideal extortion conditions from the attacker's perspective. Victims generally lacked the forensic ability to reconstruct what had been stolen, and the data stored in these environments was often operationally and commercially sensitive. In 2021, those factors would have correlated strongly with high threat actor engagement and payment rates. Instead, the Oracle EBS campaign in 2025 generated one of the lowest levels of victim engagement and monetization observed across any prior CL0P incident.

Enterprises are getting educated on the pros and cons of paying a ransom to suppress the release of already-breached data. The bullet points on the "pro" side of the whiteboard are getting increasingly scarce, while the "con" side is getting crowded.

Over the past several years, organizations have matured significantly in their understanding of breach consequences. Paying for data suppression does not eliminate legal or regulatory notification obligations. It does not meaningfully reduce the likelihood of litigation. And experience has shown, repeatedly, that it does not prevent threat actors from retaining the data, selectively leaking it, or recycling it for future re-extortion months or even years later. The perceived certainty that once justified nuisance or opportunistic payments has been replaced by a clearer view of the long-term risk. Additionally, even engaging the threat actors in a dialog now carries substantial risk. The harassment tactics used by cyber criminals once they are engaged are getting increasingly bold and kinetically dangerous to the organizations, such as swatting attacks against executives.

Other threat actors have attempted to replicate CL0P's model with similarly disappointing financial results. The Snowflake-related breaches in 2024 and the CRM-focused attacks in 2025, largely attributed to Shiny Hunters, impacted organizations globally. Despite the scale and visibility of these incidents, extortion payments remained the exception rather than the rule. Most victims received cogent advice from skilled lawyers and incident responders and opted not to even engage the threat actors. The ransom notes were tossed in the waste bin after a rational discussion in front of the whiteboard.

As breach attorneys and defenders become more realistic about what can be achieved from an extortion payment, and as organizations become more confident in managing breach fallout without negotiating, the economics of these data theft campaigns have eroded. Exploiting a single vendor flaw to reach hundreds of victims no longer guarantees hundreds of potential paydays. For enterprises, that realization may be one of the most meaningful defensive evolutions of the past five years.

Looking ahead, ransomware payment rates are at record lows, and what worked during the double-extortion boom of the early 2020s no longer produces consistent or substantial profits for ransomware and extortion actors. We expect a pivot: threat actors may return to their data encryption roots, which has always been a more effective lever than data extortion at increasing the chance of payment. They may diversify how they use and monetize access to victim networks beyond direct extortion. And we expect they will continue to downsize their respective operations to minimize overhead costs and risks.
Payment Rates

Average Ransom Payment: $591,988 (+57% from Q3 2025)

Median Ransom Payment: $325,000 (+132% from Q3 2025)
Trend Analysis

Average and Median Payments Diverge, Reinforcing Skewed Economics: Q4 continues to show a pronounced gap between average ($591,988, +57% from Q3 2025) and median ($325,000, +132% from Q3 2025) ransom payments. While median payments remain comparatively constrained, the average payment exhibits sharp volatility driven by a small number of outsized settlements. This reinforces that headline average ransom figures are increasingly influenced by edge cases rather than representative outcomes.

Large, Sporadic Payments Drive Spikes, Not Broad Willingness to Pay: The pronounced spikes in average payment reflect isolated, high-impact incidents, typically tied to decryption-motivated settlements where business interruption could not be otherwise mitigated. These events are not indicative of a broad resurgence in willingness to pay, but rather the residual cost of severe operational disruption in a subset of cases.

Median Payments Remain Anchored to Mid-Market Reality: Median ransom payments continue to track materially lower than averages, aligning with a victim mix dominated by small and mid-sized organizations. These organizations are more likely to pay when impacted but are structurally limited in the amounts they can sustain, reinforcing a volume-driven extortion economy rather than a return to big-game hunting economics.

Data Theft Alone Rarely Drives Large Settlements: Consistent with prior quarters, the chart supports the continued decline in high-value settlements driven purely by data exfiltration pressure. Payments remain primarily correlated with operational downtime and recovery constraints, not the perceived value of suppressing stolen data, an outcome increasingly understood by larger, more mature organizations.

Impact, Not Size, Remains the Primary Cost Driver: Despite periodic spikes, the underlying trend remains intact: company size does not reliably predict ransom size. Instead, payment magnitude continues to correlate most strongly with incident impact, particularly the loss of critical systems, ineffective backups, and prolonged recovery timelines, further undermining the economic assumptions behind traditional big-game hunting strategies.

Trend Analysis

Ransom Payment Rates Continue to Set New Lows: Ransom payment rates have continued their long-term decline, reaching approximately 20% in the most recent quarter, representing a new historical low and extending the multi-year downward trajectory observed since 2020.

Operational Resilience Is Reducing Reliance on Decryption Keys: Organizations across both enterprise and mid-market segments are increasingly able to withstand encryption-driven disruption and restore operations without relying on a threat actor's decryption key. This reflects tangible improvements in backup integrity, recovery planning, and incident response execution.

The Plateau Is Downward Sloping: Where payment rates previously oscillated in the 25-35% range, the most recent data indicates a clear break below that band. Rather than short-term volatility, the trend now suggests a structurally lower equilibrium for ransom payments across impact scenarios, including encryption and data exfiltration.

Starving the Extortion Economy Requires Collective Discipline: Each avoided ransom payment removes oxygen from the cyber extortion ecosystem. The cumulative effect of improved prevention, reduced blast radius, and disciplined response decision-making continues to erode attacker economics, particularly for volume-driven RaaS operations.

Decline Reflects Maturity, Not Reduced Threat Activity: This downward trend should not be misinterpreted as a reduction in attack frequency. Instead, it reflects improved organizational maturity: better preparation, stronger recovery options, and a growing recognition that ransom payment, particularly to suppress stolen data, offers diminishing utility.

Sustained Pressure Is Essential to Long-Term Impact: Contracting the cyber extortion economy requires continued pressure from defenders, insurers, advisors, regulators, and law enforcement. While zero may remain an asymptote rather than an immediate destination, the trajectory demonstrates that coordinated effort can materially weaken attacker incentives over time.

Data-Exfiltration-Only Payments Remain Structurally Low Despite Short-Term Volatility: While DXF-only payment rates show quarter-to-quarter fluctuation, the most recent data point sits at approximately 25%, remaining well below historical norms and reinforcing that data-theft-only extortion continues to convert poorly for threat actors.

Non-Payment Is Now the Default Starting Position: The sustained suppression of DXF-only payment rates reflects a meaningful shift in incident response posture. Enterprises increasingly begin data-exfiltration incidents from a default assumption of non-payment rather than treating payment as a primary mitigation lever.

Growing Consensus That Paying Does Not Reduce Risk: Experience and investigation continue to validate that ransom payment offers little to no durable benefit in DXF-only cases:

- Stolen data is frequently retained, resold, or re-leveraged regardless of payment.
- Commitments to suppress or delete data are routinely unverifiable.
- Payment does not reliably prevent future targeting or secondary extortion.

Re-Extortion and Data Recycling Undermine Cyber Criminal Trust Economics: As the pool of high-value, solvent victims contracts, threat actors increasingly revisit known victims or resell stolen data to third parties. This erodes the already fragile trust model underpinning DXF-only extortion and further weakens payment as a rational control.

Threat Actor Pressure Is Economic, Not Reputational: DXF-only campaigns persist not because they are highly successful but because they are cheap to execute and scalable. Lower operational costs allow actors to tolerate poor conversion rates while applying broad pressure across many victims.

Strategic Implication for Defenders: The data reinforces a critical principle: DXF-only extortion is best managed as a legal, regulatory, and communications challenge, not a negotiation problem. Investments in breach response planning, privacy counsel readiness, and stakeholder communications continue to deliver higher return than ransom payment.
Types of Ransomware

Market Share of Ransomware Attacks
Consistent with our discussion of why zero-day downstream campaigns are losing their efficacy, it is interesting to note that the top two variants in Q4, which have held that spot for several quarters now, both employ encryption as the primary impact driver. Both exfiltrate data as well, but encryption is the primary source of leverage. Slots 3-6 on the market share board are data-exfiltration-only actors. As data-exfiltration-only attacks yield less and less financial success, we expect Akira, Qilin, and other actors that rely on encryption to be relatively more successful vs. data-exfiltration-only groups.

Attack Vectors

Remote access compromise remained the dominant initial access vector in Q4 2025, reaffirming that attackers overwhelmingly favor identity-backed footholds over malware-driven entry. What "remote access" represents has fundamentally changed: beyond VPNs and RDP, it now encompasses SaaS administrative access, OAuth tokens, API integrations, and delegated trust relationships. Attackers are not breaking controls so much as operating within them: logging in, being provisioned, or inheriting access through workflows designed for legitimate use. Most compromises succeeded not because systems were unpatched but because configuration debt persisted: stale credentials, legacy local accounts left behind after migrations, and insufficient visibility into cloud identity and token usage.

Phishing and social engineering appeared to decline in Q4, but this reflects absorption into remote access outcomes rather than reduced attacker reliance on human trust. Social engineering has become the enabling mechanism for durable access: convincing help desks to issue credentials, obtaining OAuth consent, or legitimizing attacker activity inside SaaS platforms. As a result, campaigns increasingly register as remote access compromise instead of phishing, despite people remaining the critical control failure. Q4 activity continued to demonstrate how impersonation, vishing, SEO poisoning, and abuse of trusted vendors or integrations allow attackers to establish long-lived, platform-native access with minimal technical indicators prior to data theft.

Software vulnerability exploitation continued its slow but consistent rise in Q4, remaining less frequent than credential-based access but disproportionately impactful when successful. While Cl0p's zero-day campaigns contributed to the rise, most exploitation activity was opportunistic, capitalizing on delayed patching, incomplete migrations, exposed management interfaces, and residual credentials. Even fully patched environments were compromised when legacy access paths remained open. Once exploited, these footholds often led quickly to data exfiltration or lightweight ransomware deployment, reinforcing that exploitation today is less about persistence and more about speed to impact.

Q4 2025 reinforces that identity is the primary intrusion surface, not endpoints or malware, and that social engineering, SaaS access, and remote footholds are now inseparable elements of the same access problem. The majority of successful breaches still stem from failures in process, trust, and access hygiene rather than missing tools or signatures. Defense strategies that prioritize identity controls, access governance, and visibility across both infrastructure and SaaS, alongside patching, are better aligned with how attackers actually gain and retain access today.

TTPs

Lateral Movement (TA0008)

Lateral movement remained one of the most consistently observed tactics in Q4 2025, appearing in 65% of cases and continuing to serve as the operational backbone of modern intrusions. The decline from Q3 does not signal reduced adversary reliance but more likely reflects faster containment and improved visibility earlier in the attack lifecycle. Threat actors continue to abuse legitimate administrative protocols and tooling (e.g., RDP, SSH, PsExec, and native management utilities) to expand access, escalate privileges, and position themselves for data theft and encryption.

Exfiltration (TA0010)

Exfiltration remained a defining feature of extortion operations in Q4, observed directly in 61% of cases despite a notable decline from prior quarters. This apparent reduction masks the underlying reality: confirmed data exfiltration occurred in 94% of incidents overall and in 62% of cases where encryption was present. The statistical drop reflects quieter, faster exfiltration methods, increased cloud- and SaaS-based intrusions, and a continued shift toward extortion-only pressure models, rather than reduced attacker interest in data theft.

Defense Evasion (TA0005)

Defense evasion re-entered the Top 5 in Q4, observed in 43% of cases, reflecting attacker prioritization of remaining undetected long enough to complete staging and exfiltration. Techniques increasingly targeted endpoint controls, identity telemetry, and logging gaps, allowing adversaries to suppress early warning signals while operating within legitimate tooling and workflows. The resurgence of defense evasion aligns directly with the high rate of confirmed exfiltration in Q4, underscoring that successful extortion now depends as much on minimizing detection as it does on gaining access or deploying payloads.

Impact (TA0040)

Impact tactics declined again in Q4, appearing in 41% of observed cases, but this remains a visibility artifact rather than a reduction in attacker intent. Encryption was still confirmed in the majority of incidents, with 68% of cases involving encryption. As in prior quarters, forensic evidence of impact is frequently lost in virtualized and cloud-heavy environments, where administrative lockouts, rapid rebuilds, and system reinstalls erase telemetry. The data reflects a growing gap between observed impact and real-world disruption, not diminished operational damage, as attackers continue to manipulate or destroy backups to amplify pressure during negotiations.

Credential Access (TA0006)

Credential access appeared in 39% of Q4 cases and remains a consistent enabler, tightly coupled with lateral movement, defense evasion, and exfiltration. Credentials are often reused, replayed, inherited, or obtained through trust relationships rather than freshly harvested, blurring traditional kill-chain sequencing. This identity-centric access model supports the high rate of confirmed exfiltration by allowing attackers to move and operate without triggering conventional alarms. Credential abuse in Q4 reinforces that identity protection is a control-plane problem rooted in access governance, lifecycle management, and visibility, not merely an authentication challenge.

Victimology

In Q4 2025, ransomware activity was unevenly distributed across industries, with a clear concentration in service-oriented and operationally critical sectors. Professional Services experienced the highest share of attacks at 18.92%, followed by Healthcare at 15.32%, reflecting attackers' preference for targets with high downtime sensitivity and pressure to restore operations quickly. Technology-related sectors also featured prominently, including Technology Hardware & Equipment (9.91%) and Software & Services (7.21%), alongside Consumer Services (9.01%). Financial Services and Retailing each accounted for 6.31% of observed attacks, while the Public Sector represented 5.41%. In contrast, asset-heavy or more regulated industries such as Utilities (0.90%), Automotive (1.80%), Transportation (1.80%), and Media (1.80%) saw comparatively lower levels of activity, underscoring a continued attacker focus on sectors where disruption translates most directly into leverage.

The median company size impacted by a ransomware attack in Q4 2025 was 200 employees (a 45% change from Q3 2025). Ransomware incidents in Q4 2025 were most heavily concentrated among small and mid-sized organizations, highlighting attackers' continued preference for targets with limited security resources and high operational exposure. Companies with 11 to 100 employees accounted for the largest share of attacks at 38%, followed closely by organizations with 101 to 1,000 employees at 31%. Mid-market firms with 1,001 to 10,000 employees represented another 17%, reinforcing that the bulk of ransomware activity sits well below the enterprise tier. By contrast, very large organizations were attacked far less frequently, with companies over 100,000 employees accounting for just 2% of cases and those with 50,001 to 100,000 employees at 3%. Notably, organizations in the 25,001 to 50,000 employee range saw no observed incidents, underscoring how ransomware campaigns continue to skew toward smaller, more numerous, and operationally constrained targets rather than the largest global enterprises.

PO Box 621, 275 Post Road E, STE 10, Westport, CT 06881. Copyright 2025 Coveware, Inc. All Rights Reserved.