The average ransomware payment has increased to $3.6m this year, up from $2.5m in 2024 – a 44% surge despite a decline in the overall number of attacks.

Findings from ExtraHop's 2025 Global Threat Landscape Report point to a clear evolution in cybercriminal strategy: fewer, more targeted operations that aim for higher returns and longer-lasting impact.

Fewer Attacks; Higher Stakes

The report surveyed 1800 IT and security leaders across seven countries, who reported an average of five to six ransomware incidents over the past year, down roughly 25% from 2024.

While the number of attacks dropped, the damage intensified. Seventy percent of affected organizations paid the ransom, and payouts in critical sectors were significantly higher than average. Healthcare and government agencies faced the most significant financial burdens, both with payouts of nearly $7.5m, while finance averaged $3.8m per incident.

The report attributes this escalation to increasingly disciplined adversaries. Groups such as RansomHub, LockBit and DarkSide continue to dominate, refining their methods to maximize leverage.

“The combination of sophisticated attackers and a broader attack surface is a dangerous one,” ExtraHop wrote.

“It makes attacks harder to detect and gives criminals a significant head start.”

Expanding Attack Surfaces and Entrenched Threats

The study identified public cloud infrastructure (53.8%), third-party integrations (43.7%) and generative AI applications (41.9%) as the top sources of cybersecurity risk. These interconnected systems are widening the attack surface and complicating defense efforts.