Why Do Ransom Attacks Continue, While Payouts Are Dropping?

So far, payments by victims to ransomware and data extortion gangs are on a steady downward trend. In 2024, ransom payments totaled $813 million, a 35% drop from 2023’s $1.25 billion in payouts. Currently, only 47% of victims have opted to pay.
If the statistics from preceding years are any indication of what the end of 2025 will look like, the trend is clear: organizations are declining to pay even while incidents increase.
Something has changed in the way companies respond to these incidents: they now respond with confidence. Even when cybercriminals issue their templated threats, these businesses have an ace up their sleeve.
That is due in part to the fact that cyberattacks are often covered by insurance providers, who pay for data recovery, backup restoration, and forensic remediation, helping businesses maintain operational continuity without being forced to pay a ransom.
In addition, companies targeted by these kinds of attacks are becoming more aware of the legal risks posed by U.S. Treasury sanctions, namely those enforced by the Office of Foreign Assets Control (OFAC), which prohibits making ransom payments to entities on its sanctions list. Payouts to those groups are therefore off the table, ruling out any dealings with them.
However, fear of civil repercussions for dealing directly with sanctioned cybercrime groups is not the only ingredient behind the drop in ransom payouts. Companies are becoming more confident and refusing to buckle under pressure because they are getting smarter at outwitting cybercriminals.
Cyber Risk Insurance
Companies and cyber risk insurers began taking a new approach to ransom incidents between late 2023 and 2025. Between 2020 and 2022, by contrast, insurers were more inclined to simply approve ransom payments in the hope that doing so would minimize the total damage to the company.
The fact that companies and their insurance providers used to pay off cybercriminals at all underscored the desperation of impacted companies, who simply wanted the threat to go away. Reputational damage is often more difficult to repair than financial loss.
Many insurers began excluding ransom payments from their policies, which left companies in a new situation that demanded a different approach, since those payments were no longer covered.
Insurers that do still cover payments require pre-authorization, meaning the impacted company must obtain the insurer’s written approval before paying. Making an unauthorized payment could void coverage entirely.
Payments to any threat actor group on the OFAC sanctions list are out of the question, given the legal exposure of entering into any kind of agreement with prohibited parties. The insurer may also bring in a ransomware negotiation firm or legal counsel to assist in negotiations.
Some cyber insurers offer lower premiums as an incentive to companies that formally agree to refrain from paying ransoms in the event of a cyberattack. Conversely, those who pay ransoms to sanctioned groups, such as specific ransomware groups affiliated with Russia, Iran, North Korea, and others, risk violating U.S. sanctions laws under OFAC regulations and face civil penalties of up to $330,947 per violation, a figure that is adjusted annually.
Data Recovery
The good news is that companies are getting smarter by anticipating the possibility of ransomware and data extortion attacks and building defences they can fall back on in a worst-case scenario.
In addition to insurance and regulatory guidelines, companies are keeping better backups, allowing them to recover their data and keep operations running. Companies that used to pay ransoms did so because they had no other way to recover their data. Nowadays, companies across many sectors have improved their defences by arming themselves with the tools and strategies to recover without paying criminals off.