TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Coveware

Insider Threats Loom while Ransom Payment Rates Plummet

Bill Siegel · 2025-10-24

ATT&CK techniques detected

20 predictions
T1486 Data Encrypted for Impact
93%
"insider threats loom while ransom payment rates plummet table of contentscyber extortion landscapepayment ratestypes of ransomwareattack vectorsttpsvictimology as we enter the final quarter of 2025, the cyber extortion landscape has split along two clear paths : volume - driven r…"
T1657 Financial Theft
92%
"moth ) leverages different flavors of callback phishing, targeting firms narrowly in the insurance and law firm verticals. the bbc story cited in this report reveals how the medusa ransomware gang — a group we would characterize as a traditional opportunistic raas — has pivoted t…"
T1657 Financial Theft
92%
"prioritize selective, high - profile targets. other actors get caught up with “ shiny object syndrome ” — an attempt to tailor attacks only to enterprises above a certain size or perceived financial capacity. that latter strategy is substantially more expensive for attackers, res…"
T1486 Data Encrypted for Impact
89%
"raas structure rose to prominence and before data exfiltration became adopted as a standard tactic, ransomware actors ran the operation from a to z. they wrote the ransomware code, carried out the attacks, and handled the negotiations themselves. in this era, actors enjoyed relat…"
T1486 Data Encrypted for Impact
89%
"was to compromise the organization ’ s systems and hold its data for ransom. the significance of this case study cannot be overstated. while insider threats have always posed risk, they typically manifested as data - theft - only events — for example, disgruntled employees exfilt…"
T1486 Data Encrypted for Impact
85%
"rank ransomware type market share % change in ranking from q2 2025 1 akira 34 % - 2 qilin 10 % - 3 lone wolf 6 % - 4 lynx 5 % new in top variants 5 shiny hunters 4 % + 1 5 kawa4096 4 % new in top variants market share of the ransomware attacks akira and qilin retain their # 1 and…"
T1657 Financial Theft
80%
"was to compromise the organization ’ s systems and hold its data for ransom. the significance of this case study cannot be overstated. while insider threats have always posed risk, they typically manifested as data - theft - only events — for example, disgruntled employees exfilt…"
T1219 Remote Access Tools
79%
"and - control re - entered the top 5 as a dominant supporting tactic, observed in more than half of q3 cases. threat actors increasingly favor commercial and open - source remote - administration and monitoring tools, often hosted on encrypted, cloud - based infrastructure. threa…"
T1486 Data Encrypted for Impact
76%
"moth ) leverages different flavors of callback phishing, targeting firms narrowly in the insurance and law firm verticals. the bbc story cited in this report reveals how the medusa ransomware gang — a group we would characterize as a traditional opportunistic raas — has pivoted t…"
T1486 Data Encrypted for Impact
74%
"growing focus on “ white whale ” organizations — large - scale, high - value targets. in the past, this wouldn ’ t have been as necessary given the vast availability of mid - market victims. enterprises should re - evaluate the maturity of their insider threat programs — both for…"
T1657 Financial Theft
61%
"which is the change in cyber extortion victimology. previously, these groups relied largely on access broker relationships ( e. g., trickbot / emotet ), stolen credentials, and known vulnerabilities to choose victims. this led to a victim landscape that was very much random ( i. …"
T1078.004 Cloud Accounts
60%
"— remote access compromise, phishing / social engineering, and software vulnerability exploitation — remain at the core of intrusion activity, but the distinctions between them are increasingly blurred. the modern intrusion no longer begins with a simple phishing email or an unpa…"
T1486 Data Encrypted for Impact
59%
", but a widening visibility gap. threat actors remain focused on maximizing disruption, particularly through the manipulation or deletion of backup infrastructure, knowing that undermining recovery amplifies payment pressure. discovery [ ta0007 ] discovery maintained its position…"
T1486 Data Encrypted for Impact
59%
"from all industry participants. collectively, we can drive this chart to the zero asymptote over time. for data exfiltration - only incidents ( no encryption, only the threat of public release ), ransom payments fell to 19 % in q3 2025, another record low. while this resolution r…"
T1657 Financial Theft
58%
"raas structure rose to prominence and before data exfiltration became adopted as a standard tactic, ransomware actors ran the operation from a to z. they wrote the ransomware code, carried out the attacks, and handled the negotiations themselves. in this era, actors enjoyed relat…"
T1486 Data Encrypted for Impact
57%
"which is the change in cyber extortion victimology. previously, these groups relied largely on access broker relationships ( e. g., trickbot / emotet ), stolen credentials, and known vulnerabilities to choose victims. this led to a victim landscape that was very much random ( i. …"
T1078.004 Cloud Accounts
49%
"or abusing help - desk processes to gain oauth authorization, demonstrated how human trust can be engineered into a technical foothold. this hybrid technique redefines “ remote access ” as much psychological as technical. software vulnerability exploitation rose modestly but rema…"
T1657 Financial Theft
40%
"insider threats loom while ransom payment rates plummet table of contentscyber extortion landscapepayment ratestypes of ransomwareattack vectorsttpsvictimology as we enter the final quarter of 2025, the cyber extortion landscape has split along two clear paths : volume - driven r…"
T1486 Data Encrypted for Impact
39%
"proliferation of stolen data has de minimis to zero utilitymid - market attacks ( as profiled with akira ) are relatively more likely to result in a ransom payment of lesser amount. smaller organizations cannot afford large ransoms but remain easier to disrupt. groups like akira …"
T1486 Data Encrypted for Impact
38%
"prioritize selective, high - profile targets. other actors get caught up with “ shiny object syndrome ” — an attempt to tailor attacks only to enterprises above a certain size or perceived financial capacity. that latter strategy is substantially more expensive for attackers, res…"

Summary

The percentage of companies choosing to pay ransoms dropped significantly, while threat actors shift their tactics in response to decreasing profits.