ExtraHop® Report Finds Ransomware Payouts Hit Record Highs as Attackers Adapt

Data reveals a shift from quick-hit attacks to stealthy, persistent threats that are harder to detect

ExtraHop®, a leader in modern network detection and response (NDR), today released the 2025 ExtraHop Global Threat Landscape Report, which offers a comprehensive analysis of the ever-shifting cybersecurity landscape. The report examines the ever-expanding attack surface, detailing the evolving tactics threat actors are leveraging to exploit organizations and carry out lucrative attacks.

According to the findings, threat actors are shifting away from broad, indiscriminate attacks to a more targeted approach that yields more impactful results. As IT environments grow increasingly complex and attack surfaces expand, threat actors are able to capitalize on blind spots, spending more time inside an organization to cause greater damage and achieve higher payouts.

Ransomware payouts skyrocket as attackers evolve their tactics

While the frequency of ransomware attacks has dropped from 8 incidents per organization to 5-6 incidents in the last year, the average ransomware payment has surged by more than a million dollars, from $2.5M to $3.6M.

The offset between frequency and cost comes as attackers have evolved to move undetected within an organization’s environment. According to the data, threat actors had access to networks for nearly two weeks on average before launching an attack. In fact, nearly a third of organizations only noticed they were being targeted by a ransomware attack after data exfiltration had already begun.

Delays in response can translate to more downtime

Organizations take more than two weeks to respond to and contain a security alert. This delay in response can give attackers time to maximize damage, with the research showing organizations experience an average downtime of more than 37 hours after an incident occurs.

Threat actors targeting critical infrastructure and government are among the most active

RansomHub (26.8%), LockBit (26.5%), Darkside (25.7%), APT41 (24%), and Black Basta (23.4%) were the threat actors most detected in organizations’ environments last year. Similarly, LockBit (33.3%), Darkside (33.3%), Black Basta (33.3%), and RansomHub (25.6%) were among the groups most active in the government space.

Old tactics are still a favorite for compromising today's digital landscapes

As attack surfaces expand, organizations say the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%) pose the most significant cybersecurity risks to their organization. The tactics attackers use to gain network access vary, with the traditional method of phishing and social engineering (33.65%) taking the top spot, followed by software vulnerabilities (19.43%), third-party/supply chain compromise (13.4%), and compromised credentials (12.2%).

Limited visibility undermines security efforts

The top challenges hindering a timely response to security threats include limited visibility into the entire environment (41%), overwhelming alert volume (34%), disparate and poorly integrated tools (34%), and inefficient or manual SOC workflows (34%). Visibility was a top challenge in critical industries such as telecom, finance, and education.

“This research validates what we’ve been seeing firsthand: motivated attackers are exploiting new entry points to bypass traditional defenses and remain hidden inside a network until the time is right to strike,” said Raja Mukerji, Co-founder and Chief Scientist, ExtraHop. “The reality is, threats will always find a way in, and organizations must be able to detect threats as they move laterally between systems to escalate privileges and exfiltrate data. Enterprises that lack the ability to not only see, but also contextualize, every bit of network traffic will continue being targeted and plagued by costly downtime and ransom payments.”

Download the 2025 ExtraHop Global Threat Landscape Report.

*This survey was conducted by Censuswide.*

About ExtraHop®

ExtraHop empowers enterprises to stay ahead of evolving threats with the most comprehensive approach to network detection and response (NDR).

Since 2007, the company has helped organizations across the globe extract real-time insights from their hybrid networks with the most in-depth network telemetry. ExtraHop uniquely combines NDR, network performance management (NPM), intrusion detection (IDS), and packet forensics in a single, integrated console for complete network visibility and unparalleled context that supports data-driven security decisions. With a powerful all-in-one sensor and cloud-scale machine learning, the ExtraHop RevealX™ platform enhances SOC productivity, reduces overhead, and elevates security postures.

Unlock the full power of network detection and response with ExtraHop. To learn more, visit www.extrahop.com or follow us on LinkedIn.

© 2025 ExtraHop Networks, Inc., RevealX, RevealX 360, RevealX Enterprise, and ExtraHop are registered trademarks or trademarks of ExtraHop Networks, Inc.
