
Ransomware Payouts Hit Record Highs, ExtraHop Research Finds

ExtraHop’s 2025 Threat Landscape Report reveals that attackers are evolving, with fewer but more targeted ransomware attacks driving record-high $3.6M payouts.

Written By
Jordan Smith
Oct 21, 2025

ExtraHop, a provider of modern network detection and response (NDR), recently released its threat landscape report, finding that attackers are adapting, leading to record-high ransomware payouts.

2025 threat report shows shift to more targeted attacks

The 2025 ExtraHop Global Threat Landscape Report is an analysis of the shifting cybersecurity landscape. It examines the ever-expanding attack surface, detailing the evolving tactics threat actors leverage to carry out sophisticated and lucrative attacks on organizations.

The 2025 edition of the report finds that threat actors are shifting away from broad, indiscriminate attacks toward more targeted ones for greater impact. As attack surfaces grow larger and more complex, threat actors are capitalizing on blind spots, spending more time inside an organization and acting more patiently to cause greater damage and achieve higher payouts.

With threat actors spending more time within an organization, the frequency of ransomware attacks has dropped. The report says that ransomware attacks have dropped from eight incidents per organization to roughly five or six incidents in the last year. Further, the average ransomware payment has surged by more than a million dollars, from $2.5 million to $3.6 million.

“The offset between frequency and cost comes as attackers have evolved to move undetected within an organization’s environment,” ExtraHop said about the report. “According to the data, threat actors had access to networks for nearly two weeks on average before launching an attack. In fact, nearly a third of organizations only noticed they were being targeted by a ransomware attack after data exfiltration had already begun.”

Orgs take over two weeks to contain security alerts and experience more than 37 hours of downtime

The report also found that organizations take more than two weeks to respond to and contain a security alert. This gives attackers more time to maximize damage. The report shows that organizations experience an average downtime of more than 37 hours after an incident occurs.

Other key findings in the report include:

  • Threat actors targeting critical infrastructure and government are the most active: RansomHub (26.8%), LockBit (26.5%), Darkside (25.7%), APT41 (24%), and Black Basta (23.4%) were the most detected in organizations’ infrastructure last year. Further, LockBit, Darkside, and Black Basta (33.3% each), and RansomHub (25.6%), were among the threat actor groups most active in government spaces.
  • Old tactics are still a hallmark of compromising the digital landscape: Organizations surveyed said that public cloud (53.8%), third-party services and integrations (43.7%), and generative AI (41.87%) are the most significant cybersecurity risks to their organization. The tactics threat actors are using to gain network access vary. Still, traditional methods of phishing and social engineering (33.65%) take the top spot, with software vulnerabilities (19.43%), third-party/supply chain compromise (13.4%), and compromised credentials (12.2%) taking up the next spots on the list.
  • Limited visibility impedes security efforts: Among the top challenges hindering a timely response to security threats are limited visibility into the entire environment (41%), overwhelming alert volume (34%), disparate and poorly integrated tools (34%), and inefficient or manual SOC workflows (34%).

ExtraHop’s NDR focus shows path forward

ExtraHop is a leader in modern NDR. As threat actors hide within normal traffic to move laterally throughout the network and expand their control, the company detects them in real time with complete visibility into the East-West corridor.

“At ExtraHop, we solve a critical problem for the enterprise: delivering real, undeniable network visibility that gives security teams the confidence and clarity to stop attacks that others simply can’t,” said Raja Mukerji, co-founder and chief scientist at ExtraHop. “We believe that consistent recognition as a leader by analysts is a powerful vote of confidence in our technology, but the real proof is in the results our customers achieve. Our pioneering approach to modern NDR ensures we don’t just lead, we provide the definitive answer to modern threats.”

For organizations in the channel, it’s essential to stay on top of threat intelligence reports to have a broader understanding of the current threat landscape. Read more about ransomware, phishing, and state-aligned threat activity from the first half of 2025.


Jordan Smith is a news writer who has seven years of experience as a journalist, copywriter, podcaster, and copyeditor. He has worked with both written and audio media formats, contributing to IT publications such as MeriTalk, HCLTech, and Channel Insider, and participating in podcasts and panel moderation for IT events.
