Coveware by Veeam has reported a significant rise in ransomware activity during the second quarter of 2025, driven largely by targeted social engineering and data theft. The company’s latest quarterly report highlights record ransom payouts and the growing importance of data resilience in defending against increasingly sophisticated attacks.
Social engineering and data exfiltration dominate attacks
According to the report, three ransomware groups — Scattered Spider, Silent Ransom, and Shiny Hunters — were responsible for many of the quarter’s most damaging incidents. These groups have shifted from broad, opportunistic campaigns to highly targeted attacks, using advanced impersonation techniques to deceive help desks, employees, and third-party providers.
Bill Siegel, CEO of Coveware by Veeam, said: “The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook. Attackers aren’t just after your backups – they’re after your people, your processes, and your data’s reputation. Organisations must prioritise employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought.”
The analysis shows that data exfiltration was present in 74% of cases, with many attackers now focusing on stealing sensitive information rather than encrypting systems. Multi-extortion tactics and delayed threats have also become more common, prolonging the risk period for victims.
Record ransom payouts and targeted industries
Ransom demands have climbed sharply, with average payments rising to US$1.13 million, a 104% increase from the previous quarter, and median payments doubling to US$400,000. This surge was fuelled by larger organisations paying after data-theft-only incidents, even though the overall proportion of companies paying ransoms remained at 26%.
The most targeted industries were professional services (19.7%), healthcare (13.7%), and consumer services (13.7%). Mid-sized businesses employing between 11 and 1,000 staff accounted for 64% of victims, making them an attractive target due to their potential payout value and often less mature security measures.
Evolving threats and shifting ransomware landscape
Credential theft, phishing, and remote service exploitation remain the most common entry points. Attackers are increasingly bypassing technical controls through human manipulation, while vulnerabilities in widely used platforms such as Ivanti, Fortinet, and VMware continue to be exploited. The report also notes an increase in so-called “lone wolf” attacks, where experienced extortionists operate independently using unbranded tools.
Akira was the most prevalent ransomware variant in Q2, accounting for 19% of cases, followed by Qilin (13%) and Lone Wolf (9%). Silent Ransom and Shiny Hunters entered the top five rankings for the first time, signalling the emergence of new influential players in the ransomware ecosystem.
Coveware by Veeam’s findings draw from its direct involvement in ransomware cases, using real-time incident response, proprietary forensic tools, and detailed tracking of threat actor behaviour. This approach provides a comprehensive and timely view of the threat landscape, helping organisations strengthen their defences and prepare for recovery.