Coveware by Veeam has published its report on ransomware in the second quarter of 2025, which highlights a drastic escalation in attacks driven by targeted social engineering and an increase in ransom payments driven by sophisticated data exfiltration tactics.
According to Bill Siegel, CEO of Coveware by Veeam: "The second quarter of 2025 marks a turning point in the ransomware landscape, with targeted social engineering and data exfiltration consolidating as the predominant methods. Attackers are not only going after backups: they are targeting employees, processes and data reputation. Organizations must prioritize the training of their employees, reinforce identity controls and treat data exfiltration as an urgent risk, not a secondary one."
According to the report, social engineering drives the greatest threats. The groups Scattered Spider, Silent Ransom and Shiny Hunters were the most active in the period, and used social engineering to infiltrate organizations across multiple sectors.
These groups abandoned mass attacks in favor of more precise strikes, using novel impersonation tactics aimed at technical support, employees and external suppliers.
Ransom payments, meanwhile, reached record highs. The average and median ransom payments shot up to $1.13 million (104% more than in the first quarter of 2025) and $400,000 (100% more), respectively.
This increase is attributed to larger organizations paying ransoms even in incidents where only data exfiltration occurred. Meanwhile, the overall proportion of organizations that pay ransoms remained stable at 26%.
Data theft has overtaken encryption as the main extortion method. Exfiltration was present in 74% of all cases, with many campaigns now prioritizing data theft over traditional encryption. Multi-extortion tactics and prolonged threats are increasing, which keeps organizations a target beyond the initial breach.
The hardest-hit sectors were professional services (19.7%), healthcare (13.7%) and consumer services (13.7%). Medium-sized companies accounted for 64% of victims, making them ideal for attackers seeking a balance between payment potential and less developed defenses.
Attack techniques evolve, but the human factor remains the greatest vulnerability. Credential compromise, phishing and the exploitation of remote services remain the main initial access vectors, with attackers increasingly bypassing technical controls through social engineering.
These groups regularly exploit vulnerabilities in widely used platforms such as Ivanti, Fortinet or VMware, and attacks by "lone wolves", experienced extortionists who use generic and unidentified tools, are on the rise.
However, new actors have reshaped the ransomware landscape. The most prominent variants of the quarter were Akira (19%), Do (13%) and Lone Wolf (9%), while Silent Ransom and Shiny Hunters entered the top five for the first time.