Ransomware now plays a role in nearly half of all breaches, new research finds
An examination of thousands of data breaches last year found that ransomware was involved in 44% of incidents, according to researchers at Verizon.
The telecom giant published its 2025 Data Breach Investigations Report (DBIR) on Wednesday, featuring an analysis of over 22,000 security incidents and 12,195 confirmed data breaches.
Ransomware was featured prominently throughout the 117-page report — which found that generally most hackers are still abusing legitimate credentials or exploiting vulnerabilities to gain access to an organization’s most sensitive files.
Once hackers are inside a network, Verizon said it is increasingly seeing ransomware present; only one-third of incidents involved ransomware in 2023.
But there is good news: more victims than ever are refusing to pay ransoms and those who do are typically paying less.
Verizon found that 64% of ransomware victims did not pay the ransoms — which was up from 50% two years ago — and the median amount paid to ransomware groups has decreased to $115,000 (from $150,000 last year).
“This could be partially responsible for the declining ransom amounts. Ransomware is also disproportionately affecting small organizations,” the researchers said. “In larger organizations, Ransomware is a component of 39% of breaches, while small and medium-sized businesses experienced ransomware-related breaches to the tune of 88% overall.”
The number of large ransoms paid has also decreased, with Verizon finding that 95% of the ransoms paid came in at less than $3 million in 2024. That number represents a stark difference from 2023, when the figure was at $9.9 million.
One section of the report focusing on specific industries noted that ransomware “is a problem across all industries and is only getting worse” — explaining that financial firms, manufacturing and governments have all seen increases in targeting by ransomware groups.
Verizon found that about 43% of ransomware victims in the government sector represent local governments in locations such as the Southeast and Midwest. Small councils in Europe, Middle East and Africa also continue to face a deluge of ransomware attacks.
Craig Robinson, research vice president at IDC, said the report was a mixed bag of successes and failures.
“Glass-half-full types can celebrate the rise in the number of victim organizations that did not pay ransoms with 64% not paying vs 50% two years ago,” he said.
“The glass-half empty personas will see in the DBIR that organisations that don’t have the proper IT and cybersecurity maturity — often the SMB sized organisations, are paying the price for their size with ransomware being present in 88% of breaches.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.