
The Evolving Economics of Ransomware: Fewer Payments, Bigger Payouts 

Brad LaPorte
25 Dec 2025
5 min read
Ransomware

In Morphisec’s recent CTO Briefing: The State of Ransomware, Morphisec’s CTO Michael Gorelik outlined one of the most striking ransomware trends of 2025: even as fewer victims are paying ransoms, the overall payout amounts continue to grow.   

This paradox is reshaping how organizations should think about, and prepare for, modern ransomware. Attackers have shifted from opportunistic “spray-and-pray” campaigns to strategic, business-driven extortion models that pursue fewer but far more lucrative victims.  


Why Fewer Victims Are Paying (and Why It Doesn’t Matter)   

In the webinar, Michael highlighted a dramatic drop in the percentage of victims who actually pay ransoms—hovering around just 23–26%. This aligns with other industry research and supports what Morphisec has been reporting throughout the year.   

However, this drop hasn’t slowed attackers. Instead, it has pushed them to adapt—and evolve.   

Key drivers behind the paradox include:   

  • Backups aren’t as reliable as organizations think — As discussed in the briefing, backups often fail due to misconfigurations, partial corruption, or being stored on the same network segments as production systems. Many organizations only discover backup gaps after they’re encrypted or exfiltrated. 
  • Data theft is now central to extortion — Even if encryption fails or is blocked, attackers exfiltrate sensitive data—then threaten regulatory, reputational, and legal fallout to force payment. 
  • Attackers increasingly target high-value environments — As Michael noted, groups like Keeling and Akira prioritize financial institutions, healthcare systems, legal firms, and MSPs where operational downtime is devastating and compliance obligations are tight. 
  • Executives still face a business decision—not a technical one — Boards may opt to pay if the total cost of damage outweighs the ransom itself.  

In other words: ransomware is now less about quantity and more about strategic, high-value strikes. 

Ransomware as a Service: The Criminal Business Behind the Breach   

One of the strongest points Michael emphasized is that ransomware is no longer just malware; it is an industry.

Attackers now operate more like a SaaS company than a hacking crew.   

RaaS groups operate with: 

  • Revenue-sharing models (70/30 or 80/20 splits) 
  • Affiliate pressure systems encouraging high attack frequency 
  • Customer support functions, including leak site management and negotiation 
  • Supply-chain targeting to multiply impact  

Groups like Keeling, Akira, and DragonForce exemplify this ecosystem. As discussed in the webinar, some even offer “pressure services” calling supply-chain partners or customers to intensify ransom negotiations. 

This industrialization explains why ransom amounts are rising: attackers are investing more into each target, and they expect a higher return.   

The Professionalization of Extortion   

Beyond RaaS, Michael’s briefing outlined several trends that reflect just how sophisticated ransomware has become:   

  1. Attackers are more patient. 
    Longer dwell times, multi-stage recon, and stealthy lateral movement are now common. 
  2. Multi-layer extortion is the norm. 
    Double extortion (encrypt + steal) has evolved into triple extortion, leveraging supply-chain pressure and even direct customer outreach.
  3. Timing is deliberate and strategic. 
    Attackers often strike before long weekends, holidays, or fiscal deadlines: moments when downtime is most painful and response capacity shrinks. 
  4. Payouts are growing because victims feel cornered. 
    When exfiltration, regulatory risk, customer impacts, and supply-chain exposure converge, victim organizations often see no choice but to pay. 

For a detailed walk-through of these patterns, the on-demand briefing provides examples drawn from real attacks handled by Morphisec. 

What CISOs Can Learn from the New Ransomware Economics

The core message from the CTO briefing is clear: If ransomware operators are running like businesses, defenders need to think like business leaders—not just security practitioners.   

Here are my top strategic takeaways:   

  1. Understand what makes you valuable to an attacker. 
    Assess business criticality, data sensitivity, and uptime requirements in the same way attackers do. 
  2. Move from reactive to preemptive defense. 
    Traditional detection approaches cannot stop the modern ransomware kill chain. Michael emphasized the need to block attacks early, before encryption or exfiltration begins. 
  3. Harden identity, access, and cloud services. 
    Many of the 2025 attacks exploited misconfigured firewalls, cloud backups, and Microsoft Teams social engineering—topics Michael covers deeply in the webinar. 
  4. Reevaluate backup assumptions. 
    As discussed, backups often fail during real-world incidents unless rigorously validated and segmented. 
  5. Measure cyber risk in business language. 
    Translate ransomware scenarios into financial, operational, and reputational impacts—this is how attackers model their own ROI. 
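
The backup failure modes named above (partial corruption, files that never made it into the backup set, and backup targets sitting on the same network segment as production) are easy to describe and easy to miss until an incident. The following script is an added example, not code from Morphisec or the briefing, showing how a defender can validate those assumptions routinely: it hashes a backup set against the manifest recorded when the backup was written, and checks whether the backup host's address falls inside any production subnet. The production ranges, the backup host address, and the sample files are constructed placeholders for this example.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path

# Hypothetical production address ranges (constructed for this example).
PRODUCTION_SEGMENTS = ["10.10.0.0/16", "192.168.50.0/24"]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record relative path -> SHA-256 for every file in a freshly written backup set."""
    return {
        str(p.relative_to(backup_dir)).replace("\\", "/"): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against the manifest taken when it was written.

    Returns three lists: files that still match, files whose hash changed
    (partial corruption or tampering), and files that are gone entirely.
    """
    report = {"ok": [], "corrupted": [], "missing": []}
    for rel_path, expected in manifest.items():
        target = backup_dir / rel_path
        if not target.is_file():
            report["missing"].append(rel_path)
        elif sha256_of(target) != expected:
            report["corrupted"].append(rel_path)
        else:
            report["ok"].append(rel_path)
    return report


def backup_host_in_production(backup_host: str, production_segments=PRODUCTION_SEGMENTS) -> bool:
    """True if the backup target lives inside a production segment, i.e. it shares the
    blast radius of the systems it is supposed to protect."""
    addr = ipaddress.ip_address(backup_host)
    return any(addr in ipaddress.ip_network(seg) for seg in production_segments)


def build_sample_backup(root: Path) -> dict:
    """Construct a toy backup set, take its manifest, then simulate two real-world
    failures: one file silently truncated (corruption) and one file deleted."""
    files = {
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'sample');\n" * 50,
        "config/app.yaml": b"db_host: 10.10.4.20\nretention_days: 30\n",
        "docs/readme.txt": b"constructed sample backup\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    manifest = build_manifest(root)
    # Simulate partial corruption: the database dump is truncated after the fact.
    (root / "db/customers.sql").write_bytes(files["db/customers.sql"][:100])
    # Simulate a gap: the config file never survived into the backup.
    (root / "config/app.yaml").unlink()
    return manifest


def run_demo() -> dict:
    """Run both checks on the constructed sample and return the combined findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_sample_backup(root)
        report = verify_backup(root, manifest)
    # Hypothetical backup host address, chosen to sit inside a production segment.
    report["backup_on_production_segment"] = backup_host_in_production("10.10.4.20")
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The manifest is only as trustworthy as where it is kept: store it (or at least its own hash) off the backup host, so that an attacker who can rewrite the backup cannot also rewrite the record used to verify it. The segment check is a cheap proxy for the real question, which is whether the backup target is reachable with the same credentials and network paths an intruder would already hold once inside production.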

The Economics of Ransomware Attacks Have Evolved—So Must You 

Ransomware is no longer a volume game.  

It’s a high-return business run by operators who understand leverage, negotiation, and strategic timing. The fewer victims who pay, the more attackers raise the stakes with those who do. 

In the Morphisec CTO Briefing, Michael Gorelik walks through the numbers, real-world cases, and 2026 predictions that every CISO should understand. See the full analysis and prepare your organization for what comes next. Watch the CTO Briefing: The State of Ransomware (On Demand). 


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak, both industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.
