Verizon DBIR Shows Ransomware Involved in 44% of Data Breaches
The 2025 Verizon Data Breach Investigations Report (DBIR) highlights a troubling rise in ransomware incidents across organizations of all sizes. In large enterprises, ransomware played a role in 39% of breaches, while small and medium-sized businesses (SMBs) experienced ransomware in 88% of breach cases.
With this surge, ransomware has overtaken stolen credentials as the most common action in breaches and is nearly on par with denial-of-service (DoS) attacks in overall incident frequency, something previously thought unlikely.
Ransomware was present in 44% of all reviewed breaches, a significant jump from 32% the year before. It also featured in 31% of all reported incidents, more than doubling from 14% in the prior year.
The DBIR includes both traditional encrypting ransomware and pure extortion attacks (non-encrypting), which had previously been categorized separately but are now grouped together for clarity.
In terms of financial impact, the median ransom payment in 2024 dropped to $115,000, down from $150,000 in 2023. This follows a sharp increase the year before and reflects a notable reduction in high-end ransom demands, with 95% of payments under $3 million—far lower than the $9.9 million cap seen in 2023.
The decline in ransom amounts may be tied to a shift in victim behavior. In 2024, 64% of organizations refused to pay ransoms, up from 50% in 2022. This growing resistance could be one reason behind the lower overall payments.
The findings align with broader trends observed by other researchers, who also noted a 35% decrease in blockchain-tracked ransomware payments over the past year. While the numbers suggest progress, the continued growth in ransomware incidents signals a threat that remains very much on the rise.
Takeaway: Once again, Halcyon was proud to contribute to the 2025 Verizon DBIR, and while there are a few stats in this year’s report that might make you pause and say, “Hey, maybe things are turning a corner,” let’s not kid ourselves—the ransomware threat is still on a steep upward climb.
Big orgs, small orgs—nobody’s getting a pass. Ransomware made up nearly 40% of breaches in large enterprises and a staggering 88% in SMBs. That’s not just a trend—that’s an escalation.
And here’s the thing: as comprehensive as the DBIR is, it only scratches the surface of the true cost. It doesn’t capture the brand damage when your company name is splashed across headlines, the production downtime that eats into revenue, or the legal and regulatory nightmares that come knocking after an attack.
Ransomware today isn’t just a technical problem—it’s a business problem. And no one is immune. That’s why the playbook needs to evolve. Prevention is table stakes, but it’s not enough.
You need behavioral detection that can recognize ransomware before it does real harm, and you need resilience—tools that let you bounce back fast when the worst happens. Because these days, it’s not if you’ll be targeted, it’s when.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.