Shapefin

Ransomware Shifts: Coveware by Veeam Q2 2025 Report Highlights Social Engineering and Data Exfiltration Dominance

Coveware by Veeam, a prominent authority in ransomware response and cyber extortion trends, has released its Q2 2025 ransomware report, which details a significant increase in targeted social engineering attacks and a rise in ransom payments attributed to advanced data exfiltration tactics.

Bill Siegel, CEO of Coveware by Veeam, stated that the second quarter of 2025 represents a pivotal moment in ransomware, with targeted social engineering and data exfiltration emerging as the primary attack strategies. Siegel emphasized that attackers are increasingly targeting personnel, processes, and data reputation, urging organizations to prioritize employee awareness, strengthen identity controls, and treat data exfiltration as an immediate risk rather than an afterthought.

Key findings from the Q2 2025 report indicate that social engineering is a dominant threat. Three major ransomware groups—Scattered Spider, Silent Ransom, and Shiny Hunters—were particularly active, shifting from mass opportunistic attacks to precision strikes. These groups employed novel impersonation tactics against help desks, employees, and third-party service providers across various sectors.

Ransom payments saw substantial increases, with the average payment soaring by 104% from Q1 2025 to $1.13 million, and the median payment doubling to $400,000. This spike is largely attributed to larger organizations making payments following incidents that primarily involved data exfiltration, even as the overall rate of organizations paying ransoms remained constant at 26%.

Data theft has surpassed encryption as the primary method of extortion, being a factor in 74% of all cases. Many campaigns are now prioritizing data theft over traditional system encryption. The report also notes an increase in multi-extortion tactics and delayed threats, prolonging the impact on organizations beyond the initial breach.

Industries most affected included professional services (19.7%), healthcare (13.7%), and consumer services (13.7%). Mid-sized companies, specifically those with 11 to 1,000 employees, constituted 64% of victims, indicating they are a target for attackers seeking a balance between potential payouts and less robust defenses.

Attack techniques continue to evolve, though the human factor remains a key vulnerability. Credential compromise, phishing, and the exploitation of remote services are still common initial access methods, and attackers are increasingly bypassing technical controls through social engineering. The report also highlights the exploitation of vulnerabilities in widely used platforms such as Ivanti, Fortinet, and VMware, as well as a rise in “lone wolf” attacks by experienced extortionists using generic, unbranded toolkits.

New entrants have reshaped the ransomware rankings for Q2. Akira accounted for 19% of incidents, Qilin for 13%, and Lone Wolf for 9%. Silent Ransom and Shiny Hunters entered the top five variants for the first time.

Coveware by Veeam assists cyber extortion victims through services including rapid forensic triage, extortion negotiation and remediation, cryptocurrency settlements, and decryption. The company draws on real-time incident response, proprietary forensic tools like Recon Scanner, and comprehensive documentation of threat actor behaviors, attack vectors, and negotiation outcomes to provide insights into the threat landscape. These findings are shared with customers to help them reduce risks, enhance their security posture, and ensure rapid recovery.

Select capabilities from Coveware by Veeam are integrated into broader Veeam offerings, including Veeam Data Platform and the Veeam Cyber Secure Program, extending these insights and capabilities to a wider customer base.

Veeam Software, headquartered in Seattle with offices in over 30 countries, focuses on data resilience, offering solutions for data backup, recovery, portability, security, and intelligence. The company protects over 550,000 customers worldwide, including 67% of the Global 2000.
