Fear of regulators outweighed the desire to negotiate with the hackers.

Large-scale data extortion campaigns using zero-day vulnerabilities are gradually losing their effectiveness, even when attackers manage to gain access to valuable corporate systems. A new report from Coveware shows that businesses are increasingly reluctant to pay out, and the economics of such attacks are noticeably declining.
In the fourth quarter of 2025, the CL0P group conducted a large-scale operation, exploiting a previously unknown vulnerability in Oracle E-Business Suite. The scheme follows an approach the group has been using for several years. First, they acquire an off-the-shelf tool for exploiting a popular enterprise solution, then compromise the installations of clients and their partners en masse, followed by data extraction and payment demands. No system encryption is used, and pressure is based solely on the fact of information theft.
CL0P previously conducted similar operations through Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and Cleo MFT. While the payment rate in 2021 reached approximately 25%, it dropped sharply in later campaigns. In the MOVEit incident, it was around 2.5%, and in the Cleo attacks, according to Coveware, the affected clients did not transfer any money to the attackers. The campaign against Oracle EBS, despite the sensitivity of the stolen data and the complexity of analyzing the leak, also demonstrated one of the lowest response rates from victims.
The report's authors attribute this to a change in companies' attitudes toward such demands. Organizations better understand the legal implications of incidents and the limitations of this "problem-solving" approach. Paying out doesn't waive the obligation to notify regulators and customers, doesn't protect against lawsuits, and doesn't guarantee the destruction of copies of stolen data. Moreover, once dialogue begins, pressure often escalates and extends beyond digital threats.
A similar pattern was observed in other high-profile hacks, including the Snowflake incidents and attacks on CRM platforms linked to the ShinyHunters group. Although the attacks were widespread and heavily publicized, fund transfers remained rare, and many companies chose to ignore the demands completely.
Ransomware payment statistics at the end of 2025 also indicate a skew. The average transfer amount rose to $591,988, and the median to $325,000. This increase is not due to widespread willingness to pay, but to isolated, large-scale cases where infrastructure downtime was critical. Overall, the share of payments has fallen to approximately 20% and continues to decline.
The most widespread malware families remain Akira and Qilin, which rely on encryption rather than solely on data theft. The primary initial access vector has become the hijacking of remote access and credentials, including for cloud services and SaaS. Social engineering is increasingly being used as an auxiliary tool to obtain legitimate login access.
According to Coveware, the declining profitability of mass data leak campaigns is prompting criminal groups to change tactics. A return to encryption-based attacks and more targeted exploitation of victim network access is likely.
