In an intriguing turn of events, the landscape of ransomware payments is shifting dramatically. While the total number of ransomware incidents reported has surged, with claimed attacks increasing by 50%, the rate at which victims are paying ransoms has plummeted to an all-time low of just 28%. This data comes from the latest annual analysis released by the blockchain research company Chainalysis, shedding light on the evolving dynamics of the ransomware economy.
In 2025, Chainalysis tracked approximately $820 million in payments made to ransomware actors, and they anticipate this figure could rise to $900 million as more incidents and payments come to light. For perspective, payments tracked in 2024 started at $813 million before being revised upward to $892 million, highlighting an upward trend that belies the drop in payment rates.
The marked increase in the number of attacks juxtaposed with the decline in payouts can be attributed to several pivotal factors influencing the ransomware ecosystem. According to Chainalysis, companies are becoming increasingly adept at incident response, bolstered by heightened regulatory scrutiny that discourages ransom payments. This evolving understanding among organizations that paying ransoms often complicates recovery is gaining traction after years of advisories from cybersecurity professionals.
Experts suggest that paying ransoms may not only carry potential legal and regulatory consequences but could also lead to victimization by the same actors again. Cybercriminals often fail to uphold agreements to delete stolen data after payment, leaving paying victims vulnerable to further attacks. As word spreads that certain companies are willing to pay, those firms can become repeated targets for opportunistic criminals.
The disruption of major ransomware gangs by law enforcement has also reshaped the landscape, leading to a fragmented web of smaller, independent operations. Many of these smaller gangs have adopted poor design practices in their malware, sometimes rendering it susceptible to decryption. Consequently, while fewer victims are paying, the median payment size has actually escalated to $59,565, up from $12,738 in 2024, reflecting a strategic shift toward targeting larger organizations.
The year saw several high-profile attacks that left a significant mark on various sectors. For instance, a ransomware attack on Jaguar Land Rover caused over $2.5 billion in economic damage, while businesses like Marks & Spencer and kidney dialysis provider DaVita experienced significant disruptions that impacted lives directly. A ransomware incident involving a major supplier for Whole Foods left stores with empty shelves, underscoring the tangible repercussions of such attacks.
Additional insights from Ontinue’s research corroborate Chainalysis’s findings; ransomware attacks reportedly surged by 132%, even as payments declined by 35% during the second half of 2024 through early 2025. Nathaniel Jones from Darktrace highlighted the rise of ransomware-as-a-service marketplaces, suggesting that cybercriminals no longer need to depend solely on ransom payments, as subscription models are increasingly becoming avenues for revenue generation.
Initial Access
Beyond the direct actions of ransomware actors, Chainalysis has delved into the broader ecosystem of cybercriminals supporting these gangs. They reported approximately $14 million in blockchain payments made to initial access brokers – hackers who gain entry into target systems and sell that access. While this figure has remained stable, Chainalysis anticipates future increases as they refine their tracking methods.
Warnings about the industrialization of the initial access market have emerged as well. Artificial intelligence tools and infostealer logs are making it easier for cybercriminals to offer specific access to large organizations at increasingly competitive prices. According to data from Darkweb IQ, the average price for victim access fell significantly, from around $1,400 in 2023 to $439 by 2026, indicating an oversupply in the market.
Moreover, law enforcement efforts have shown promise in curtailing ransomware activities. Significant operations, like Europol’s Operation Endgame, have focused on dismantling the infrastructures supporting ransomware attacks. In May 2025, several countries arrested key operatives behind prominent malware families and seized vital infrastructures, aiming to disrupt the continuous cycle of cybercrime.
As various law enforcement entities, including U.S. and European agencies, target the infrastructure that supports ransomware operations, successes in prosecuting those running bulletproof hosting services highlight the significant strides being made in combating cybercrime. Individuals linked to these services have faced severe repercussions, including lengthy prison sentences.
While these breakthroughs are encouraging, Chainalysis cautions that the sheer scale and sophistication of ransomware attacks continue to expand. The report emphasizes that the ransomware landscape in 2025 is more a tale of disruption than retreat, with excised extortion tactics evolving to extract value and create damage that transcends traditional payment channels.
Recorded Future
Intelligence Cloud.