Ransomware payments dropped in 2025 as attack numbers reached record levels: Chainalysis

The number of ransomware victims paying up to unlock systems is falling significantly even as the total number of incidents increases.

Blockchain research company Chainalysis released its annual analysis of the ransomware economy on Thursday, finding that while claimed attacks grew by 50%, victim payment rates dropped to a record low of 28%.

Chainalysis tracked about $820 million in payments to ransomware actors in 2025 but noted the figure is expected to rise to $900 million as they attribute more incidents and payments to ransomware gangs. In 2024, the figure was initially tracked as $813 million and eventually grew to $892 million as more payments were discovered. 

The company’s researchers attributed the stark increase in attacks and slowdown in payments to several factors impacting the ransomware ecosystem. 

Companies are getting better at incident response, they said, and regulatory scrutiny has increased to the point where payouts are now heavily discouraged.

Several outside experts told Recorded Future News that after years of preaching from the cybersecurity industry, companies are now finally understanding that paying ransoms rarely bodes well for victims. In addition to the potential legal and regulatory ramifications, cybercriminals often do not honor agreements to delete stolen data. Victims who pay ransoms are also more likely to be attacked again as threat actors now know they will pay. 

Chainalysis also said the law enforcement disruption of several major ransomware gangs has scattered the ecosystem and created a decentralized web of smaller, independent operations — many of which use poorly designed malware that can be resolved with decryptors. 

Despite the decrease in overall payments, Chainalysis noted that the median payment size increased to $59,565, up from $12,738 in 2024, as more gangs focus their efforts on larger victims. 

The report noted that last year saw several massive, sector-defining attacks that had devastating economic impacts. 

The ransomware attack on Jaguar Land Rover inflicted more than $2.5 billion in economic damage while attacks on multinational retailer Marks & Spencer and kidney dialysis company DaVita had significant real-world impact on people’s lives. A ransomware incident involving one of the largest suppliers to Whole Foods left some stores with empty shelves for days. 

The data from Chainalysis is backed up by reports from several other companies. Researchers at Ontinue found that ransomware attacks surged 132% despite a 35% drop in the number of payments in the second half of 2024 and the first quarter of 2025. 

Darktrace’s Nathaniel Jones said the growth of ransomware-as-a-service marketplaces diversifies opportunities for threat actors who no longer need to extract ransom payments to see profit because they are able to use subscription models to generate revenue for their ransomware development and deployment. 

In addition to ransomware actors themselves, Chainalysis tracked the ecosystem of cybercriminals supporting the gangs and the infrastructure that enables their attacks. 

Chainalysis saw about $14 million worth of blockchain payments made to initial access brokers — hackers that gain a foothold into companies and sell that access to the highest bidder. That figure is the same as in previous years but Chainalysis expects it to increase as they attribute more blockchain-based accounts to known actors. 

But the company warned that initial access is increasingly being industrialized through artificial intelligence and infostealer logs offering specific account access to many large companies. The report cited data from the cybercrime prevention firm Darkweb IQ that said the average price for victim access fell from about $1,400 to $439 between 2023 and 2026. 

Darkweb IQ said there is now an “oversupply of cheap but operationally constrained inventory that floods the market and depresses pricing.”

The report touted several successful law enforcement operations that helped limit ransomware activity in 2025, including the long-running Operation Endgame organized by Europol, the FBI and several other countries. 

The operation has targeted the cybercriminals and hackers that create malware used as precursors to ransomware attacks as well as the services that enable data theft and more. In May 2025, several nations arrested leaders of key malware families and seized infrastructure. 

The U.S. and European law enforcement agencies also sanctioned or indicted the people behind several bulletproof hosting providers and laundering services used by ransomware gangs, including AEZA Group, Media Land, Zservers, Lolek Hosted, and others. Several people have been sentenced to years in prison for their roles running the services.

While Chainalysis lauded such successes, they noted that the “scale, sophistication, and strategic impact of attacks continued to expand.”

“In this context, the ransomware landscape in 2025 is best characterized by adaptation rather than retreat: extortion tactics continue to evolve, enabling actors to extract value and damage beyond traditional payment streams,” they said. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
