Ransomware payments cratered in 2025, but attacks surged to record highs

Steven

Ransomware payments cratered in 2025, but attacks surged to record highs

Summary

Chainalysis’ 2026 Crypto Crime Report shows on-chain ransomware payments fell to roughly $820m in 2025 (about an 8% drop year-on-year), even as victim counts and leak-site pressure climbed to record levels. The share of victims who paid hit an all-time low of 28%, but median ransom demands jumped from $12,738 in 2024 to $59,556 in 2025. The landscape is fragmenting: established gangs have splintered or rebranded and many smaller, opportunistic groups now drive volume. Meanwhile, a growing initial-access-for-sale market is quietly priming new attacks.

Key Points

  1. On-chain ransomware payments were about $820m in 2025, an ~8% decline versus 2024.
  2. Only 28% of victims ended up paying ransoms in 2025 — the lowest recorded share.
  3. Median ransom demands surged from $12,738 (2024) to $59,556 (2025).
  4. Publicly claimed attacks rose sharply: eCrime.ch reported a 50% YoY increase in claimed victims; Emsisoft recorded over 8,000 organisations named on leak sites.
  5. Old big-name gangs have been disrupted (raids, sanctions, rebrands), and many smaller crews and spin-offs now carry out extortion at scale.
  6. Initial access brokers (IABs) collected at least $14m on-chain in 2025; spikes in IAB payments often precede ransomware activity and leak posts by about 30 days.
  7. Developed economies remain primary targets (US, Canada, Germany, UK, Western Europe) with manufacturing, finance and professional services heavily affected.

Context and Relevance

The report shows ransomware is not shrinking so much as shifting. Fewer payouts do not equal less risk: attackers are increasing demands, the number of incidents is rising, and an active market for buying network access allows many actors to scale attacks quickly. This trend affects CISOs, incident responders and supply-chain teams — preventing access and detecting early signs of compromise are becoming as important as ransom negotiation strategies.

Why should I read this?

Because the headline number (payments down) is misleading. Attacks are up, demands are bigger, and a bustling market for access means more organisations will get hit — possibly ones you work with. We’ve sifted the Chainalysis and Emsisoft figures so you can see the trend fast: it matters to anyone responsible for security or continuity. Don’t snooze on this one.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/27/ransomware_chainalysis/