Ransomware payments dropped in 2025 as attack numbers reached record levels: Chainalysis

Steven

Ransomware payments dropped in 2025 as attack numbers reached record levels: Chainalysis

Summary

Chainalysis’s 2025 ransomware report finds a striking divergence: claimed ransomware incidents climbed ~50% while the share of victims who paid fell to a record low of 28%. The firm tracked about $820m in payments for 2025 (expected to rise toward $900m as more payments are attributed), even as median payments jumped sharply to $59,565. The ecosystem is fragmenting — law enforcement pressure, better corporate response and growing regulatory risk are reducing payouts, but attacks are more numerous and often more damaging.

Content summary

Chainalysis reports a big rise in reported ransomware attacks in 2025, yet fewer victims are paying. They tracked roughly $820m in blockchain payments to ransomware actors in 2025, noting that number will likely increase as further payments are attributed — mirroring how 2024’s tracked total later rose as more payments were discovered.

Researchers point to several reasons for the fall in payment rates: improved corporate incident response, stronger regulatory scrutiny that discourages payouts, and growing awareness that paying often leads to repeated targeting or no data deletion by criminals. Law enforcement disruptions of major gangs have fragmented the market into smaller operators, many using poor-quality malware that can be mitigated with available decryptors.

Despite fewer payments overall, the median ransom rose substantially (to about $59,565 from $12,738 in 2024), indicating attackers are increasingly targeting larger victims. Sector-defining incidents in 2025 — such as the Jaguar Land Rover attack causing billions in economic damage and disruptions to retailers and healthcare providers — showed real-world harm beyond immediate ransom dollars.

Chainalysis also tracked roughly $14m paid to initial access brokers and warned that initial access is being industrialised via AI and infostealer log markets; average prices for access reportedly fell from about $1,400 to $439 as oversupply flooded the market. The report highlights major law enforcement successes (eg. Operation Endgame) and sanctions against infrastructure providers, but stresses that adversaries are adapting their extortion strategies beyond straightforward ransom demands.

Key Points

  • Claimed ransomware attacks rose about 50% in 2025 while victim payment rates dropped to a record low of 28%.
  • Chainalysis tracked roughly $820m in ransomware payments for 2025; this may be revised upward toward $900m as more payments are attributed.
  • Median ransom payments surged to approximately $59,565, signalling attackers increasingly focus on larger victims.
  • Improved incident response, regulatory pressure and the risk of repeat attacks have reduced the proportion of victims who pay.
  • Law enforcement takedowns fragmented major gangs into smaller operators; many use lower-quality malware that can be countered with decryptors.
  • Initial access brokers remain profitable (around $14m tracked), but average prices for access have fallen due to oversupply and industrialisation using AI.
  • High-impact incidents in 2025 produced severe economic and public-service disruptions, underlining that societal damage extends beyond ransom figures.
  • Ransomware monetisation is evolving (eg. ransomware-as-a-service subscriptions), meaning criminal revenue streams are diversifying beyond immediate ransom payments.

Context and Relevance

This report matters to CISOs, incident responders, boards, insurers and policymakers. It shows that while paying ransoms is becoming less common — thanks to tougher regulation, better response and greater awareness — attackers keep adapting: they target bigger victims, diversify revenue models and exploit cheaper, commoditised access. That combination raises systemic risk even if aggregate payment totals dip temporarily.

For security teams, the takeaway is twofold: maintain and improve detection/response capabilities to avoid paying, and prepare for high-impact incidents that can cause major operational and economic harm even when ransom payments fall.

Why should I read this

Because this piece explains the weird new normal: more attacks but fewer pay-outs — and why that doesn’t mean the problem’s gone. If you’re responsible for risk, budgets or uptime, this saves you time by boiling down where the threat is moving (bigger targets, cheaper access markets, more fractured gangs) and what actually reduces harm (better response, legal risks of paying, law enforcement pressure).

Source

Source: https://therecord.media/ransomware-payments-chainalysis-cybercrime