CyberSecurity SEE

Ransomware Payments Decrease by 8% Amidst 50% Increase in Attacks

Ransomware Landscape Shifts: Fewer Payments Amid Rising Victim Counts

A recent analysis by Chainalysis reveals a significant transformation in the ransomware ecosystem, highlighting a rise in the number of victims while simultaneously reporting a decline in overall revenue generated from ransomware attacks. In stark contrast to previous years, ransomware actors are now extorting larger sums from a smaller pool of victims, indicating a shift in their modus operandi.

In its examination of cryptocurrency payments made to these cybercriminals, Chainalysis reported an 8% year-on-year decline in total ransom payments, bringing the figure to approximately $820 million in 2025. As the year progresses, predictions suggest that this total could “approach or exceed” $900 million, as ongoing events and payments are processed. Despite this potential uptick, the figure still marks the second consecutive year of revenue decline, and it remains considerably lower than the revenues recorded during 2020 and 2021.

In an intriguing twist, the number of ransomware victims surged by 50% in 2025, marking it as the most active year on record for such attacks. This increase in victims is juxtaposed with a dramatic drop in payment rates. In 2024, the payment rate stood at 63%, but it plummeted to an all-time low of just 29% in 2025—an indicator that organizations are increasingly hesitating to give in to demands from cybercriminals.

Chainalysis characterized this trend as a "major win against the ransomware ecosystem," emphasizing that a decrease in victim payments equates to less work for attackers, thereby shifting the economic incentives that drive ransomware schemes. This shift can be attributed to several factors identified in the report:

  1. Improved Incident Response and Regulatory Oversight: Organizations are becoming more adept at handling ransomware incidents, bolstered by increased regulatory scrutiny which discourages payouts to cybercriminals.

  2. Global Action Against Ransomware Operators: Collaborative efforts to combat ransomware infrastructure and laundering networks have hindered the financial flows that sustain these operations.

  3. Cryptographic Weaknesses in Ransomware Strains: Some ransomware variants, such as VolkLocker, possess vulnerabilities that allow victims to recover their data without paying the ransom.

  4. Fragmentation of Ransomware-as-a-Service (RaaS): The landscape is witnessing a fragmentation of RaaS operations, with an explosion of smaller, independent groups—now numbering as many as 85—resulting in disorganized and less effective attacks.

Increasing Costs for Compliant Organizations

Despite the decrease in overall payments, organizations that still succumb to extortion are increasingly finding themselves facing hefty demands. The median ransom payment skyrocketed by 368%, jumping from $12,738 in 2024 to $59,556 in 2025. Enhanced tactics, such as contacting employees and customers of compromised organizations and meticulously analyzing exfiltrated data to issue more targeted threats, have contributed to this escalation in ransom amounts.

Chainalysis also issued a cautionary note emphasizing the opportunistic nature of ransomware actors. They do not confine their attacks to specific sectors at predetermined times. Instead, they remain agile, exploiting exposed services, misconfigurations, and new vulnerabilities as they arise.

The United States remains the country most frequently targeted by ransomware attacks, followed by Canada, Germany, and the United Kingdom, with various parts of Europe also facing similar threats. In these regions, industries such as manufacturing and finance/professional services bore the brunt of cyber intrusions, while Canada and Germany experienced considerable disruptions in their supply, logistics, and critical infrastructure sectors.

Payments directed towards initial access brokers (IABs)—entities facilitating access to organizations for ransomware groups—remained steady at around $14 million, a historically significant figure. The findings further indicated that a complex web of infrastructure, including bulletproof hosting services, residential proxy networks, and malware loaders, is now utilized not only by financially motivated cybercriminals but also by state-backed actors engaged in espionage and influence operations.

As noted in the report, dismantling or sanctioning key infrastructure nodes can have a ripple effect across the entire cybercrime landscape, affecting ransomware affiliates and state-aligned operators alike.

The Chainalysis report underscored a fundamental dynamic in today’s cyber threat environment: infrastructure serves as the strategic epicenter. Disruption of this infrastructure results in increased costs for offenders, ultimately reshaping the landscape of extortion-driven syndicates and politically motivated threat actors alike. Through concerted efforts to thwart ransomware operations, a more unified front emerges against these ever-evolving cyber threats, signaling a potential paradigm shift in the ongoing battle against cybercrime.
