Ransomware payment rate drops to record low as attacks surge

Security Reporter

Despite a 50% increase in ransomware attacks, victim payment rates have plummeted to an all-time low of 28% in 2025, while the median ransom payment has skyrocketed by 368%.

The ransomware landscape has reached a critical inflection point, with victim payment rates hitting an all-time low of 28% in 2025, despite a significant surge in attack volume. This dramatic shift represents a fundamental change in how organizations are responding to extortion attempts, according to new data from blockchain intelligence firm Chainalysis.

The payment paradox

The numbers tell a compelling story of adaptation and resilience. While ransomware attacks increased by 50% year-over-year, the total on-chain ransomware payments for 2025 stand at $820 million, with projections suggesting the final total could approach or exceed $900 million. The 28% payment rate stands in stark contrast to 2024, when the rate was 62.8%, and 2022, when it reached 78.9%.

The data reveals a fascinating paradox: fewer victims are paying, but those who do are paying substantially more. The median ransom payment jumped 368% from $12,738 in 2024 to $59,556 in 2025. This suggests that organizations are becoming more selective about which demands they choose to pay, focusing their resources on the most critical incidents where data recovery is essential.

[Figure: Data leak events (bars) and payment rate (line)]

Why victims are saying no

Several converging factors have contributed to this dramatic decline in payment rates. Improved incident response capabilities have given organizations better tools to recover from attacks without paying ransoms. Many companies have invested in robust backup systems and disaster recovery plans that allow them to restore operations even when faced with encryption.

Regulatory scrutiny has also played a crucial role. With increasing requirements to report cyber incidents and potential penalties for paying ransoms that may fund criminal organizations, many companies are finding that the legal and reputational risks of payment outweigh the benefits.

International law enforcement actions have disrupted major ransomware operations, creating uncertainty about whether paying will actually result in data recovery. The dismantling of several high-profile ransomware groups has made victims more skeptical of threat actors' promises.

The evolving ransomware economy

Despite the decline in payment rates, the ransomware ecosystem has shown remarkable resilience and adaptation. Chainalysis identified 85 active extortion groups in 2025, a significant increase from previous years when the space was dominated by a handful of major players and ransomware-as-a-service platforms.

This fragmentation suggests that while individual groups may be earning less, the overall ecosystem remains robust. The median payment increase indicates that ransomware operators are targeting higher-value victims and demanding larger ransoms, betting that organizations with more critical data will be willing to pay premium prices.

High-profile incidents underscore the threat

Several major incidents in 2025 demonstrate that ransomware remains a significant threat despite the declining payment rates. The attack on Jaguar Land Rover inflicted an estimated $2.5 billion in damages, while the Scattered Spider group's breach of Marks & Spencer and the DaVita Inc. incident that exposed 2.7 million patient records highlight the ongoing risks to major corporations and healthcare providers.

The geographic distribution of attacks remains consistent, with the United States continuing to be the most targeted country, followed by Canada, Germany, and the United Kingdom. This concentration in developed economies reflects the higher potential payouts and greater reliance on digital infrastructure in these regions.

The initial access market shifts

An interesting development in the ransomware supply chain involves initial access brokers (IABs), who sell compromised network access to ransomware operators. These brokers reportedly made $14 million in 2025, roughly the same as the previous year, representing only 1.7% of total ransomware revenue.

However, the average price for network access has declined dramatically, from approximately $1,427 in Q1 2023 to just $439 in Q1 2026. This price drop suggests increased competition among IABs, greater automation in compromise techniques, and an oversupply of access from info-stealer logs.

Chainalysis analysis reveals that spikes in IAB payment inflows are typically followed by increases in ransomware payments and victim leak posts roughly 30 days later, suggesting that IAB activity can serve as a leading indicator for ransomware campaigns.

Adaptation, not defeat

The data suggests that ransomware is evolving rather than disappearing. While payment rates have declined, the sophistication and real-world impact of attacks continue to grow. Organizations of all sizes and backgrounds globally remain vulnerable to increasingly complex extortion schemes.

Ransomware operators appear to be adapting their tactics to extract more value from a shrinking pool of paying victims. This may include focusing on data theft and extortion rather than encryption, targeting specific industries with critical data, or developing more sophisticated negotiation strategies.

What this means for defenders

The declining payment rate represents a significant victory for cybersecurity efforts, but it shouldn't lead to complacency. Organizations must continue to invest in prevention, detection, and response capabilities. The fact that attacks continue to increase despite lower payment rates suggests that many threat actors are motivated by factors beyond immediate financial gain, including espionage, disruption, or long-term access to valuable networks.

For businesses, the message is clear: preparation and resilience are more important than ever. With fewer organizations paying ransoms, those that remain vulnerable become even more attractive targets. The ransomware ecosystem may be changing, but the threat remains very real.

The evolution of ransomware from a volume-based to a value-based extortion model represents a significant shift in the cyber threat landscape. As organizations become more resistant to payment demands, attackers are forced to become more sophisticated, potentially leading to even more dangerous and targeted campaigns in the future.
