Ransomware payments fell 8% in 2025 to $820 million, but attacks hit record highs with a 50% year-over-year increase in victims. Smaller groups are flooding the market as established gangs splinter, creating a crowded field of opportunistic attackers.
Ransomware payments dropped by 8% in 2025 to approximately $820 million, marking the second consecutive year of decline, according to Chainalysis' 2026 Crypto Crime Report. However, this apparent progress masks a troubling reality: ransomware attacks surged to record levels, with claimed victims increasing by 50% year-over-year, making 2025 the most active year on record for cyber extortion.
The payment paradox
The decline in actual payments comes as victims become increasingly reluctant to pay ransoms, with the share of victims paying dropping to an all-time low of 28%. This shift in victim behavior has forced attackers to adapt their tactics. While fewer organizations are capitulating to demands, those that do face significantly higher costs. The median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, representing a nearly fivefold increase.
This payment resistance has created a new dynamic in the ransomware ecosystem. Attackers are casting wider nets, hoping that even if a smaller percentage of victims pay, the higher individual demands will compensate for the reduced success rate.
High-profile incidents underscore the threat
2025 saw several devastating ransomware incidents that highlighted the ongoing threat. Jaguar Land Rover suffered what's been described as the UK's costliest cyber incident, while Marks & Spencer endured prolonged operational disruption after a Scattered Spider-linked breach that wiped hundreds of millions off its market value.
These high-profile cases represent just the tip of the iceberg. Security firm Emsisoft's data shows that more than 8,000 organizations were publicly named on ransomware leak sites in 2025, a sharp increase from previous years. The true number of victims is likely much higher, as many incidents go unreported or undetected.
The rise of opportunistic attackers
The ransomware landscape has fundamentally changed. While established groups like LockBit and BlackCat have faced law enforcement pressure through raids, sanctions, and arrests, they've often reemerged under new branding. This disruption has created space for a new generation of attackers.
Smaller, opportunistic groups now account for a growing share of extortion attempts. These less sophisticated actors are flooding the market with attacks, creating a crowded field of spin-offs and newcomers willing to take their chances. Many of these incidents never result in clean, traceable crypto payments, making them harder to track and combat.
Geographic and sectoral targeting patterns
Developed economies remain squarely in the crosshairs of ransomware attackers. The United States leads the pack in victim counts, followed by Canada, Germany, the United Kingdom, and other Western European nations. The targeting patterns reveal interesting regional variations.
In Canada and Germany, attackers showed particular interest in supply chains, logistics networks, and critical infrastructure. Meanwhile, in the United States, every major sector saw year-over-year increases in claimed victims, including government and critical infrastructure organizations.
Manufacturing, financial services, and professional services sectors took heavy hits across all targeted regions. The broad-based nature of the attacks suggests that no industry is immune from the threat.
The ransomware supply chain
Chainalysis' report offers a revealing look at the infrastructure supporting modern ransomware operations. The ecosystem has evolved into something resembling a legitimate supply chain, with specialized roles and services.
Initial access brokers (IABs) have emerged as crucial middlemen in this ecosystem. These actors sell ready-made footholds into corporate networks to ransomware operators. In 2025, IABs received at least $14 million in on-chain payments – a relatively small amount compared to the $820 million in ransomware payments, but significant in its implications.
What's particularly revealing is the timing relationship between IAB activity and subsequent ransomware attacks. Chainalysis found that spikes in IAB payments often precede increases in ransomware payments and US victim leak posts by roughly 30 days. This suggests a predictable pipeline: access gets purchased, and a few weeks later, victim organizations appear on leak sites.
The shifting nature of the threat
The data paints a picture of ransomware that isn't shrinking so much as transforming. The traditional model of fewer, more sophisticated attacks with higher payment success rates has given way to a volume-based approach. More organizations are getting hit, fewer are paying, but the overall impact on businesses and economies remains severe.
This evolution presents new challenges for defenders. The proliferation of smaller, less sophisticated groups means that ransomware capabilities are more widely distributed than ever before. Organizations that might have previously been considered too small or too well-protected to be targeted now find themselves in the crosshairs.
The thriving access-for-sale marketplace quietly tees up the next wave of attacks, creating a persistent threat that's difficult to eliminate. As long as there's demand for network access and willingness to pay for it, the ransomware ecosystem will continue to evolve and adapt.

The ransomware landscape of 2025 represents a fundamental shift in how cyber extortion operates. While the headline figure of declining payments might suggest progress, the underlying data reveals a more complex and persistent threat that continues to evolve in response to both victim resistance and law enforcement pressure.
