Ransomware actors are now demanding larger payments from a smaller pool of victims, despite the number of victims increasing significantly. According to an analysis by Chainalysis, overall revenues from ransomware have fallen, even as the number of incidents rises.
The blockchain analytics firm reported that cryptocurrency payments to threat actors decreased by 8% year-on-year, reaching $820 million in 2025. While this figure may eventually rise to around $900 million as more events and payments are processed, it still marks the second consecutive year of decline and remains lower than the revenues seen in 2020 and 2021.
In 2025, the number of ransomware victims surged by 50% year-on-year, making it the most active year on record. This spike in victims coincided with a dramatic drop in payment rates, which fell from 63% in 2024 to just 29% last year the lowest rate ever recorded.
“This overall trend is a major win against the ransomware ecosystem,” Chainalysis noted in its report. “Fewer victim payments mean more work for less for attackers, an important step in shifting the economic incentives.”
The analysis highlighted four notable trends:
- Fewer victims are paying ransoms, thanks to enhanced incident response and increased regulatory scrutiny.
- Global actions against ransomware operators and laundering networks have limited revenue flows.
- Some ransomware strains, such as VolkLocker, exhibit cryptographic weaknesses, allowing for free decryption in certain cases.
- A significant fragmentation in ransomware-as-a-service operations has led to a rise in smaller, independent groups, which may number as many as 85 today.
Increasing Costs of Compliance
Organizations that succumb to extortion in this evolving landscape may face higher costs. The median ransom payment saw a staggering increase of 368%, rising from $12,738 in 2024 to $59,556 in 2025.
Chainalysis pointed out that tactics such as reaching out to employees and customers of targeted organizations, as well as analyzing exfiltrated data for more personalized threats, are driving up ransom amounts.
“Ransomware actors remain highly opportunistic,” the report cautioned. “They do not consistently favor a specific sector at a given time of year. Instead, they exploit exposed services and misconfigurations as they arise, capitalizing on newly disclosed vulnerabilities.”
The United States emerged as the most targeted country last year, followed by Canada, Germany, the UK, and other European nations. The manufacturing and finance sectors were hit hardest, while Canada and Germany experienced significant compromises in supply chains, logistics, and critical infrastructure.
Payments to initial access brokers remained stable at $14 million, maintaining a historically high level. The report also indicated that various infrastructures, including bulletproof hosting and malware loaders, are now utilized by financially motivated cybercriminals as well as state-linked actors engaging in espionage and influence operations.
“Dismantling or sanctioning infrastructure nodes can generate cascading effects across ransomware affiliates, scammers, and state-aligned operators simultaneously,” the report emphasized.
“This convergence reinforces a core dynamic of the modern cyber-threat landscape: infrastructure is the strategic center of gravity. Disrupting it raises costs across the entire ecosystem from extortion-driven syndicates to geopolitically motivated threat actors.”
