The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks.
A downward payment trend has been observed for the past four consecutive years by the blockchain intelligence platform Chainalysis.
At the moment, the total of on-chain ransomware payments in 2025 stands at $820 million, but the company notes that “the 2025 total is likely to approach or exceed $900 million as we attribute more events and payments.”
Chainalysis reports a relative stability in the total number of payments, despite a 50% increase of ransomware attacks year-over-year.
In 2024, the payment rate recorded by Chainalysis was more than double, at 62.8%, while in 2022, it was at 78.9%.
Source: Chainalysis
Data from Chainalysis also aligns with previous reports by Coveware, which showed a steady decline in victim payment rates throughout 2025.
According to the blockchain company, some of the factors that influenced the ransomware economy include improved incident response, regulatory scrutiny, international law enforcement actions, and market fragmentation.
Current Chainalysis data shows that while aggregate revenue from ransomware activity declined, the median ransom payment rose significantly, up 368% from $12,738 in 2024 to $59,556 in 2025.
This indicates that ransomware victims pay larger amounts for the hope that cybercriminals will delete the stolen data and not sell it to other threat actors or trade it.
Source: Chainalysis
In 2025, the analysts observed 85 active extortion groups, far higher compared to previous years, when the ransomware space was dominated by a small number of threat groups and RaaS platforms.
A few high-impact incidents Chainalysis highlights in its report include the attack at Jaguar Land Rover, which inflicted an estimated $2.5 billion in damages, the Marks & Spencer breach by the Scattered Spider threat group, and the DaVita Inc. ransomware breach that exposed 2.7 million patient records.
For another year, the most targeted country was the United States, followed by Canada, Germany, and the U.K., showing threat actors’ preference for concentrating their efforts in developed economies.
Source: Chainalysis
Initial access brokers (IABs), hackers who sell access to compromised endpoints to ransomware operators, reportedly made $14 million in 2025, roughly the same as last year. This is only 1.7% of the total ransomware revenue last year, though initial access is a key enabler.
Analysis shows that spikes in IAB payment inflows are followed by increases in ransomware payments and victim leak posts roughly 30 days later, suggesting IAB activity can act as a leading indicator.
The average price for network access declined from approximately $1,427 in Q1 2023 to just $439 in Q1 2026, indicating that automation, AI-assisted tooling, and oversupply from info-stealer logs have shaped the industry.
Chainalysis says that although ransom payments declined last year, the scale, sophistication, and real-world impact of ransomware attacks continued to grow, impacting organizations of all sizes and backgrounds globally.
The researchers believe ransomware is going through a phase of adaptation, rather than losing the fight, evolving tactics to extract more value from an ever-decreasing number of consenting victims.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
