Ransomware groups collected about $820 million in on-chain payments in 2025, down from $892 million in 2024, according to a report by Chainalysis.
This marks the second straight year of flat or declining totals, even as the number of reported attacks climbed sharply.
Source: Chainalysis
According to eCrime.ch, the number of ransomware victims increased by 50% year over year, making 2025 the busiest year ever. However, only 28% of the victims actually paid the ransom, which is one of the lowest rates recorded.
Source: Chainalysis
This indicates a significant level of resistance, with improved backups, improved security solutions, stricter policies, and worldwide crackdowns that have reduced payments to ransomware gangs.
According to Corsin Camichel, the founder of eCrime.ch, the target is now small and medium-sized enterprises. The logic is simple: smaller companies might pay sooner.
However, the total payments are still going down, which means that attackers have to work harder for less money.
At the same time, the ransomware landscape has diversified. Rather than a handful of large gangs, there were as many as 85 active extortion gangs in 2025.
Also Read: Indiana Plans to Unlock Crypto Access for Public Pension Funds
Median Ransom Payments Jump 368% Despite Revenue Dip
Despite the overall revenue decline, the median ransom payment increased by 368%, from $12,738 in 2024 to $59,556 in 2025. The incident response companies reported that in some quarters, the average payments had more than doubled.
Source: Chainalysis
There were several high-profile events throughout the year. A cyberattack on Jaguar Land Rover brought production to a halt in many parts of the world and resulted in economic losses of around £1.9 billion.
The retailer Marks & Spencer was disrupted for a long time following an attack attributed to the Scattered Spider hacking group, which erased hundreds of millions of market value.
The healthcare industry remained vulnerable. DaVita Inc. disclosed a breach that impacted close to 2.7 million patients’ records.
On the other hand, the Cl0p gang exploited a zero-day vulnerability in the Oracle E-Business Suite. This impacted hundreds of companies.
The United States was the most targeted country, followed by Canada, Germany, and the UK. There were increased attacks on manufacturing, finance, logistics, and critical infrastructure.
Initial Access Brokers Fuel Crypto-Paid Network Breaches
Ransomware has become a service economy. Initial Access Brokers (IABs) have been selling access to networks to their affiliates. In 2025, IABs received a minimum of $14 million in crypto payments.
Source: Chainalysis
This is a small fraction of the total ransom payments, but it illustrates the impact of selling access to larger attacks. Darkweb IQ discovered that the cost of victim access has decreased from $1,427 in early 2023 to $439 in early 2026.
Source: Chainalysis
This is due to automation and AI tools that have saturated the market with lower-priced access, but the best enterprise access is still more expensive.
Also Read: Crypto Surge Strengthens Turkey’s Global Leadership, Ripple Executive Says