Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn’t get the memo.
That’s the headline from Chainalysis’ 2026 Crypto Crime Report, which shows total on-chain ransomware payments falling for a second straight year, even as victim counts and leak site pressure continue to climb.
Ransomware gangs pulled in about $820 million in 2025, roughly 8 percent less than the year before, as the share of victims paying dropped to an all-time low of 28 percent. That drop might sound like progress if the wider picture weren’t so bleak: the median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, and the number of publicly claimed attacks climbed along with it.
“Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50 percent YoY increase in claimed ransomware victims, marking the most active year on record,” Chainalysis said.
2025 delivered plenty of high-profile examples of this “most active” year. Jaguar Land Rover suffered what’s been described as the costliest cyber incident in UK history, and Marks & Spencer endured prolonged operational disruption after a Scattered Spider-linked breach that wiped hundreds of millions off its market value.
While 2025 had its share of mega-breaches, the real story is volume. Smaller, opportunistic groups are behind a growing share of extortion attempts, even as the old guard – LockBit, BlackCat, and friends – have been raided, sanctioned, arrested, or simply popped back up under new logos. What’s left is a crowded field of spin-offs and opportunists taking their chances, and plenty of these incidents never show up as a clean, traceable crypto payout on a blockchain explorer.
Security firm Emsisoft’s 2025 ransomware data reinforces that picture. More than 8,000 organizations were publicly named on leak sites last year – a sharp jump from previous years.
Developed economies are still squarely in the crosshairs. The United States leads the pack yet again, followed by Canada, Germany, the UK, and the rest of Western Europe. Manufacturing, financial, and professional services took plenty of hits, and in Canada and Germany, attackers showed a particular appetite for supply chains, logistics networks, and critical infrastructure. In the US, every major sector – including government and critical infrastructure – saw year-over-year increases in the number of claimed victims.
Chainalysis’s report also offered a glimpse behind the scenes, where ransomware now looks less like a single criminal enterprise and more like a supply chain.
Initial access brokers (IABs) – the middlemen selling ready-made footholds into corporate networks – received at least $14 million in on-chain payments in 2025. That’s small compared to ransomware’s $820 million haul, but Chainalysis found that spikes in IAB payments often precede increases in ransomware payments and US victim leak posts by roughly 30 days. Access gets bought, and a few weeks later, someone’s name appears on a leak site.
The Chainalysis report suggests that ransomware isn’t shrinking so much as shifting, with fewer victims paying but more organizations getting hit, higher demands, and a thriving access-for-sale marketplace quietly teeing up the next wave of leak-site disclosures. ®