Ransomware attacks jumped sharply in 2025, rising by about 50 % compared with the previous year, according to new blockchain-security data. The increase came amid shifting attacker tactics, declining ransom payments, and a more fragmented cybercriminal landscape. Experts say the evolving ransomware economy reflects a mix of attacker adaptation, improved defenses, and increased law enforcement scrutiny.
Despite the surge in incidents, total ransomware payments declined slightly, signaling a disconnect between attack frequency and financial success for criminals. The trend highlights the complex and changing nature of digital extortion, with implications for cybersecurity strategies worldwide.
Record High Incidents, But Lower Aggregate Revenues
Blockchain analytics firm Chainalysis reported that nearly 8,000 ransomware “leak events” or claimed attacks were logged in 2025, a roughly 50 % year-over-year increase. This marks the most active year on record for ransomware incidents.
However, total on-chain ransom payments fell about 8 %, to approximately $820 million in 2025 – the second straight year of decline. Chainalysis noted that this figure may eventually rise to around $900 million as more payments are attributed to known attacks.
The gap between rising attacks and stagnant or declining revenue reflects changing victim responses and enhanced cybersecurity practices. Many organizations are choosing not to pay extortion demands, and regulatory pressure in some jurisdictions explicitly discourages ransom payments.
Smaller Targets, Bigger Median Payments
As high-profile ransom payouts became less common, attackers shifted tactics. Instead of focusing mainly on large corporations, threat actors increasingly targeted small and medium-sized enterprises (SMEs). Experts say this is partly because smaller organizations are more numerous and may lack robust defenses, making them easier and quicker to extort.
This shift is reflected in the median ransom payment, which soared by around 368 % in 2025, rising from roughly $12,700 in 2024 to nearly $60,000 in 2025. Chainalysis analysts attribute this surge to a small number of larger payouts rather than a wholesale return to “big-game hunting” tactics of the past.
Despite this, the payment rate dropped sharply, with only about 28 % of victims agreeing to pay a ransom, a record low. In previous years, a significantly higher share of victims paid extortion demands.
Fragmented Ecosystem and New Attack Patterns
Chainalysis highlighted a broader structural shift in the ransomware economy. In past years, a few major ransomware-as-a-service (RaaS) groups dominated the landscape. In 2025, however, the ecosystem became more decentralized, with up to 85 active extortion groups documented.
This fragmentation has made tracking and attribution more difficult, complicating coordinated defense efforts. Smaller groups often use less sophisticated tools and malware strains that can sometimes be decrypted by victims without paying ransoms.
At the same time, the lower overall “access price” – the cost to purchase initial entry into victims’ networks on cybercrime markets – has dropped significantly, making it easier for less experienced actors to enter the ransomware space.
Security researchers have also observed that ransomware groups are increasingly leveraging AI-assisted tooling and automated attack pipelines, lowering barriers to entry and increasing the volume of attempted breaches.
Initial Access Brokers: A Key Enabler
Underpinning ransomware operations is the growth of the broader cybercrime supply chain, including Initial Access Brokers (IABs) – intermediaries who sell footholds into compromised systems to ransomware affiliates.
In 2025, IABs received at least $14 million in on-chain payments, according to Chainalysis. While modest compared to overall ransomware haul, these payments play a critical enabling role, particularly as ransomware gangs fragment and adopt outsourced access models.
Analysis indicates that spikes in IAB inflows often precede increases in ransomware payouts and publicized leaks by roughly 30 days, making such activity a potential early warning signal in the ransomware economy.
High-Profile Incidents and Industry Impact
Although smaller victims dominate numerically, ransomware continues to inflict significant financial and operational damage on larger targets.
In late 2025, a high-impact ransomware attack on Jaguar Land Rover was linked to billions of dollars in economic losses due to halted production and supply chain disruptions. Instances affecting multinational retailers, healthcare providers, and supply chain partners also underscored the continued strategic risk ransomware poses across sectors.
Healthcare providers, in particular, have faced dual pressures from ransomware: encrypted systems and potential data exposure. One such breach resulted in the compromise of nearly 2.7 million patient records, highlighting the human cost beyond dollars.
Regional Targets and Global Patterns
The United States remained the top target for ransomware attacks in 2025, followed by Canada, Germany, and the United Kingdom, according to multiple research sources. This concentration reflects both the size of these economies and the potential payoff perceived by attackers.
Emerging markets and developed nations alike are vulnerable, with attack vectors ranging from phishing and compromised credentials to supply chain and software vulnerabilities – a trend tracked by cybersecurity firms throughout the year.
Advanced ransomware groups, including Russian-linked outfits like Qilin, continued to operate globally, often claiming responsibility for campaigns in multiple countries.
What’s Driving the Divergence Between Attacks and Payments?
Analysts point to several factors behind the split between rising attack claims and falling ransom payments:
-
Improved incident response: Many organizations now deploy quicker, more effective mitigation measures that reduce the need to pay.
-
Regulatory and legal pressure: Some jurisdictions discourage ransom payments due to compliance, insurance, and legal ramifications.
-
Enforcement actions: International law enforcement operations targeting infrastructure and money-laundering networks have constrained criminal revenue channels.
-
Technical defenses: In occasional cases, defenders have been able to disrupt or decrypt ransomware strains, reducing extortion leverage.
The result is a ransomware landscape where threat actors are working harder for diminishing returns, a dynamic cyber analysts describe as a pivotal shift in the ransomware economy.
The Road Ahead: Adaptation and Resilience
The data from 2025 paints a complex picture. Ransomware remains prolific, but key metrics suggest gradual erosion of criminal leverage. As organizations continue to strengthen defenses and regulators enhance scrutiny, attackers may shift toward more targeted, high-value extortion attempts rather than broad, indiscriminate campaigns.
Cybersecurity experts emphasize the importance of proactive measures – including employee training, robust backup protocols, network segmentation, and incident response readiness – as ransomware tactics continue to adapt in volume and sophistication.
While total ransom revenues fell modestly, the increased frequency of extortion attempts, larger median ransom demands, and expanding ecosystem of threat groups underscore that ransomware is far from a fading threat. For defenders and policymakers alike, the challenge in 2026 will be to deepen cooperation, improve resilience, and continuously adapt in the face of an evolving ransomware economy.
