Ransomware Payments Plummet to Record Low as Attacks Surge—But Costs Skyrocket for Victims

In a stunning twist in the world of cybercrime, ransomware payments have plummeted to their lowest level ever, even as attacks skyrocket. According to a new report from blockchain intelligence firm Chainalysis, only 28% of ransomware victims paid up in 2025—a dramatic drop from 62.8% in 2024 and 78.9% in 2022. This marks the fourth consecutive year of declining payment rates, signaling a seismic shift in how organizations are responding to these digital shakedowns.

But don’t let the numbers fool you—while fewer victims are paying, the stakes have never been higher. The total on-chain ransomware payments for 2025 reached $820 million, with Chainalysis predicting the final tally could approach or even exceed $900 million as more incidents are attributed. And here’s the kicker: the median ransom payment skyrocketed by 368%, from $12,738 in 2024 to a staggering $59,556 in 2025. Why? Victims are betting big that paying up will ensure their stolen data is deleted and not sold to other bad actors or traded on the dark web.

The Ransomware Landscape: More Attacks, Fewer Payers

The data reveals a paradox: while the number of ransomware attacks increased by 50% year-over-year, the number of payments remained relatively stable. This suggests that organizations are getting smarter about how they handle these incidents. Improved incident response strategies, stricter regulatory scrutiny, and aggressive international law enforcement actions are all contributing to this downward payment trend.

But it’s not just about better defenses. The ransomware ecosystem itself is evolving. In 2025, Chainalysis tracked 85 active extortion groups—a significant jump compared to previous years when a handful of dominant threat groups and ransomware-as-a-service (RaaS) platforms ruled the roost. This fragmentation has made it harder for attackers to maintain their grip on the market, but it’s also led to more sophisticated and targeted attacks.

High-Profile Breaches: The Cost of Doing Business

Some of the most notable ransomware incidents of 2025 include the attack on Jaguar Land Rover, which inflicted an estimated $2.5 billion in damages, the Marks & Spencer breach by the Scattered Spider threat group, and the DaVita Inc. ransomware breach that exposed 2.7 million patient records. These high-profile cases underscore the growing sophistication and real-world impact of ransomware attacks, which now target organizations of all sizes and industries.

The United States remains the top target, followed by Canada, Germany, and the U.K. This concentration of attacks in developed economies reflects the attackers’ preference for high-value targets with deep pockets and critical infrastructure.

The Role of Initial Access Brokers: A Lucrative Side Hustle

Initial access brokers (IABs)—hackers who sell access to compromised systems to ransomware operators—made $14 million in 2025, roughly the same as the previous year. While this represents just 1.7% of total ransomware revenue, it’s a crucial enabler of these attacks. Chainalysis found that spikes in IAB payment inflows are often followed by increases in ransomware payments and victim leak posts about 30 days later, making IAB activity a potential leading indicator of future attacks.

Interestingly, the average price for network access dropped from $1,427 in Q1 2023 to just $439 in Q1 2025. This decline is attributed to the rise of automation, AI-assisted tooling, and an oversupply of info-stealer logs, which have made it easier for attackers to gain initial access at a lower cost.

The Future of Ransomware: Adaptation, Not Defeat

Despite the decline in ransom payments, Chainalysis warns that ransomware is far from defeated. Instead, it’s evolving. Attackers are adapting their tactics to extract more value from a shrinking pool of victims, focusing on higher ransom demands and more targeted, damaging attacks. The scale, sophistication, and real-world impact of ransomware continue to grow, posing a significant threat to organizations worldwide.

As ransomware enters this new phase of adaptation, organizations must remain vigilant. Investing in robust cybersecurity measures, improving incident response capabilities, and staying informed about the latest threats are critical steps in the fight against this ever-evolving menace.

Tags: Ransomware, Cybercrime, Blockchain, Chainalysis, Cybersecurity, Data Breach, Initial Access Brokers, Ransomware-as-a-Service, Incident Response, Dark Web, Cyber Attack, Cybersecurity Trends, Ransomware Payments, Data Leak, Threat Actors, Cybersecurity Threats, Ransomware Statistics, Cyber Defense, Ransomware Evolution, Cybersecurity Strategy

Viral Sentences:

• “Ransomware payments hit an all-time low, but the cost of attacks is higher than ever!”
• “Victims are paying bigger ransoms—but fewer are paying at all. What’s going on?”
• “The ransomware ecosystem is fragmenting, but the attacks are getting smarter.”
• “Initial access brokers: The unsung heroes (or villains) of the ransomware economy.”
• “Ransomware isn’t dying—it’s just getting more creative.”
• “Why paying the ransom might not be enough anymore.”
• “The ransomware paradox: More attacks, fewer payouts, higher stakes.”
• “How AI and automation are reshaping the ransomware landscape.”
• “The hidden cost of ransomware: It’s not just about the money.”
• “Ransomware is evolving—are you ready for what’s next?”

,