Ransomware payment rate drops to record low as attacks surge
Source: Bleeping Computer
Payment Rate Decline
- 2024: payment rate of 62.8 % (more than double the 2025 rate)
- 2022: payment rate of 78.9 %
- 2025: record‑low rate of 28 %
Ransomware Payment Volumes
At the moment, the total on‑chain ransomware payments in 2025 stand at $820 million, and Chainalysis notes that “the 2025 total is likely to approach or exceed $900 million as we attribute more events and payments.”
Despite a 50 % year‑over‑year increase in ransomware attacks, the total number of payments has remained relatively stable.
Data Leak Events vs. Payment Rate
Source: Chainalysis
Alignment with Other Research
Data from Chainalysis aligns with previous reports by Coveware, which showed a steady decline in victim payment rates throughout 2025.
Factors Influencing the Ransomware Economy
Chainalysis cites several drivers behind the shifting landscape:
- Improved incident response capabilities
- Increased regulatory scrutiny
- International law‑enforcement actions
- Market fragmentation
Payment Amounts
While aggregate ransomware revenue declined, the median ransom payment rose dramatically, up 368 % from $12,738 in 2024 to $59,556 in 2025. This suggests victims are paying larger sums in hopes that cybercriminals will delete stolen data rather than sell or trade it.
Source: Chainalysis
Active Extortion Groups & High‑Impact Incidents
- 85 active extortion groups were observed in 2025, a sharp increase from previous years when the ransomware space was dominated by a few threat groups and RaaS platforms.
- Notable incidents highlighted by Chainalysis:
- Jaguar Land Rover attack – estimated $2.5 billion in damages
- Marks & Spencer breach by the Scattered Spider group
- DaVita Inc. ransomware breach exposing 2.7 million patient records
Targeted Countries & Industries
For the fourth consecutive year, the United States was the most targeted country, followed by Canada, Germany, and the United Kingdom, indicating a preference for developed economies.
Source: Chainalysis
Initial Access Brokers (IABs)
- IABs, who sell compromised endpoint access to ransomware operators, generated $14 million in 2025—roughly the same as the previous year and 1.7 % of total ransomware revenue.
- Spikes in IAB payment inflows tend to precede increases in ransomware payments and victim leak posts by about 30 days, suggesting IAB activity can serve as a leading indicator.
- The average price for network access fell from ≈ $1,427 in Q1 2023 to $439 in Q1 2026, reflecting automation, AI‑assisted tooling, and an oversupply of info‑stealer logs.
Overall Outlook
Chainalysis concludes that although ransom payments declined last year, the scale, sophistication, and real‑world impact of ransomware attacks continue to grow, affecting organizations of all sizes worldwide. Researchers believe ransomware is adapting rather than losing ground, evolving tactics to extract more value from an ever‑decreasing pool of consenting victims.