Ransomware Revenue Declines for Second Year Despite 50% Surge in Attacks

According to Chainalysis, total on-chain ransomware payments fell by around 8% in 2025, marking the second consecutive annual decline.

Despite this drop, claimed attacks rose 50%. The report notes that the widening gap between the rise in incidents and lower payouts highlights the complex forces reshaping the ransomware economy.

Ransomware Payments Reach $820 Million in 2025

In the ransomware chapter of its 2026 Crypto Crime Report, Chainalysis disclosed that ransomware actors collected more than $820 million in on-chain payments in 2025. The figure represents an 8% year-over-year decline from the firm’s revised 2024 estimate of $892 million.

However, the 2025 total could still rise. Chainalysis noted that the final figure may approach or surpass $900 million, mirroring last year’s adjustment when the initial 2024 estimate of $813 million was later revised upward.

Follow us on X to get the latest news as it happens

Even as total payments showed relative stability, ransomware activity intensified sharply. Data from eCrime.ch indicates that claimed ransomware victims increased 50% year over year in 2025, making it the most active year on record. Despite the surge in attacks, the share of ransoms paid fell to 28%, a record low.

Chainalysis cited several factors behind the divergence. Improved incident response and tighter regulatory oversight have helped reduce the frequency of payouts.

Furthermore, international enforcement efforts against these actors and laundering networks have constrained some revenue flows. 

“In some cases, the introduction of strains like VolkLocker, notable for a cryptographic weakness that allowed free decryption in some cases, illustrates how technical vetting by defenders can occasionally disrupt a ransomware strain,” the report read.

Bitcoin Remains Top Choice as Ransomware Median Payments Soar

While total payments stagnated, median ransom sizes rose sharply in 2025. The median payment surged 368%, climbing from $12,738 in 2024 to $59,556 in 2025.

Jacqueline Koven, Head of Cyber Threat Intelligence at Chainalysis, told BeInCrypto that the median payment is likely driven up by a small number of relatively high outlier payments rather than a return to big-game hunting ransomware tactics that dominated in the past.

“Ransomware actors are opportunistic, and we continue to see victimization of organizations of all sizes,” she said.

Koven also revealed that Bitcoin (BTC) remains the financial rail of choice for ransomware actors. She explained that despite its transparency, which poses a risk to bad actors, they prefer BTC because it is cross-border, instantaneous, liquid, and easy to use.

“Bitcoin is still preferred for ransomware payments,” she added.

$14 Million Paid to Initial Access Brokers as Ransomware Pipeline Expands

The report also explained that ransomware operations are supported by a wider cybercriminal ecosystem that includes Initial Access Brokers and other specialized service providers. These brokers facilitate access to compromised networks, allowing affiliates to deploy ransomware with relative ease.

Chainalysis estimates that Initial Access Brokers received at least $14 million in on-chain payments in 2025, a figure largely unchanged from the previous year. While small compared to overall ransomware revenues, the payments highlight the “critical enabling function.”

“It is important to note that not all IAB payments are made by ransomware operators. IABs certainly trade and buy accesses among themselves and some malicious actors have TTPs and objectives other than ransomware. Another important caveat is that not all ransomware incidents can be traced to initial access brokers – there are a number of different ways to gain access to victim networks. With those caveats in mind, we can draw a connection between criminal investments and the ransomware attacks that follow,” Chainalysis said.

The report added that IAB activity can serve as a leading indicator. According to on-chain analysis, surges in IAB inflows tend to precede increases in ransomware payouts and victim leaks by roughly 30 days.

“IAB payments are a powerful glimpse into the ransomware ecosystem because even as ransomware groups have fragmented and rebranded, as we note in our report, dependencies on IABs remain constant. In that way, IAB and even infrastructure payments can signal attack preparation,” Koven mentioned to BeInCrypto.

Chainalysis stressed the ransomware story of 2025 cannot be understood through revenue figures alone. While total on-chain payments declined modestly, the scale, sophistication, and strategic impact of attacks continued to expand. Organizations of all sizes, from global automakers to regional healthcare providers, faced extortion that disrupted operations, eroded trust, and generated systemic losses far exceeding recorded ransom payments.

The post Ransomware Revenue Declines for Second Year Despite 50% Surge in Attacks appeared first on BeInCrypto.