Ransomware payments cratered in 2025, but attacks surged to record highs

Smaller crews piled in as old names splintered and rebranded

Carly Page
Fri 27 Feb 2026 // 16:15 UTC

Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn't get the memo.

That's the headline from Chainalysis' 2026 Crypto Crime Report, which shows total on-chain ransomware payments falling for a second straight year, even as victim counts and leak site pressure continue to climb.

Ransomware gangs pulled in about $820 million in 2025, roughly 8 percent less than the year before, as the share of victims paying dropped to an all-time low of 28 percent.

That drop might sound like progress if the wider picture weren't so bleak: the median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, and the number of publicly claimed attacks climbed along with it.

"Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50 percent YoY increase in claimed ransomware victims, marking the most active year on record," Chainalysis said.

2025 delivered plenty of high-profile examples of this "most active" year. Jaguar Land Rover suffered what's been described as the costliest cyber incident in UK history, and Marks & Spencer endured prolonged operational disruption after a Scattered Spider-linked breach that wiped hundreds of millions off its market value.

While 2025 had its share of mega-breaches, the real story is volume. Smaller, opportunistic groups are behind a growing share of extortion attempts, even as the old guard – LockBit, BlackCat, and friends – have been raided, sanctioned, arrested, or simply popped back up under new logos. What's left is a crowded field of spin-offs and opportunists taking their chances, and plenty of these incidents never show up as a clean, traceable crypto payout on a blockchain explorer.

Security firm Emsisoft's 2025 ransomware data reinforces that picture. More than 8,000 organizations were publicly named on leak sites last year – a sharp jump from previous years.

Developed economies are still squarely in the crosshairs. The United States leads the pack yet again, followed by Canada, Germany, the UK, and the rest of Western Europe.

Manufacturing, financial, and professional services took plenty of hits, and in Canada and Germany, attackers showed a particular appetite for supply chains, logistics networks, and critical infrastructure. In the US, every major sector – including government and critical infrastructure – saw year-over-year increases in the number of claimed victims.

Chainalysis's report also offered a glimpse behind the scenes, where ransomware now looks less like a single criminal enterprise and more like a supply chain. Initial access brokers (IABs) – the middlemen selling ready-made footholds into corporate networks – received at least $14 million in on-chain payments in 2025. That's small compared to ransomware's $820 million haul, but Chainalysis found that spikes in IAB payments often precede increases in ransomware payments and US victim leak posts by roughly 30 days. Access gets bought, and a few weeks later, someone's name appears on a leak site.

The Chainalysis report suggests that ransomware isn't shrinking so much as shifting, with fewer victims paying but more organizations getting hit, higher demands, and a thriving access-for-sale marketplace quietly teeing up the next wave of leak-site disclosures.

The article describes a ransomware threat landscape characterized by a surge in attack volume and a shift in attacker composition, despite a decline in total payments. The primary attack vector is opportunistic extortion via ransomware, with a notable increase in smaller, splintered groups targeting a wide range of sectors, including manufacturing, finance, and critical infrastructure. While the median ransom demand has increased sharply, the report indicates a lower victim payment rate, suggesting improved preparedness but a persistently high threat level.