Ransomware Payments 2025: Less Money, But More Attacks – A Cybercrime Paradox

The on-chain ransomware payments in 2025 reveal a fascinating paradox: while ransom payments to cybercriminals decreased, the industry simultaneously experienced an unprecedented rise in the number of attacks. According to a new analysis by Chainalysis, on-chain ransomware payments last year totaled $820 million — an 8% decline from an estimated $892 million in 2024.

This development shows a significant trend: after reaching a record high of $1.23 billion in 2023, ransomware payments are now falling for the second consecutive year. But this positive news is only half the story. The underlying mechanisms are much more complex and raise new questions about the future of cybercrime.

The Payment Decline: Why On-Chain Ransom Payments Fell in 2025

The reduction in ransomware payments was not due to fewer successful attacks but rather a fundamental restructuring of the ransomware market. The decentralization of cybercriminal networks played a central role. While in previous years dominant ransomware variants like REvil or DarkSide controlled the field, many smaller, independent groups emerged in their place.

This fragmentation has two effects: First, tracking payment flows becomes significantly more difficult. Blockchain analysts find it increasingly hard to definitively link transactions to specific ransomware operations. Second, the spread of smaller groups leads to stagnation in total revenue — an indirect result of intensified law enforcement measures against ransomware networks worldwide.

Interestingly, however, a different picture emerges when looking at the average ransom payment. While fewer victims paid, the average amount increased by an impressive 368% — from $12,738 in 2024 to $59,556 in 2025. This suggests that those who did pay faced substantially higher extortion demands.

Attack Numbers at Record Highs: The Flip Side of the Ransomware Trend

The paradox becomes clearer when examining attack statistics themselves. Reported ransomware victims increased by 50% in 2025 compared to the previous year — a record in documented ransomware history. Despite the decline in payments, 2025 was thus the year with the highest number of attack victims ever.

This increase also led to another remarkable statistic: the average ransom paid relative to victims dropped to a historic low of 28%. In other words, the attack success rate surged while the payment success rate declined. Experts attribute this to the increasingly opportunistic nature of modern ransomware campaigns.

It’s important to note that the total final payments could potentially rise to up to $900 million once additional cases are linked through blockchain analysis. Even with this buffer, the difference between 2024 and 2025 remains minimal, indicating a phase of stagnation in the ransomware business — paradoxically alongside explosive growth in attack numbers.

Cybercriminals’ Strategy Shift: From Large Corporations to Mid-Sized Businesses

One of the most significant shifts in the ransomware landscape is the target audience of attackers. Analysis shows that cybercriminals are increasingly focusing on small and medium-sized organizations rather than large corporations. This strategy is based on a simple but effective calculation: smaller victims are statistically more likely to pay the demanded ransom quickly.

This reorientation partly explains the higher attack volume amid lower overall gains. Large-scale, spectacular attacks on Fortune 500 companies are becoming less frequent and less profitable, as these organizations are better protected and less compelled to pay due to their resources and insurance coverage.

Geographically, the United States remains the most affected region, followed by Canada, Germany, and the United Kingdom. The most common targets in these jurisdictions are manufacturing companies and financial service providers. However, ransomware actors operate highly opportunistically: they choose targets less based on industry and more based on exposed services, misconfigurations, and newly discovered security vulnerabilities as they become available.

Nevertheless, in 2025, several high-profile incidents demonstrated that large-scale ransomware operations have not disappeared. The attack on Jaguar Land Rover caused an estimated $2.5 billion in economic damage and is among the costliest incidents ever. Another attack by the Scattered Spider group disrupted the British retail chain Marks & Spencer, causing multimillion-dollar losses. These cases show that top ransomware groups are still capable of large, highly profitable operations.

The future of the ransomware threat is likely to continue along these lines: a market dominated by decentralized, smaller groups focusing on mass attacks rather than big projects, punctuated by rare but devastating assaults by specialized cybercriminal gangs.