The landscape of ransomware attacks in 2025 has revealed a paradox: while total payments decreased, the frequency of attacks reached record highs. This information comes from Chainalysis’ 2026 Crypto Crime Report, which highlights significant trends in the ransomware ecosystem.
Declining Payments, Rising Attacks
In 2025, ransomware gangs collected approximately $820 million, marking an 8 percent decrease from the previous year. Notably, the percentage of victims who paid ransoms fell to an all-time low of 28 percent. However, the median ransom demand saw a dramatic increase, jumping from $12,738 in 2024 to $59,556 in 2025. This rise in demands coincided with a significant increase in the number of publicly reported ransomware incidents.
Record Victim Counts
Chainalysis reported a staggering 50 percent year-over-year increase in claimed ransomware victims, making 2025 the most active year on record for such attacks. High-profile incidents included a breach at Jaguar Land Rover, described as the costliest cyber incident in UK history, and operational disruptions at Marks & Spencer due to a breach linked to the group Scattered Spider.
Changing Dynamics in Ransomware
The report indicates a shift in the ransomware landscape, with smaller, opportunistic groups increasingly responsible for extortion attempts. Traditional ransomware gangs such as LockBit and BlackCat have faced law enforcement actions, leading to a fragmented environment where new players are emerging. Many of these incidents may not result in clear, traceable cryptocurrency payments, complicating the overall picture.
Access Brokers and Future Trends
Chainalysis also highlighted the role of Initial Access Brokers (IABs), who facilitate access to corporate networks for ransomware actors. In 2025, IABs received at least $14 million in on-chain payments. This figure, while small compared to the overall ransomware payments, suggests a correlation between IAB payments and subsequent ransomware incidents, with spikes in IAB activity often preceding increases in ransomware payments and victim disclosures by about 30 days.
Overall, the report suggests that while fewer victims are paying ransoms, the number of organizations targeted is increasing, along with higher ransom demands. The evolving dynamics of ransomware indicate a thriving marketplace for access to compromised networks, setting the stage for future incidents.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
