Ransomware attacks surge as crypto ransoms fall

Ransomware groups increased the number of publicly claimed attacks by about 50% in 2025, even as total on-chain ransom payments slipped roughly 8% to $820 million, according to new analysis from blockchain-data firm Chainalysis.
Chainalysis said it tracked nearly 8,000 ransomware “leak events” in 2025 – posts on extortion sites where attackers claim to have hit an organization and threaten to publish stolen data – marking the most active year on record by that measure.
The report describes a widening split between attack volume and payout totals that investigators and incident-response firms attribute to stronger defenses, more victims refusing to pay, and intensified disruption efforts aimed at ransomware infrastructure and laundering pathways. In Chainalysis’ view, those pressures have reduced victim payment rates even as attackers keep publishing claims and escalating tactics around data theft and harassment during negotiations.
One signal of that shift is payment behavior. Chainalysis estimates the share of ransoms paid may have fallen to an all-time low of about 28% in 2025. At the same time, the typical payout got much larger: the median ransom payment rose 368% year over year to nearly $60,000, up from about $12,738 in 2024, indicating that attackers increasingly rely on fewer, higher-value payments while many victims pay nothing.
Chainalysis and outside researchers cited in the report also point to changes upstream in the cybercrime supply chain that lower the cost of launching attacks. The average “price for victim access” sold on criminal marketplaces fell from about $1,427 at the start of 2023 to roughly $439 at the start of 2026, as automation and a glut of stolen credentials and “infostealer” logs made it cheaper to buy entry into compromised networks.
The report links that access market to a broader ecosystem of Initial Access Brokers (IABs), specialized sellers who provide entry points into victim networks for downstream criminals. Chainalysis estimates IABs received at least $14 million in on-chain payments in 2025, and said spikes in IAB-related inflows often preceded increases in ransomware payments and leak-site postings by about 30 days, suggesting access-trading can function as an early indicator of future campaigns.
Geographically, Chainalysis said leak-site disclosures in 2025 continued to concentrate heavily in developed economies, with the United States the most frequently targeted jurisdiction in cases where a clear location tag is available, followed by Canada, Germany, the UK and other parts of Europe. The report said manufacturing and finance/professional services were heavily compromised across many jurisdictions, while supply chains, logistics and critical infrastructure featured prominently in some countries.
Chainalysis also cautioned that leak-site data is imperfect because some postings are disputed, recycled, or copied across groups, meaning a public claim does not always prove a fresh compromise or a ransom payment. Even so, the firm said the scale of postings – and the increased targeting across sectors – shows ransomware actors are maintaining high operational tempo while adjusting monetization tactics.
The report highlighted how individual large incidents can still dominate real-world disruption even if crypto payments do not rise. As one example, Chainalysis pointed to the cyberattack on Jaguar Land Rover, which it said halted production lines across multiple countries and inflicted an estimated £1.9 billion (about $2.5 billion) in economic damage.
Chainalysis said 2025 disruption efforts increasingly focused on shared infrastructure rather than only on named ransomware brands, with law enforcement actions, sanctions and private-sector measures targeting services such as “bulletproof” hosting and other tooling used across multiple actors. The firm also said financially motivated ransomware crews and state-aligned actors are increasingly relying on the same hosting providers and residential proxy networks, blurring the line between conventional cybercrime and geopolitically linked operations at the infrastructure layer.