TL;DR:
- Ransomware attacks grew 50% in 2025, with nearly 8,000 events recorded, according to Chainalysis’s annual report.
- On-chain payments fell 8% to $820 million, while the median payment surged 368% to nearly $60,000.
- Access to compromised networks dropped from $1,427 in 2023 to $439 in 2026, driven by automation and artificial intelligence.
2025 was the most active year in the history of extortive cybercrime,Ā ransomwareĀ has expanded deeply across the industry. According to the annual report published byĀ Chainalysis, attacksĀ increased 50% year-over-year, with nearlyĀ 8,000 leak events recorded. However,Ā on-chain payments totaled $820 million, an 8% decline from the $892 million estimated for 2024, revealing thatĀ there is a growing gap between the volume of attacks and the revenue actually obtained by attackers.
The proportion of victims who paid the ransomĀ reached a historic low, settling at aroundĀ 28%. The report attributes this trend toĀ improved incident response capabilities, increased regulatory scrutiny and coordinated law enforcement actions against money laundering infrastructure. Corsin Camichel, founder of eCrime.ch, noted that “attackers are working harder for diminishing returns.”
Ransomware Market: Cheaper, More Widespread
A structural factor explaining the increase in Ransomware attack volume isĀ the sustained decline in the price of access to compromised networks. According to data from Darkweb IQ, the average priceĀ fell from $1,427 in early 2023 to $439 in the first quarter of 2026.
This reduction reflects theĀ proliferation of automated tools,Ā artificial intelligenceĀ integrations and an oversupply of low-cost access on dark web marketplaces. The result is a more decentralized ecosystem, with up to 85 extortion groups active simultaneously.
Initial Access BrokersĀ āintermediaries who sell access to compromised networksā received at leastĀ $14 millionĀ in on-chain payments during 2025. Although this figure is modest relative to ecosystem totals, Chainalysis’s analysis indicates thatĀ spikes in flows toward these criminals anticipate increases in ransomware payments with a window of approximately 30 days.
The Institutional Response Targets the Infrastructure
Law enforcement agenciesĀ are targeting the infrastructure behind ransomware, rather than focusing solely on specific groups.Ā OperationĀ Endgame, coordinated by Europol, the FBI, Germany’s BKA and the UK’s NCA in May 2025, resulted in theĀ seizure of servers and the disruption ofĀ malwareĀ familiesĀ used as entry points in multiple campaigns. In addition, OFAC sanctioned hosting providerĀ AEZA GroupĀ in July and providerĀ ZserversĀ in February, the latter linked to theĀ LockBitĀ group.
Although payments moderated their growth,Ā the operational and reputational damage from attacks continued to expand.Ā High-profile cases included the attack onĀ Jaguar Land Rover, which generated estimated losses ofĀ Ā£1.9 billion, and the exposure of 2.7 million patient records from dialysis companyĀ DaVita.
