Ransomware Payments 2025: Less Money Despite Record Number of Attacks

The cybersecurity landscape in 2025 presents a paradoxical picture: while ransomware attacks reached their highest levels ever, the actual ransom payments decreased. According to Chainalysis, a total of $820 million was paid in on-chain transactions to ransomware attackers last year — an 8% decline compared to the estimated $892 million in the previous year.

The Numbers Game: More Victims, Less Capital Gain

The most shocking aspect of the 2025 data is the discrepancy between attack frequency and actual revenue for criminals. Reported ransomware victims surged by 50% — making this year a record for attacks. Yet, ransom payments remained well below expectations.

This resulted in the average ratio of ransom paid to the number of victims dropping to just 28% in 2025 — an all-time low. However, the Chainalysis report notes that final payment figures could still rise to as much as $900 million once more cases are documented and attributed. Even in this scenario, the difference from 2024 would be marginal, reflecting stagnation.

A particularly interesting phenomenon is seen in the median ransom demand: it skyrocketed by 368% in 2025 — from $12,738 the previous year to $59,556. This suggests that while fewer victims paid overall, those who did transfer significantly larger amounts. This development indicates a shift in ransomware tactics.

Why Attackers Changed Their Strategy

Experts attribute this trend to multiple overlapping factors. First, global countermeasures against ransomware infrastructure and operators have intensified considerably. Second, the ransomware market itself has decentralized: instead of a few dominant variants and centrally organized groups, numerous smaller, independent collectives have emerged. This fragmentation makes tracking and reliably attributing payment flows to specific attack groups more difficult.

Cybercriminals responded to this pressure with a strategic shift: they increasingly target small and medium-sized organizations rather than large corporations. The logic is simple — smaller targets are more cooperative with ransom demands and attract less public attention. The result: fewer spectacular large-scale attacks, but a broader attack surface.

Geographical and Sectoral Distribution of Threats

Geographical analysis shows that the U.S. remains the primary target region, followed by Canada, Germany, and the United Kingdom. Manufacturing and financial/services sectors are particularly frequent targets in these countries. However, Chainalysis warns that ransomware actors are generally opportunistic — they focus less on specific industries or seasons and more on exploiting available vulnerabilities, misconfigurations, and newly disclosed security gaps immediately.

Despite this trend toward smaller targets, several notable large-scale incidents occurred in 2025. The attack on Jaguar Land Rover caused estimated economic damages of around $2.5 billion. The Scattered Spider group also launched an attack on the British retail chain Marks & Spencer, disrupting operations and causing significant multimillion-dollar losses. These incidents underscore that larger organized groups still have the capacity and interest to target high-value targets.

Outlook: The Evolving Ransomware Landscape

The 2025 data depict a threat landscape that is becoming more diversified. With more attacks but lower average payments, alongside rising median demands, combating ransomware is becoming an even more complex task. Organizations of all sizes must strengthen their defenses, as the decentralized nature of the modern ransomware market means threats can originate from anywhere — not just from established, large actors.