Synopsis: Ransomware attacks surged 50% to 8,000 in 2025, targeting small businesses more. Yet payments dropped 8% to $820M as victims refused, restored backups, and used decryption tools.
The numbers tell a strange story. Ransomware attacks exploded in 2025, hitting record highs. However, the criminals behind those attacks earned less than the year before. For the first time in years, victims are fighting back and winning.
A new report from blockchain analytics firm Chainalysis breaks down exactly what happened. The findings reveal a major shift in how cybercriminals operate, who they target, and how much money they actually collect.
Attacks Hit an All-Time High
Ransomware incidents jumped 50% in 2025 compared to 2024. Chainalysis recorded nearly 8,000 total leak events during the year. That figure marks the most active year for ransomware on record.
The rise in attacks wasn’t accidental. Hackers deliberately changed their approach. Instead of targeting massive corporations, they shifted focus to smaller businesses. Small and medium enterprises became the primary victims.
The reason is simple. Smaller companies pay faster. They often lack strong cybersecurity teams. They have fewer resources to fight back or negotiate.
Corsin Camichel, founder of eCrime.ch, explained it clearly in the report. “We’re seeing a structural shift in targeting,” he said. “Fewer large, headline-grabbing intrusions and more volume focused on small and medium enterprises.”
Additionally, hacking tools became dramatically cheaper. The average price for victim access on the dark web dropped from $1,427 in early 2023 to just $439 in early 2026. That’s a steep fall. Cheaper tools meant more hackers could enter the game.
Artificial intelligence also played a role. AI-assisted tools helped criminals streamline attacks. Combined with cheap software and ransomware strains flooding the market, hackers increased their output significantly.
Payments Actually Dropped Despite More Attacks
Here’s the twist. Despite the record number of attacks, total ransom payments fell by 8% in 2025. Victims paid a combined $820 million down from $892 million in 2024. That gap between attack volume and actual payments signals something important. Victims are getting better at saying no.
The victim payment rate hit a record low of 28% in 2025. In 2024, that rate sat at around 63%. Just three years ago, nearly 79% of victims paid. The shift is dramatic and fast.
More companies now restore their systems from backups. Others use decryption tools made available by law enforcement. Many simply refuse to pay, guided by regulatory advice and insurance policies that discourage payments.
Chainalysis put it plainly. Attackers are “working harder for diminishing returns.” More attacks, more effort, less reward.
Bigger Demands, Fewer Payers
When victims did pay, the amounts were much larger. The median ransom payment surged by 368% in 2025. In 2024, the median payment was roughly $12,738. By 2025, it climbed to around $59,565.
Attackers inflated their demands. They targeted higher-value victims more precisely. They calculated that fewer, larger payments might compensate for lower overall success rates.
That strategy only partially worked. The total payout still dropped. Furthermore, the number of active extortion groups grew to 85 in 2025, up sharply from prior years. More criminals were competing for a shrinking pool of payments. The ransomware landscape increasingly resembles a crowded, cutthroat market. Supply outpaced demand. Prices fell. Margins thinned.
Also Read: Binance Investigators Uncover $1.7 Billion Flowing to Iranian Groups
Law Enforcement and Better Defenses Are Working
Behind these numbers is a broader story of progress. Governments and law enforcement agencies have stepped up pressure on ransomware groups. International operations targeted major players in prior years, including takedowns that disrupted groups like LockBit.
Regulatory guidance has also shifted behavior. Many organizations now have formal policies against paying ransoms. Cyber insurance companies increasingly discourage payments as well. Consequently, fewer victims are writing checks to criminals.
Improved cyber hygiene has made a difference too. More companies back up their data regularly. Incident response teams work faster. Recovery times have shortened, reducing the leverage attackers hold over their victims. Meanwhile, 2026 has already brought fresh challenges. According to cybersecurity firm CertiK, crypto exploits and scams stole $370.3 million in January alone. Phishing attacks accounted for $311.3 million of that total.
The fight against cybercrime is far from over. Nevertheless, the data from 2025 shows that defenders are gaining ground. Ransomware attackers launched more attacks than ever before and still came away with less. That, for now, counts as progress.
Written By Fazal Ul Vahab C H
