Crypto-ransomware 2025: $820M in payouts, rising attacks, and a new ransomware economy
In 2025, ransomware operators collected more than $820 million amid a record number of attacks and a declining share of companies willing to pay.
27.02.2026
Key Takeaways
- Despite a record number of reported attacks, ransomware payments did not grow. The total amount of ransomware-related payments recorded on-chain fell by about 8% to roughly $820 million in 2025, even as the number of reported incidents rose by 50%.
- At the same time, the typical ransom size surged. Even with overall revenue stagnating, the median payment jumped 368% year over year, reaching nearly $60,000.
- Activity by so-called Initial Access Brokers (IABs) may serve as an early indicator of future attacks. Blockchain transaction analysis shows that spikes in payments to these intermediaries typically precede increases in ransomware payouts and victim disclosures by about 30 days.
- Criminal groups and state-linked actors are increasingly using shared infrastructure. Financially motivated cybercriminals and nation-state operators rely on the same hosting services and anonymization networks to conceal their operations.
- In 2025, countermeasures targeted not only specific ransomware groups but also the infrastructure enabling them. Law enforcement agencies and private companies increasingly focused on hosting providers and malware distribution tools to disrupt the broader ecosystem.
Today, ransomware should be viewed not as isolated attacks but as part of an interconnected marketplace, where some actors sell access to compromised systems, others provide technical infrastructure, and still others facilitate payments. GetBlock AML Research has published a detailed report on crypto-related ransomware.
In 2025, total on-chain payments remained relatively stable despite a rise in reported attacks and higher average ransom demands. At the same time, international law enforcement and regulators increasingly struck at infrastructure — including so-called “bulletproof” hosting providers — raising costs for both criminal groups and state-linked entities.
Ransomware operators received more than $820 million in on-chain payments in 2025, down 8% from $892 million the year before. As in previous years, final figures may rise as additional data is verified, potentially pushing the 2025 total closer to or above $900 million.

Total crypto-ransomware losses from 2020 to 2025. Visualization: Chainalysis
Despite relatively stable overall payments, the number of attacks surged in 2025. According to monitoring data from specialized resources, reported victims increased by 50% year over year, making 2025 the most active year on record. Meanwhile, the share of companies that actually paid a ransom likely fell to a historic low of around 28%.

This divergence — more reported attacks but lower total payouts — reflects complex shifts in the ransomware economy.
Improved incident response and tighter regulatory oversight helped reduce payment frequency. International operations targeting ransomware operators, their infrastructure, and money-laundering networks curtailed part of the financial flows.
In some cases, newly released malware strains contained technical flaws, allowing victims to decrypt their data without paying and thereby reducing attacker revenues. The market also fragmented significantly: instead of a handful of dominant “ransomware-as-a-service” platforms, dozens of smaller independent groups emerged. Some analysts estimate that up to 85 groups were active.
This shift from a few dominant players to a more fragmented and unstable landscape has made investigations and long-term monitoring more difficult. Experts point to a structural change: fewer high-profile mega-attacks and more mass targeting of small and mid-sized businesses. The attackers’ logic is simple — smaller firms are more likely to pay quickly. Yet data shows that despite record incident volumes, overall payments continue to decline. In effect, criminals are working more for less.
Overall, this is a positive trend: fewer payments reduce the economic appeal of ransomware.
Rising Median Ransoms and Evolving Pressure Tactics
While total payouts remained stable, the size of individual payments increased sharply in 2025. The median payment rose 368%, from $12,738 in 2024 to $59,556 in 2025. This aligns with incident response firms reporting more than a twofold increase in average payments in certain quarters.

Ransomware payment activity by year. Visualization: Chainalysis
High-Profile Incidents Shaped the Landscape
Several major cyber incidents in 2025 amplified the global impact of ransomware.
One of the costliest was a cyberattack on Jaguar Land Rover, which halted production lines across multiple countries and caused approximately £1.9 billion (about $2.5 billion) in economic damage — the largest cyber incident in UK history.
The retail and services sectors were also hit. UK retailer Marks & Spencer suffered prolonged disruptions following an attack attributed to the Scattered Spider group, resulting in substantial financial losses and a decline in market value.
Healthcare remains a prime target. DaVita Inc., a dialysis services provider, experienced a significant data breach affecting nearly 2.7 million patients, with approximately 1.5 terabytes of medical data stolen.
Beyond individual companies, mass exploitation of software vulnerabilities continued. For example, the Cl0p group leveraged a previously unknown vulnerability in Oracle enterprise software to conduct a large-scale extortion campaign affecting hundreds of organizations.
Ransomware operators remain highly opportunistic. They do not limit themselves to specific industries or seasons, instead exploiting any discovered vulnerabilities or misconfigurations.
Identifying Groups by Financial Behavior
Analysis of fund withdrawal patterns among the ten largest ransomware groups of 2025 reveals distinct financial “signatures.” Even when malware code appears similar, methods of receiving and distributing funds differ.
These distinctions help investigators differentiate groups not only by attack techniques and negotiation tactics, but also by their blockchain behavior. It is also possible to identify actors working across multiple ransomware programs by tracking unique fund transfer patterns.
Geography of Data Leaks
Analysis of leak site publications shows a persistent concentration of attacks in developed countries. Reported incidents rose 50% year over year, reaching record levels.
Among countries with clearly identified victims, the United States leads, followed by Canada, Germany, the United Kingdom, and other European nations. Manufacturing and financial and professional services were the most frequently targeted sectors. In Canada and Germany, supply chains, logistics, and critical infrastructure saw particularly high attack volumes.
Not all claims on leak sites are accurate. Publication does not necessarily mean a victim refused to pay. Incident response specialists note that some groups recycled old data or copied other victims to create the appearance of activity. At the same time, more organizations are implementing robust backups and modern security systems, reducing actual payments.
Some groups responded to declining payments with more aggressive negotiation tactics, including contacting employees and customers of victim companies. Others focused more on data theft and analysis to craft targeted threats about the consequences of publication.
The United States remains the most targeted country, with incident growth spanning nearly all sectors. Reported victims in critical infrastructure, logistics, and government rose 45–56% year over year. U.S. organizations continue to be viewed as high-revenue targets.
The Ransomware Supply Chain: Initial Access Brokers
Ransomware does not operate in isolation. It is supported by a broader cybercriminal supply chain that includes Initial Access Brokers, who sell access to already compromised networks, enabling other actors to deploy malware more quickly.
In 2025, these intermediaries received at least $14 million in on-chain payments. While small compared to the $820 million in ransomware payouts, this segment plays a critical role. Ransomware payments were nearly 58 times larger than broker revenues, highlighting the high return on investment within this segment of the criminal chain.
Not all broker payments are tied directly to ransomware. Access may be resold between intermediaries, and some actors pursue different objectives. Not all attacks rely on brokers. Still, a correlation is evident between investment in access purchases and subsequent attack waves.
Thirty-day analyses following major payment spikes to access brokers show increases in both global ransomware payouts and reported U.S. victims, suggesting a potential causal link.
According to dark market research, the average price of network access fell from about $1,427 in early 2023 to $439 in early 2026, driven by rising competition and automation. At the same time, verified access to large enterprise systems continues to command premium prices, indicating a split between mass-market and high-end segments.
New Tools and Automation
New tools are emerging that automate not only intrusions but also ransom negotiations. In mid-2025, researchers observed groups experimenting with AI-driven negotiation interfaces — mirroring trends seen in AI-enabled fraud schemes.
Infrastructure for Criminal and State Actors
Ransomware infrastructure — hosting, anonymization networks, malware loaders — is used not only by criminals but also by state-linked actors. The same services support espionage and influence operations.
According to 2025 leaks, Iranian groups, including those linked to intelligence units, actively use commercial hosting services and proxy networks to conceal their origins and blend in with ordinary cybercrime. Similar tactics have been observed among actors linked to Russia and China.
In 2025, sanctions were imposed on Media Land, also known as Yalishanda, a hosting provider associated with cybercriminal activity. These measures signal growing attention not only to specific groups but also to the infrastructure that amplifies their capabilities.
Targeting infrastructure increases pressure across the ecosystem: disabling or sanctioning it can simultaneously affect ransomware operators, fraudsters, and state-backed actors.
Public and Private Sectors Intensify Countermeasures
In 2025, anti-ransomware efforts expanded beyond pursuing individual groups. In May, international law enforcement broadened Operation Endgame, targeting key malware distribution tools and shared infrastructure. Servers were seized, arrests were made, and multiple malware families were disrupted.
Pressure also increased on hosting providers and money-laundering services. Sanctions and criminal cases raised risks for those enabling attack infrastructure.
The private sector contributed by dismantling major proxy networks used for anonymization and attacks. Blockchain financial analysis revealed links between services, shared wallets, and overlapping funding channels.
Although attack volumes remain high, these measures increase operational costs and complicate attacker activity.
Lower Revenues, Greater Damage
The story of 2025 cannot be measured by ransom payments alone. While ransomware revenues dipped slightly, the scale and consequences of attacks continued to grow. From major automakers to regional healthcare systems, organizations faced severe disruptions, reputational damage, and massive indirect costs that far exceeded ransom amounts.
In short, 2025 was defined not by retreat but by adaptation. Ransomware operators continue to evolve, extracting value and causing harm even without direct payments. Effective defense now requires not only technical controls but also strategic resilience to minimize the broader impact of these multi-layered threats.