Total on-chain ransomware payments fall about 8% to $820 million in 2025, even as claimed ransomware attacks rise 50% year over year. The analysis pegs 2024 at $892 million as an updated estimate, and notes the 2025 total could still approach or exceed $900 million as additional incidents and payments get attributed over time.
At the same time, the typical payment gets much larger when victims do pay. The median ransom payment rises 368% from $12,738 in 2024 to $59,556 in 2025, which lands near the $60,000 mark that is now getting repeated across security desks.
Those two numbers can coexist because the market is bifurcating. More victims get hit and threatened, but fewer pay, while the subset that does pay tends to pay more.
A rising attack count with flat or lower aggregate payments suggests ransomware operators are working harder for less total revenue. The on-chain analysis frames the share of ransoms paid as potentially reaching an all-time low, around 28%, as attackers publish more leak claims while payout frequency falls.
Several mechanisms can push the payout rate down.
Better incident response and stronger backup discipline reduce the urgency to pay. Regulatory scrutiny also changes decision-making, especially where sanctions risk and reporting obligations make “quiet settlements” harder.
Law enforcement and private sector disruption efforts increasingly focus on the enablement layer, not only individual gangs. When infrastructure and laundering rails get pressured, converting extortion into spendable funds gets harder, slower, and riskier.
The ransomware ecosystem also fragments. Instead of a small set of dominant ransomware-as-a-service brands, defenders track a wider set of smaller groups that rebrand and splinter, which makes operations less predictable and can reduce conversion efficiency even when attack volume rises.
Median ransoms rising does not mean victims are paying more often. It means that when payment happens, the negotiation outcome is more extreme.
One driver is targeting mix. Threat actors increasingly squeeze smaller and mid-sized organizations, which often have weaker incident response depth and less legal bandwidth. Another driver is extortion style. Data theft and multi-extortion tactics turn a ransomware incident into a reputational and regulatory crisis, which can push certain victims to settle even when restoration is possible.
This aligns with incident response data showing sharp jumps in payouts in certain quarters, even when annual totals do not explode.
A more useful indicator than daily ransom totals may be the flow into initial access brokers (IABs). IABs sell entry into compromised networks, which shortens the path from credential theft to full extortion.
On-chain analysis estimates IABs receive at least $14 million in 2025, roughly flat year over year, but with an outsized role in the pipeline because ransomware payments are about 58 times larger than IAB inflows.
The key insight is timing. Spikes in IAB inflows typically precede increases in ransomware payments and leak-site victim posts by roughly 30 days. That lead time matters because it turns IAB activity into a forward-looking risk gauge rather than a backward-looking damage tally.
The most actionable shift is the convergence of infrastructure used by financially motivated cybercriminals and state-linked operators. Bulletproof hosting providers and residential proxy networks increasingly serve as shared utilities across the ecosystem, helping actors evade takedowns and attribution.
A recent example is a coordinated U.S., U.K., and Australia action targeting Russian bulletproof hosting provider Media Land, LLC and an associated network, framed as part of an infrastructure-first disruption strategy. When infrastructure providers get sanctioned or seized, it can disrupt multiple ransomware groups at once, raising operating costs and increasing friction across the kill chain.
This also explains why ransomware “revenue” can understate harm. Even if fewer victims pay, attacks still disrupt operations, expose sensitive data, and generate long-tail costs that far exceed the on-chain payment total.
The near-term picture is paradoxical but clear: ransomware extracts less total on-chain revenue than before, yet it escalates in frequency and pressure, with access brokers and shared infrastructure acting as the real
The post Ransomware Payments Stay Flat as Attacks Surge, Median Ransoms Jump in 2025 appeared first on Crypto Adventure.
