Ransomware payments dropped 8% in 2025 even as the number of attacks rose about 50%, according to reporting on new Chainalysis findings. The same data also showed a sharp increase in the median payment size, suggesting that while fewer victims may be paying overall, those that do are often paying more.
The split points to a ransomware economy that is getting busier but less efficient. More organizations are being hit, yet aggregate criminal revenue is slipping. That can happen when victims recover from backups, refuse to negotiate, or face legal and insurance pressure not to pay. At the same time, attackers appear to be extracting larger sums from a smaller pool of victims under the most operational pressure.
For defenders, the numbers are a reminder that lower total revenue does not mean lower risk. A surge in incidents still means more outages, more data theft, and more disruption across healthcare, local government, education, manufacturing, and other sectors commonly targeted by extortion crews. Many intrusions still begin with stolen credentials, exposed remote access systems, or unpatched edge devices, including enterprise VPN infrastructure.
The rise in median payment size also suggests a more selective approach by attackers. Rather than relying only on broad encryption campaigns, many groups now mix data theft, leak-site pressure, and business disruption to force higher-value victims into negotiations. That shift can make the overall market look weaker on paper while leaving individual victims exposed to larger losses.
There are limits to the data. Chainalysis typically tracks cryptocurrency flows to known or suspected ransomware wallets, which means totals may miss payments made through other channels or incidents that never become attributable on-chain. Even so, the trend matches a broader pattern seen across the ransomware market: more attacks, more fragmentation, and less certainty that criminals will get paid.
The practical takeaway is blunt. Refusal-to-pay strategies and recovery planning may be cutting into attacker profits, but ransomware operators are compensating with higher volume and bigger demands where they think leverage is strongest.
