PostHole
Compose Login
You are browsing us.zone2 in read-only mode. Log in to participate.
rss-bridge 2026-02-26T14:00:59+00:00

Ransomware payment rate drops to record low as attacks surge

The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks. [...]

Ransomware payment rate drops to record low as attacks surge

Bill Toulas

  • February 26, 2026
  • 09:00 AM
  • 0

[Ransomware payment rate drops to record low despite attack surge]

The number of ransomware victims paying threat actors has dropped to 28% last year, an all-time low, despite a significant increase in the number of claimed attacks.

A downward payment trend has been observed for the past four consecutive years by the blockchain intelligence platform Chainalysis.

At the moment, the total of on-chain ransomware payments in 2025 stands at $820 million, but the company notes that "the 2025 total is likely to approach or exceed $900 million as we attribute more events and payments."

Chainalysis reports a relative stability in the total number of payments, despite a 50% increase of ransomware attacks year-over-year.

In 2024, the payment rate recorded by Chainalysis was more than double, at 62.8%, while in 2022, it was at 78.9%.

[Data leak events (bars) and payment rate (line)]

*Data leak events (bars) and payment rate (line)
Source: Chainalysis*

Data from Chainalysis also aligns with previous reports by Coveware, which showed a steady decline in victim payment rates throughout 2025.

According to the blockchain company, some of the factors that influenced the ransomware economy include improved incident response, regulatory scrutiny, international law enforcement actions, and market fragmentation.

Current Chainalysis data shows that while aggregate revenue from ransomware activity declined, the median ransom payment rose significantly, up 368% from $12,738 in 2024 to $59,556 in 2025.

This indicates that ransomware victims pay larger amounts for the hope that cybercriminals will delete the stolen data and not sell it to other threat actors or trade it.

[Payment amounts graph]

*Payment amounts graph
Source: Chainalysis*

In 2025, the analysts observed 85 active extortion groups, far higher compared to previous years, when the ransomware space was dominated by a small number of threat groups and RaaS platforms.

A few high-impact incidents Chainalysis highlights in its report include the attack at Jaguar Land Rover, which inflicted an estimated $2.5 billion in damages, the Marks & Spencer breach by the Scattered Spider threat group, and the DaVita Inc. ransomware breach that exposed 2.7 million patient records.

For another year, the most targeted country was the United States, followed by Canada, Germany, and the U.K., showing threat actors’ preference for concentrating their efforts in developed economies.

[Targeted countries and industries]

*Targeted countries and industries
Source: Chainalysis*

Initial access brokers (IABs), hackers who sell access to compromised endpoints to ransomware operators, reportedly made $14 million in 2025, roughly the same as last year. This is only 1.7% of the total ransomware revenue last year, though initial access is a key enabler.

Analysis shows that spikes in IAB payment inflows are followed by increases in ransomware payments and victim leak posts roughly 30 days later, suggesting IAB activity can act as a leading indicator.

The average price for network access declined from approximately $1,427 in Q1 2023 to just $439 in Q1 2026, indicating that automation, AI-assisted tooling, and oversupply from info-stealer logs have shaped the industry.

Chainalysis says that although ransom payments declined last year, the scale, sophistication, and real-world impact of ransomware attacks continued to grow, impacting organizations of all sizes and backgrounds globally.

The researchers believe ransomware is going through a phase of adaptation, rather than losing the fight, evolving tactics to extract more value from an ever-decreasing number of consenting victims.

Red Report 2026: Why Ransomware Encryption Dropped 38%

Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.

Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.

Canada Goose investigating as hackers leak 600K customer records

Crypto wallets received a record $158 billion in illicit funds last year

From Cipher to Fear: The psychology behind modern ransomware extortion

QuickLens Chrome extension steals crypto, shows ClickFix attack

$4.8M in crypto stolen after Korean tax agency exposes wallet seed

Original source

Reply