Chainalysis’ 2026 Crypto Crime Report assessed the 2025 ransomware economy and found that on-chain ransomware payments fell ~8% year-over-year to about $820M, even as claimed attacks increased ~50%. The report also observed a sharp rise in the median ransom payment (to roughly $60K, up several-fold from 2024), suggesting attackers are concentrating on larger, higher-value victims even as fewer victims pay overall. Chainalysis highlighted Initial Access Broker (IAB) activity as a potential leading indicator, noting that spikes in IAB-related inflows often precede increases in ransomware payments and victim leak activity by ~30 days, and it described increasing convergence in the “enablement” layer (e.g., shared use of bulletproof hosting and residential proxy services) across financially motivated and state-linked actors.
Recorded Future News’ The Record reported additional metrics from the same Chainalysis analysis, including that the victim payment rate dropped to a record low (~28%) and that the $820M figure may rise toward ~$900M as attribution improves (mirroring how 2024 totals increased after initial reporting). The article attributed the divergence between rising incident volume and falling payments to improved incident response, increased regulatory scrutiny discouraging payments, and law-enforcement disruption that has fragmented major ransomware operations into smaller groups—some using poorly designed malware that can be addressed with decryptors. Other items provided (a UAE claim of thwarting a “terrorist” ransomware campaign and a CSIS incident timeline covering multiple unrelated 2025 events) are not part of the Chainalysis 2025 ransomware-payment findings and do not materially corroborate that specific report’s conclusions.

11 events from the most recent confirmed update back to the earliest known activity.
By the first quarter of 2026, average prices for initial access had fallen markedly, according to Chainalysis. The trend was presented as evidence of a glut in the access-for-sale market supporting ransomware operations.
On February 26, 2026, Chainalysis published findings that ransomware was shifting rather than shrinking: more attacks, fewer payments, higher median demands, and growing dependence on access brokers and shared criminal infrastructure. The report also emphasized overlap between criminal and state-linked actors at the infrastructure layer.
During 2025, sanctions and coordinated law-enforcement actions, including Operation Endgame expansion, increasingly targeted loaders, hosting providers, proxy services, and other enabling infrastructure. The report said these actions raised attacker costs even if overall attack volume remained high.
Chainalysis found that the median ransom payment rose 368% from $12,738 in 2024 to about $59,556 in 2025. The increase suggested fewer but larger payments and a focus on bigger or more heavily pressured victims.
Chainalysis estimated that on-chain ransomware payments fell about 8% year over year to roughly $820 million in 2025, with the final attributed total potentially approaching or exceeding $900 million. The drop came even as attack volume and extortion pressure increased.
Despite the rise in attacks, only about 28% of victims paid ransomware demands in 2025, the lowest rate recorded by Chainalysis. The decline was attributed to improved incident response, regulatory pressure, reduced trust in criminals, and law-enforcement disruption.
Chainalysis said initial access brokers received roughly $14 million in on-chain payments in 2025. The report linked spikes in IAB inflows to later increases in ransomware payments and leak-site victim postings, often by about 30 days.
Chainalysis highlighted several high-impact 2025 incidents, including attacks affecting Jaguar Land Rover, Marks & Spencer, DaVita, and a key Whole Foods supplier. The report also referenced alleged Cl0p exploitation of an Oracle E-Business Suite zero-day during the year.
During 2025, claimed ransomware victim counts rose about 50% year over year to a record level, while the ecosystem splintered into as many as 85 active extortion groups. Reporting also described a shift toward more opportunistic and higher-volume attacks, including data-theft-only extortion in some cases.
Chainalysis reported that ransomware actors received about $892 million in 2024. The 2024 payment rate was cited as 64%, providing a comparison point for the much lower rate seen in 2025.
Chainalysis cited 2023 as a recent high-water mark for ransomware revenue, with on-chain payments totaling about $1.023 billion. This serves as the baseline for the subsequent multi-year decline in payments.
7 references tracked.
hipaajournal.com
csoonline.com
scworld.com
go.theregister.com
chainalysis.com
bleepingcomputer.com
therecord.media