Chainalysis: Ransomware Attacks Surge 50% in 2025, but Crypto Payouts Fall to $820M as Median Ransom Jumps 368%

Screens lit up, incident rooms filled, and yet the wallets did not. That is the 2025 ransomware trade in a nutshell: more victims, fewer paid-up transactions.

Chainalysis says on-chain ransomware revenue slipped to $820 million in 2025, down about 8% year over year, even as claimed attacks jumped 50% and the median ransom payment ballooned 368%. ^[1] If you are trying to reconcile those numbers, you are not alone. The gap is the story, and it is getting wider.

U.S. Treasury Sanctions Exploit Broker Network Allegedly Funded by Millions in Crypto to Target American Software

Enjoy articles without ads?

The headline numbers, with the boring bits that matter

Chainalysis published the data in the ransomware section of its 2026 Crypto Crime Report. The firm estimates ransomware actors received more than $820 million in on-chain payments during 2025, compared with a revised 2024 estimate of $892 million. ^[1]

One important caveat: ransomware totals often get revised upwards as additional addresses are attributed and more victim payments are identified. Chainalysis explicitly flags that 2025's figure could still climb toward, or even beyond, $900 million, similar to 2024's revision (which moved from an initial estimate near $813 million to $892 million). ^[1]

So yes, revenue is down, but it is not collapsing. Think "sticky" rather than "solved".

On activity, the picture is far noisier. Data cited from eCrime.ch indicates claimed ransomware victims rose 50% in 2025, making it the most active year on record. Yet the share of ransoms paid fell to 28%, a record low. ^[2]

That combination is the paradox: more break-ins, fewer successful cash-outs.

Why attacks are up while payouts are down

Ransomware is not a single market, it is a messy stack of operators, affiliates, access brokers, and laundering services. Chainalysis points to several forces that are pulling payments down even as incidents rise:

Better incident response and "don't pay" muscle memory

Victims have improved at containment, backups, segmentation, and recovery playbooks. A lot of organisations are now rehearsed for the nightmare scenario, and many have external response partners who push hard against paying. The result is fewer transactions that actually hit the chain. ^[3]

Tighter regulatory and compliance pressure

Boardrooms and insurers are more cautious about paying into potentially sanctioned entities, and compliance teams are more willing to say "no" when the counterparty looks radioactive. That does not stop attacks, but it can stop the final step: the transfer.

US law enforcement seizes $61M in USDT tied to 'pig butchering' romance-investment crypto scam

Law enforcement and disruption of laundering routes

Chainalysis also credits enforcement efforts aimed not just at ransomware crews, but at the infrastructure that makes them solvent: laundering networks. When off ramps and cash-out pipelines get squeezed, ransomware becomes harder to monetise at scale. That can reduce the number of payments demanded in crypto that are actually safe to accept, and it can increase the risk of accepting funds that cannot be cleaned. ^[1]

Occasionally, the malware is simply bad

Chainalysis highlights one example that will make defenders quietly smile: strains like VolkLocker reportedly had a cryptographic weakness that allowed free decryption in some cases. That is not the norm, but it is a reminder that "ransomware" includes plenty of slapdash code shipped by opportunists.

Net effect: the top of the funnel (attempts) is growing, but the bottom of the funnel (successful payments) is leaking.

Median ransom up 368%: not a return of "big game", more like fat-tail chaos

Here is the number that should make risk teams sit up: the median ransomware payment rose to $59,556 in 2025, up from $12,738 in 2024, a 368% increase. ^[1]

At first glance that reads like a throwback to "big game hunting", where large enterprises get hit for seven-figure demands. Chainalysis offers a more nuanced take. The firm's Head of Cyber Threat Intelligence, Jacqueline Koven, told BeInCrypto that the median is likely being pulled higher by a smaller number of large outlier payments, rather than a broad-based shift back to mega-ransoms.

That distinction matters. If the median is moving because a few whales paid, then the average victim is still resisting. But the tail risk is worsening, and tails are what bankrupt firms.

Bitcoin still dominates, but the real story is the cash-out

Chainalysis notes Bitcoin$62,481.47 remains the top choice for ransomware payments. That is not surprising. Bitcoin$62,481.47 is liquid, globally understood, and operationally simpler for attackers than juggling niche chains. ^[1]

The more interesting question is what happens after the Bitcoin$62,481.47 hits a wallet.

Bitcoin Depot Mandates ID Verification for Every Transaction at Its U.S. Crypto ATMs

Chainalysis has repeatedly framed ransomware as a laundering problem as much as an intrusion problem. When the ecosystem for cashing out is under pressure, ransomware actors face an ugly menu of options: hold volatile assets longer, split flows into smaller chunks, route through more intermediaries, or take worse exchange rates via riskier venues.

Even without getting lost in the weeds of specific services, the directional takeaway is clear: the harder it is to convert ransom crypto into spendable money, the more likely victims are to refuse payment, and the less predictable the attackers' revenue becomes. That unpredictability can drive more attacks (spray-and-pray) as crews try to maintain income with lower conversion rates.

What this means for crypto, beyond the usual "crime bad" headlines

Crypto's ransomware problem has always been a reputational debt. The 2025 numbers give the industry a mixed scorecard:

Good news: overall ransomware payments appear to be declining for a second year, and the paid rate is at a low.
Bad news: ransomware is more active than ever, and the amounts that do get paid can be meaningfully larger.
Messy reality: estimates are dynamic. Chainalysis may revise 2025 upward, so anyone dunking on a single datapoint is doing vibes analysis, not risk analysis.

For exchanges, stablecoin issuers, and compliance teams, the report reinforces a familiar point: the battleground is attribution, monitoring, and off-ramp controls. For corporates, it underlines a less fashionable truth: resilience beats negotiation. The cheapest ransom is the one you never need to consider.

What to watch next (checklist)

Revisions to 2025 totals: Chainalysis has a track record of upward adjustments. Watch whether 2025 creeps toward $900 million.
Paid rate trend: the 28% paid share is key. If that ticks up, attackers will notice quickly.
Outlier payments: monitor for a cluster of very large ransoms that could keep the median elevated.
Enforcement pressure on laundering networks: more seizures, sanctions, or off-ramp disruptions could further reduce successful monetisation.
New strain quality: technical weaknesses like the one cited in VolkLocker can materially change outcomes for victims, but only if defenders move fast.
BTC rails and cash-out behavior: shifts in where ransom funds move after receipt will signal whether attackers are adapting or getting boxed in.

Ransomware did not get quieter in 2025. It just got worse at getting paid, and that is progress of a sort, the grimly practical kind.