Ransomware in 2025: attacks up, payments flat, median up 368%
Executive Summary
In 2025, ransomware economics and operations diverged: reporting and analysis indicate claimed victims rose ~50% year-over-year, while total on-chain ransomware payments fell ~8% to ~$820M. At the same time, the median ransom payment increased ~368% to nearly $60k, suggesting attackers are pushing harder for fewer payers — and focusing on victims more likely to pay quickly.
For defenders, the practical takeaway is: expect higher-volume extortion pressure alongside more aggressive negotiation and data-leak tactics. This is a year to treat ransomware as an access-market problem, not just a malware problem, because Initial Access Brokers (IABs) precede victim spikes by about a month in some datasets: stolen credentials and exposed remote access are the upstream signal.
What changed in 2025?
- Payments: On-chain ransomware payments were reported at ~$820M for 2025 (with the caveat that later attribution of wallet addresses usually revises totals upward over time).
- Volume: Leak-site claimed victim counts were reported as ~50% higher YoY in some tracking datasets.
- Deal size: Median ransom payment was reported as +368% YoY to ~$59,556.
- Early signals: Spikes in IAB inflows were described as leading ransomware payment/leak activity by ~30 days in on-chain analysis.
Confidence note: The figures above are sourced from public reporting/analysis; different trackers measure “victims” and “payments” differently. Use them as directional signals, not absolutes.
Who is affected?
Ransomware targeting remains broad, but analysis highlighted strong concentration in developed economies (especially the U.S.), with manufacturing and professional services frequently impacted in leak-site reporting. The key risk driver is usually exposed access + credentials rather than any single sector.
Initial access & kill chain (MITRE-friendly)
A defender-useful way to frame ransomware in 2025 is as a marketplace:
- Initial access (IABs selling footholds) →
- Privilege escalation + lateral movement →
- Exfiltration + impact (encryption and/or pure extortion) →
- Negotiation + laundering (on-chain cash-out patterns).
Quick ATT&CK mapping (illustrative; technique IDs are the current Enterprise ATT&CK identifiers)
| Tactic | Technique | Why it matters |
|---|---|---|
| Initial Access | Valid Accounts (T1078) | Credential theft/reuse is a common entry path, and the one IABs sell |
| Lateral Movement | Remote Services (T1021: RDP, SMB/admin shares, WinRM) | Fast spread across Windows estates |
| Exfiltration | Exfiltration Over Web Service (T1567) | Data theft gives leak-site leverage even when encryption fails |
| Impact | Inhibit System Recovery (T1490) | Shadow copy and backup deletion precedes encryption and forces the payment decision |
| Impact | Data Encrypted for Impact (T1486) | Operational disruption + extortion leverage |
Indicators and detection
If you want one high-yield detection focus for this trend: catch the pre-encryption phase.
Look for:
- new privileged sessions from unusual locations/devices
- rapid AD discovery + share enumeration
- remote service creation / scheduled task bursts
- backup deletion attempts and security control tampering
Example hunt (generic pattern)
```text
Hunt for: anomalous admin login -> discovery burst -> lateral movement burst -> backup tampering indicators.
```
Tune to your identity provider + EDR + Windows + backup telemetry.
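The pattern above, turned into runnable correlation logic as an added example (this is not code from the original post or from either cited report). It runs over a handful of constructed, normalised Windows-style events (logon 4624 type 10, process creation 4688, service install 7045, scheduled task 4698) and raises an alert when an anomalous privileged logon is followed, within a window, by a discovery burst, lateral movement to several hosts, and backup tampering. The field names, the "known admin network" prefix, the keyword lists and the thresholds are all assumptions to be replaced with your own telemetry and baselines.

```python
"""Toy pre-encryption chain correlation (added example; event schema and
thresholds are assumptions, not a vendor or report-defined rule)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Shape mimics a normalised SIEM row.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T02:03:00", "host": "DC01",  "user": "svc_backup", "event": "4624", "detail": "LogonType=10 Src=203.0.113.7"},
    {"ts": "2025-06-01T02:04:10", "host": "DC01",  "user": "svc_backup", "event": "4688", "detail": "nltest /dclist:corp"},
    {"ts": "2025-06-01T02:04:25", "host": "DC01",  "user": "svc_backup", "event": "4688", "detail": 'net group "Domain Admins" /domain'},
    {"ts": "2025-06-01T02:04:40", "host": "DC01",  "user": "svc_backup", "event": "4688", "detail": "net view \\\\FS01"},
    {"ts": "2025-06-01T02:05:00", "host": "DC01",  "user": "svc_backup", "event": "4688", "detail": "AdFind.exe -f objectcategory=computer"},
    {"ts": "2025-06-01T02:07:00", "host": "FS01",  "user": "svc_backup", "event": "7045", "detail": "Service=PSEXESVC"},
    {"ts": "2025-06-01T02:07:30", "host": "FS02",  "user": "svc_backup", "event": "7045", "detail": "Service=PSEXESVC"},
    {"ts": "2025-06-01T02:08:00", "host": "APP01", "user": "svc_backup", "event": "4698", "detail": "TaskName=\\Update"},
    {"ts": "2025-06-01T02:09:00", "host": "FS01",  "user": "svc_backup", "event": "4688", "detail": "vssadmin delete shadows /all /quiet"},
    # A normal admin from an internal range running one discovery command: no alert expected.
    {"ts": "2025-06-01T09:00:00", "host": "DC01",  "user": "jdoe", "event": "4624", "detail": "LogonType=10 Src=10.0.5.20"},
    {"ts": "2025-06-01T09:01:00", "host": "DC01",  "user": "jdoe", "event": "4688", "detail": 'net group "Domain Admins" /domain'},
]

KNOWN_ADMIN_NETS = ("10.0.",)  # assumption: prefixes of your admin/VPN ranges
DISCOVERY = ("nltest", "net group", "net view", "net user", "adfind", "dsquery")
LATERAL_EVENTS = {"7045", "4698"}  # service installed, scheduled task created
BACKUP_TAMPER = ("vssadmin delete shadows", "wbadmin delete", "shadowcopy delete", "bcdedit /set")
WINDOW = timedelta(minutes=60)
MIN_DISCOVERY = 3        # commands in the window
MIN_LATERAL_HOSTS = 2    # distinct hosts receiving service/task creation


def classify(event):
    """Map one event to a kill-chain stage, or None if it is not interesting."""
    detail = event["detail"].lower()
    if event["event"] == "4624" and "logontype=10" in detail:
        src = detail.split("src=")[-1].strip()
        if not src.startswith(KNOWN_ADMIN_NETS):
            return "anomalous_login"
        return None
    if event["event"] == "4688" and any(k in detail for k in BACKUP_TAMPER):
        return "backup_tamper"  # checked before discovery so it is never masked
    if event["event"] == "4688" and any(k in detail for k in DISCOVERY):
        return "discovery"
    if event["event"] in LATERAL_EVENTS:
        return "lateral"
    return None


def hunt(events, window=WINDOW):
    """Correlate stages per user, starting from each anomalous privileged logon."""
    by_user = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"], stage))

    alerts = []
    for user, items in by_user.items():
        items.sort()
        for t0, host0, stage in items:
            if stage != "anomalous_login":
                continue
            later = [i for i in items if t0 <= i[0] <= t0 + window]
            discovery = sum(1 for i in later if i[2] == "discovery")
            lateral_hosts = {i[1] for i in later if i[2] == "lateral"}
            tamper = [i for i in later if i[2] == "backup_tamper"]

            stages = ["anomalous_login"]
            if discovery >= MIN_DISCOVERY:
                stages.append("discovery")
            if len(lateral_hosts) >= MIN_LATERAL_HOSTS:
                stages.append("lateral")
            if tamper:
                stages.append("backup_tamper")

            # Login plus at least two later stages: enough to page someone.
            if len(stages) >= 3:
                alerts.append({
                    "user": user,
                    "start": t0.isoformat(),
                    "stages": stages,
                    "severity": "critical" if tamper else "high",
                    "hosts": sorted({host0, *lateral_hosts, *(i[1] for i in tamper)}),
                })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The point of the structure is that no single stage alerts on its own (an admin running `net group` is routine), but the ordered sequence inside one window is rarely benign; the backup-tamper stage escalates severity because it is the last cheap moment to stop encryption. In production the per-user key should be widened to device and session identifiers so that a broker-sold foothold that hops accounts is still stitched together.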
Containment & remediation checklist
🔴 Immediate containment (0–24h)
- Lock down external access (VPN/RDP/admin portals) and enforce MFA.
- Rotate privileged credentials and audit dormant accounts.
- Validate backups (restore test) and isolate backup control planes.
🟠 Hardening (24–72h)
- Reduce admin sprawl; implement LAPS and tiered admin.
- Segment east-west traffic (SMB/RPC/WinRM) to limit blast radius.
- Tighten email security + endpoint hardening (common initial access paths).
🟡 Longer-term controls (1–4 weeks)
- Build repeatable ransomware playbooks and run restore drills.
- Improve logging coverage for identity + remote execution events.
Strategic analysis (what this signals)
The market is fragmenting into more groups and more claimed victims, but many victims are resisting payment — so attackers compensate with higher asks, pressure tactics, and faster campaigns. If IAB activity is a reliable leading indicator for your org’s industry, treat IAB chatter and credential theft as “upstream” ransomware risk.
Frequently Asked Questions
Are ransomware payments going up or down?
Some analysis indicates total on-chain payments dipped in 2025, even as attack claims rose. Attribution lag can change totals, so treat this as directional.
Why would median ransom rise if total payments fall?
Fewer payers plus higher pressure tactics can push the "middle" deal size up while the total stays flat or falls: the organisations that still pay are paying more, but there are fewer of them.
What should we do first?
Secure initial access paths (MFA, remote access posture) and focus detections on pre-encryption lateral movement and backup tampering.
References
- Chainalysis, Crypto Crime Report 2026: ransomware payments stagnate while attacks escalate (Feb 2026). https://www.chainalysis.com/blog/crypto-ransomware-2026/
- BlackFog, The State of Ransomware 2026 (ransomware incident roundup and group activity). https://www.blackfog.com/the-state-of-ransomware-2026/
