Originally reported by Infosecurity Magazine
TL;DR
Despite a 50% increase in ransomware attacks during 2025, total payments to criminals dropped 8%, according to Chainalysis research. However, median ransom payment sizes increased significantly, suggesting threat actors are targeting fewer but higher-value victims.
This is industry analysis showing mixed ransomware trends: an overall payment decline alongside increased attack volume. It is significant for understanding the threat landscape but is not an immediately actionable threat.
Chainalysis blockchain analysis reveals a paradoxical shift in the ransomware landscape during 2025: while attack volumes surged 50%, total payments to ransomware operators declined 8%. The cryptocurrency intelligence firm's latest findings indicate threat actors are adapting their strategies amid increased organizational resilience and law enforcement pressure.
The most striking trend identified by Chainalysis researchers is the significant increase in median ransomware payment sizes throughout 2025. This data suggests ransomware groups are pivoting toward targeting fewer, higher-value organizations rather than casting wide nets across smaller entities.
Several factors likely contribute to this strategic shift:
The divergence between attack frequency and payment success rates indicates that current defensive strategies are having a measurable impact on ransomware economics. Organizations implementing comprehensive backup strategies, network segmentation, and incident response capabilities appear to be successfully disrupting the traditional ransomware business model.
However, the increase in median payment sizes suggests that when ransomware groups do succeed, they are extracting significantly higher values from their victims. This trend underscores the importance of preventing initial compromise rather than relying solely on post-incident recovery capabilities.
The Chainalysis data reflects a maturing threat landscape where both attackers and defenders are adapting their approaches. Ransomware operators are demonstrating increased sophistication in target selection and valuation, while organizations are showing improved resilience through better preparation and response capabilities.
This evolutionary pressure is likely to continue driving changes in ransomware tactics, techniques, and procedures throughout 2026, with groups potentially focusing even more heavily on high-value targets and developing new methods to bypass improved organizational defenses.