Ransomware actors are extorting bigger payments from a smaller number of victims, as the number of those victims surges but overall revenues fall, according to Chainalysis.

The blockchain analytics firm revealed in its analysis of cryptocurrency payments to threat actors that the overall figure tumbled 8% year-on-year (YoY) to $820m in 2025.

Although the figure is likely to “approach or exceed” $900m as new events and payments are attributed over the coming months, it still represents the second consecutive year of overall decline, and sits somewhat below ransomware revenues for 2020 and 2021.

It also came as victim numbers surged by 50% YoY in 2025, making 2025 the most active year on record.

It reflects the fact that payment rates plummeted from 63% in 2024 to just 29% last year – the lowest on record.

Read more on ransomware: Record Number of Ransomware Victims and Groups in 2025.

“This overall trend is a major win against the ransomware ecosystem,” said Chainalysis in its report. “Fewer victim payments mean more work for less for attackers, an important step in shifting the economic incentives.”

The analytics firm pointed to four trends reflected in the data:

• Fewer victims are paying, thanks to improved incident response and increased regulatory scrutiny
• Global action against ransomware operators, infrastructure and laundering networks has helped to limit some revenue flows
• Some strains like VolkLocker contain cryptographic weaknesses that allow free decryption in some cases
• Marked fragmentation of ransomware-as-a-service (RaaS) operations means a surge in smaller, independent groups, which may number as many as 85 today

Turning Up the Heat

However, organizations that do give in to extortion in this new landscape may find that it’s costing them more. The median payment increased 368%, from $12,738 in 2024 to $59,556 in 2025.

Tactics such as contacting employees and customers of victimized organizations, and analyzing exfiltrated data to make more targeted threats may be helping to ramp up media payment further, Chainalysis said.

“Ransomware actors remain highly opportunistic,” the report warned. “They do not consistently favor a specific sector at a given time of year. Instead, they exploit exposed services and misconfigurations as they arise, and capitalize on newly disclosed vulnerabilities.”

The US was the most heavily targeted country last year, followed by Canada, Germany, the UK, and other parts of Europe. Manufacturing and finance/professional services were the most heavily hit in most of these countries, although Canada and Germany had a high compromise rate in supply chains, logistics and critical infrastructure.

Payments to initial access brokers (IABs) remained relatively flat from 2024, at $14m, but historically high.

The report also claimed that infrastructure such as bulletproof hosting, residential proxy networks, and malware loaders is now used by financially motivated cybercrime groups as well as state-linked threat actors conducting espionage and influence operations.

“As a result, dismantling or sanctioning infrastructure nodes can generate cascading effects across ransomware affiliates, scammers and state-aligned operators simultaneously,” the report noted.

“This convergence reinforces a core dynamic of the modern cyber-threat landscape: infrastructure is the strategic center of gravity. Disrupting it raises costs across the entire ecosystem – from extortion-driven syndicates to geopolitically motivated threat actors.”