Ransomware Payments Fell to $820 Million in 2025, but the Cost per Victim Soared – Chainalysis Report
Global ransomware activity hit a new high of claimed incidents in 2025, while the amount of cryptocurrency paid out by victims dropped modestly. The median ransom, however, jumped dramatically, underscoring a widening gap between the frequency of attacks and the financial impact on those who choose to pay.
A mixed picture for 2025
Chainalysis, the blockchain analytics firm, released its annual ransomware ledger at the start of the year. The data show that on‑chain ransom payments in cryptocurrency declined by roughly 8 % compared with 2024, totaling about $820 million. At the same time, the number of ransomware incidents that were publicly reported rose by an estimated 50 %, marking the highest level of claimed attacks on record.
Only 28 % of organizations that were hit chose to remit a ransom, the lowest payment rate ever observed. The drop in the proportion of paying victims is being hailed by law‑enforcement and policy circles as a “win” for the broader effort to disrupt the ransomware economy.
Median payouts exploded
While the aggregate sum of payments shrank, the median ransom payment surged 368 % year‑over‑year, climbing from roughly $12,700 in 2024 to nearly $60,000 in 2025. Chainalysis’ head of cyber‑threat intelligence, Jackie Koven, said the spike is not driven by a change in the way attackers price their extortion. “Ransom demands are anchored in fiat currencies—dollars, euros, etc.—so the price in Bitcoin or other tokens is a by‑product of the market,” she explained. “The rise in the median reflects a handful of very large payouts rather than a systematic shift back to high‑value ‘big‑game‑hunter’ operations.”
In other words, while fewer victims are paying, those that do are often those facing the most severe disruptions, prompting outlier payments that lift the median dramatically.
Hotspots and high‑profile breaches
The report also identified geographic and sectoral trends. The United States remained the most targeted country, followed by Canada, Germany and the United Kingdom. Within the industrial landscape, manufacturing, finance, supply‑chain services and critical infrastructure saw the sharpest increases in attack volume.
Several high‑impact incidents punctuated the year:
- Jaguar Land Rover – A ransomware strike in August forced production shutdowns across multiple facilities, inflicting an estimated $2.5 billion in losses, the costliest cyber event in United Kingdom history.
- Marks & Spencer – The British retailer experienced prolonged system outages after a gang linked to the Scattered Spider group compromised its network, disrupting sales and supply‑chain operations.
- DaVita – The global healthcare provider reported exposure of close to 2.7 million patient records following a ransomware intrusion, highlighting the continued vulnerability of medical data.
These cases illustrate how ransomware remains a potent threat to both commercial and public‑sector entities, even as the overall propensity to pay declines.
Implications for the crypto ecosystem
For a DeFi‑focused audience, the findings carry several takeaways:
- Continued reliance on crypto for ransom – Despite law‑enforcement warnings, cyber‑criminals still favour cryptocurrencies for their pseudonymous nature and speed of transfer. The $820 million paid in 2025 underscores the ongoing demand for illicit crypto use cases.
- Pressure on privacy‑enhancing tools – Large, outlier payments are often routed through mixers or privacy‑preserving protocols to obscure the trail. Recent regulatory moves in the U.S. and EU to restrict these services may affect how ransomware gangs launder proceeds.
- Economic incentive shift – The declining payment rate suggests that deterrence strategies—such as public‑private information sharing, faster incident response, and the growing adoption of cyber‑insurance policies that exclude ransom payouts—are beginning to alter attacker calculations.
- Potential for “double‑dip” attacks – As attackers recognize that fewer victims are willing to pay, they may double‑down on extortion tactics that combine ransomware with data‑leak threats, which could drive future payment amounts even higher.
Key takeaways
| Insight | What it means |
|---|---|
| Total crypto ransomware payouts ↓ 8 % | Attack volume grew, but fewer victims are paying, indicating a shift in attacker ROI. |
| Median ransom ↑ 368 % | Outlier, high‑value payments are inflating the middle point, suggesting that only the most critical incidents result in payment. |
| Payment rate at 28 % (record low) | A growing proportion of organizations are either recovering without paying or opting to absorb the loss. |
| U.S. remains top target, with manufacturing & finance most hit | Critical sectors should prioritize hardened security postures and incident‑response planning. |
| High‑profile breaches still cause multi‑billion dollar damage | ransomware remains a systemic risk to global supply chains and public safety. |
Looking ahead
Chainalysis projects that the ransomware landscape will continue to evolve as defenders refine detection and response capabilities and regulators tighten the financial pathways used by attackers. For the DeFi community, this underscores the importance of robust compliance frameworks, ongoing monitoring of illicit transaction patterns, and cooperation with law‑enforcement agencies to mitigate the flow of stolen crypto assets.
The 2025 data point to a paradox: more attacks, less money paid overall, but higher costs for those who do pay. Whether this trend will translate into a sustained reduction in ransomware profitability—or simply push cyber‑criminals toward new extortion methods—remains to be seen. Stakeholders across the blockchain, financial and security ecosystems will need to stay vigilant as the threat model continues to adapt.
Source: https://thedefiant.io/news/research-and-opinion/ransomware-payments-topped-usd800-million-in-2025-chainalysis
