The number of ransomware attacks skyrocketed by 50% in 2025, yet the total amount paid in ransoms decreased, according to a new report from blockchain analytics firm Chainalysis. The shift in tactics is evident: attackers are now focusing on smaller and medium-sized businesses, which are perceived as easier targets that pay faster, despite the overall decline in ransom payments.
A Year of Increased Volume and Decreased Payments
In 2025, there were nearly 8,000 total leak events, marking a 50% increase from the previous year. However, the total on-chain ransom payments amounted to $820 million, an 8% decrease from 2024. This divergence highlights a significant shift in the ransomware landscape, where the volume of attacks has surged, but the average payout has dropped.
Regulatory Scrutiny and Refusal to Pay
Chainalysis attributes the decline in ransom payments to several factors, including increased regulatory scrutiny, enforcement actions against laundering networks, and a growing reluctance among large organizations to pay ransoms. These measures have forced attackers to pivot towards smaller targets, which are more likely to capitulate quickly to demands.
“We’re seeing a structural shift in targeting: fewer large, headline-grabbing intrusions and more volume focused on small and medium enterprises. The assumption is simple — smaller victims pay faster,” said Corsin Camichel, founder of eCrime.ch, in the report.
The Dark Web and the Commoditization of Cybercrime
The increase in the number of attacks is also linked to a significant reduction in the cost of gaining access to victim networks on the dark web. The average price for victim access dropped from $1,427 at the start of 2023 to just $439 by the beginning of 2026. This decline has made it easier for a broader range of cybercriminals to launch attacks, leading to an oversupply of cheap but operationally constrained inventory.
“We are seeing industrialized access pipelines, AI-assisted tooling, and a proliferation of infostealer logs that lower the barrier to entry, which has resulted in an oversupply of cheap but operationally constrained inventory that floods the market and depresses pricing,” the Chainalysis report notes.
Crypto Exploits and Scams on the Rise
Despite the modest reduction in blockchain ransomware payments, 2026 has seen a surge in crypto-related exploits and scams. According to cybersecurity firm CertiK, January 2026 saw a staggering $370.3 million worth of crypto stolen, with phishing scams accounting for the majority of the losses at $311.3 million.
“The combination of cheap software, ransomware strains, and AI integrations has led to increased output by hackers, making it easier for them to execute attacks at scale,” said a spokesperson from CertiK. “However, the decreasing value of individual ransom payments suggests that the attackers are working harder for diminishing returns.”
Looking Forward
As the ransomware landscape continues to evolve, the focus on smaller targets is likely to persist. However, the increasing regulatory pressure and the development of more robust cybersecurity measures may eventually force attackers to seek new strategies. Organizations, particularly small and medium-sized businesses, must remain vigilant and invest in comprehensive security solutions to protect against these evolving threats.
About the Author
