Ransom Demands Increase as Ransom Payments Fall to Record Low
Faced with diminishing returns from their attacks, ransomware groups conducted attacks in greater volume in 2025 and increased their ransom demands. In 2025, the number of claimed attacks increased by 50% year-over-year to the highest ever level; however, ransomware payments decreased by 8% year-over-year to $820 million, down from $892 million in 2024 and $1,023 million in 2023, according to the blockchain analytics firm Chainalysis.
The analysis reveals that ransomware groups are having to work much harder because fewer victims are choosing to pay ransoms. In 2024, 64% of victims of ransomware attacks paid the ransom to recover their data, prevent a data leak, or both. In 2025, the percentage of victims paying ransoms fell to a record low of just 28%. In addition to conducting more attacks, ransomware groups have increased their ransom demands. Chainalysis reports a 368% increase in median payment size, rising from $12,738 in 2024 to $59,556 in 2025.
Law enforcement operations appear to be having a positive effect, with ransom payments falling for two consecutive years. While there have been major operations targeting specific ransomware operations, law enforcement is increasingly targeting the infrastructure used by ransomware groups, such as bulletproof hosting providers and money laundering services. These services are used by financially motivated threat actors and state-sponsored hacking groups alike, and targeting these services and imposing sanctions has increased the attack costs for threat actors.
The ransomware ecosystem has evolved, in part due to law enforcement operations and efforts by private sector companies targeting major players. There has been a shift from a handful of dominant strains to a much more fragmented ecosystem, with large numbers of smaller ransomware groups now operating, which find it easier to remain under the radar and avoid law enforcement takedowns. While the number of active ransomware and extortion groups varies across different analyses, there are thought to have been up to 85 distinct active ransomware groups in operation in 2025.
There has also been a change in the companies being targeted. Attacks on larger organizations can result in a bigger payday; however, the attacks need to be more sophisticated to breach defenses, and when attacks are successful, it can take longer for larger companies to pay the ransom. Ransomware groups appear to now favor small- to medium-sized organizations and are concentrating on conducting attacks in greater volume. While the ransom payments are much lower, attacks require less effort, and victims tend to pay up more quickly.
Another response to diminishing returns is more aggressive tactics, such as contacting patients, customers, and employees of an attacked organization directly. Some groups have abandoned data encryption altogether and are now solely focused on data theft and extortion. In some cases, these threat groups have analyzed the exfiltrated data to determine its sensitivity, which has allowed them to make highly specific threats about the consequences of a data leak.
“The ransomware narrative of 2025 cannot be told through revenue figures alone. While payments declined modestly, the scale, sophistication, and strategic impact of attacks continued to expand,” explained Chainalysis. “Organizations large and small — from global automakers to regional healthcare systems — faced extortion that disrupted operations, eroded trust, and faced systemic costs that far exceeded on-chain ransom totals.”


