Although hackers made less money overall last year, victims who paid faced far higher bills than a year earlier.
Ransomware crypto payments stalled for a second year in 2025, even as attacks hit record levels and ransom demands jumped. Data from Chainalysis shows that total on-chain payments fell about 8% from a year earlier to roughly $820 million, while claimed attacks rose by about 50%.
The biggest shift was in how much victims paid when they did give in. The median ransom payment surged 368% year-over-year to nearly $60,000 from about $12,700 in 2024.
Jackie Koven, head of cyber threat intelligence at Chainalysis, told The Defiant that the surge in median payment is “likely not related to price,” adding that ransomware actors “anchor their extortion demands in USD or other fiat currencies, not BTC.”
“So if they are demanding $1M, as an example, it doesn’t matter whether BTC is priced at 1M or 10k. The increase in median ransom is more likely related to high outlier payments rather than a return to big-game hunting ransomware tactics that dominated in the past,” Koven explained.
Only 28% of victims paid a ransom in 2025, the lowest rate on record.
“This overall trend is a major win against the ransomware ecosystem. Fewer victim payments mean more work for less for attackers, an important step in shifting the economic incentives,” the report reads.
There were still several high-impact incidents that shaped the year. A cyberattack on Jaguar Land Rover in late August 2025 halted production across multiple countries and caused an estimated $2.5 billion in damage, the costliest cyber incident in UK history.
Retailers and hospitals were also hit hard. Major British multinational retailer Marks & Spencer suffered long outages after an attack tied to the Scattered Spider group, while global healthcare provider DaVita reported exposure of nearly 2.7 million patient records.
The U.S. stayed the top target worldwide, with Canada, Germany, and the UK behind it, and attacks rose sharply in manufacturing, finance, supply chains, and critical infrastructure, Chainalysis says.
