Just a few years ago, the classic image of ransomware was that of a digital cartel: many attacks, many victims paying and a constant flow of money to criminals. The latest public data, however, paint a more complex and, to some extent, more worrying picture. According to analysis by the blockchain intelligence platform Chainalysis, the proportion of victims who end up paying the extortionists fell to 28% last year, the lowest percentage recorded to date, even though the volume of claimed attacks has soared.
The fall in the payment rate, from almost 79% in 2022 to only 28% recently, does not mean that ransomware has been defeated. What it shows is a criminal economy in transformation: more actors, more refined tactics and a capacity to extract more money from fewer victims. Chainalysis estimates that, at the time of its latest records, on-chain ransomware payments in 2025 amounted to about $820 million, and warns that this figure could approach or even exceed $900 million as more incidents and transactions are identified. The report and its figures are available in detail on the Chainalysis site: Chainalysis - Ransomware report.

There is a clear paradox: while the number of attacks announced increased by approximately 50% per year, the number of total payments has remained relatively stable. That means that criminals have changed their approach. Instead of relying on a large number of small payments, some groups focus on victims who can pay much higher amounts. In fact, the median ransom paid grew significantly: according to Chainalysis, it increased by 368 percent, from about $12,738 in 2025 to about $59,556 in 2025. Fewer victims pay, but those who do pay hand over much larger amounts.
Behind this change are multiple factors. Chainalysis points to improvements in incident response by cybersecurity companies and teams, increased regulatory and operational pressure from national and international authorities, and a fragmentation of the ransomware market that has left not just one or two dominant families but dozens of active groups. This observation is in line with reports from other firms such as Coveware, which has also documented the sustained reduction in payment rates during 2025.
A striking figure from the report is the number of active extortion groups: 85 identified in 2025, compared with the previous dynamic in which a few gangs controlled much of the market through RaaS (ransomware-as-a-service) platforms. This fragmentation, paradoxically, increases the risk to organizations because it multiplies the variants and the means of attack. Chainalysis also highlights high-impact incidents that show that the destructive potential of ransomware has not diminished: from breaches affecting large companies and exposing millions of records to attacks that cause multi-billion economic damage.
Another essential link in this criminal chain is the so-called initial access brokers (IABs), actors who specialize in selling access to compromised networks. In 2025, IAB revenues were relatively modest compared with the total of the ransomware business, about 14 million dollars, just 1.7%, but their activity seems to function as a leading indicator: peaks in payments flowing to IABs often precede an increase in ransom payments and in publications of leaked data about four weeks later. In addition, the average price for access to a network has fallen steadily, suggesting that automation, the use of AI-assisted tools and the oversupply of leaked credentials have saturated that market. Chainalysis has recorded a fall from approximately $1,427 in the first quarter of 2023 to about $439 in the first quarter of 2026.
What does all this mean for an organization concerned about its cybersecurity? First, that risk is measured not only by the probability of being attacked, but by the attacker's ability to inflict real and monetary damage. Although fewer victims pay today, those who do can face much higher ransom demands and significant regulatory, contractual and reputational consequences. In this context, prevention remains crucial: good backup practices, network segmentation, early detection and well-tested response plans reduce the likelihood of an intrusion ending in extortion. For practical guidance and resources, public agencies provide updated guides: the US Cybersecurity and Infrastructure Security Agency (CISA) maintains materials on ransomware and incident response at https://www.cisa.gov/ransomware, and Europol publishes analysis of cyberthreats and trends on its reporting portal.
In addition, joint pressure from regulators and law enforcement agencies has contributed to reducing the willingness to pay: international operations, sanctions and the ability to follow money flows on the blockchain have increased the operational cost for criminals. However, Chainalysis researchers warn that this does not mean that ransomware will disappear; rather, it is in an adaptation phase. The groups are refining their techniques: more precise victim selection, combined extortion (data locking plus leaks) and higher demands to ensure that the negotiation is worth it.

From a defensive perspective, this involves two clear lessons. The first is that organizational resilience, the ability to detect, contain, recover and communicate, is more valuable than ever. The second, perhaps the hardest, is that the cost of a successful attack is shifting: it is important both to reduce the likelihood of intrusion and to minimize the economic and operational impact when the worst-case scenario occurs.
If you want to dig deeper into the figures and methodologies behind these conclusions, the Chainalysis report provides a breakdown of on-chain payments, active groups, significant incidents and market trends, while companies specialized in responding to such incidents, such as Coveware, publish analyses of ransom prices, market dynamics and real cases. Complementing these studies with the recommendations of agencies such as CISA and reports from international agencies helps build a more holistic and resilient security strategy.
In short, the decrease in the payment rate is no reason to relax. It is the sign of a transformation of the criminal ecosystem: fewer victims pay, ransoms are higher for those who do, and a more fragmented and automated market forces companies and security officers to update their defenses urgently. The battle against ransomware is not over; it has changed shape, and it requires a mix of technical preparation, coordinated response and collaboration with the authorities to mitigate its impact.