You might think that “more attacks” = “more money”. In 2025, reality has taken a more twisted turn. According to Chainalysis, ransomware groups have increased intrusions (nearly 8,000 leak events, +50% year-on-year), but on-chain payments have fallen to around $820 million (≈ -8%). In other words: they become more agitated… for a less generous harvest.
In brief
- In 2025, ransomware attacks will increase by 50% while on-chain ransoms fall overall.
- Under regulatory pressure, groups mainly target SMEs, because they pay quickly, often still.
- Cheaper access to victims, infostealers and AI automate, multiplying intrusions and phishing massively.
An industry that produces volume (and aims smaller)
The most important change is not “technical”. He is commercial. Chainalysis describes a shift: fewer spectacular strikes against giants, more serial attacks against SMEs/ETIs. The idea is simple: a small structure has less time, fewer own backups, fewer lawyers… so it “pays off quickly”.
This movement says something quite cold: ransomware increasingly resembles a production line. We are not necessarily looking for the jackpot. We are looking for a regular fund. And when the “big guys” refuse to pay, the machine falls back on more vulnerable targets.
Even specialist observers are moving in this direction: Corsin Camichel (eCrime.ch) speaks of a crypto structural shift towards less “headline”, but more numerous, intrusions. It's not a detail. It's a strategy.
Why ransoms are falling despite the explosion of crypto attacks
First explanation: pressure. Chainalysis highlights regulatory oversight, enforcement actions targeting laundering rails, and above all a very human thing: more organizations refusing to pay. When the probability of cashing out drops, the model weakens.
Second (important) nuance: “on-chain” figures are often revised. Chainalysis reminds that the amounts awarded may increase over the months, as new addresses and flows are identified (as happened for 2024). So “$820 million” is not a truth set in stone: it is a photo at that moment.
Third point, more paradoxical: the report also notes that the median ransoms have increased significantly (nearly $60,000, +368% over one year). Translation: fewer payments (or fewer big payments), but when it pays… it can sting. An economy of extortion, rarer, more expensive.
Discount access + AI: the recipe for an easier attack
Where the system becomes worrying is upstream. The “price of access” to a victim, sold on underground markets via access brokers, would have fallen from around $1,427 at the start of 2023 to $439 at the start of 2026. When entry costs less, more people try their luck.
And while we look at ransomware, the Crypto ecosystem is also experiencing something else: social engineering. CertiK estimates that as of January 2026, approximately $370.3 million was stolen via exploits and scams, with $311.3 million attributed to phishing. It's the same logic as ransomware: industrialize access, then monetize quickly.
Chainalysis speaks of a flooded market: cheap tools, multiple ransomware strains, and above all infostealer logs that reduce the work needed to launch an attack. Add to that AI bricks to automate the writing of lures, sorting of identifiers, or personalization… and you obtain a mechanical increase in “operational efficiency”. And, at the same time, Chainalysis also observes an 85% increase in the use of crypto in trafficking networks, a sign that these same “rails” are used for several crimes.
Maximize your Tremplin.io experience with our 'Read to Earn' program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.
