Blockchain analysis firm Chainalysis has released new data indicating that ransomware activity in 2025 featured reduced overall revenue alongside increased disruption and economic damage. Globally, on-chain payments to attackers totaled approximately $820 million, an 8% decline from the previous year, yet the number of attacks claimed rose by 50%, and the UK emerged as one of the most targeted nations with severe impacts on major organizations.[1]
The use of blockchain technology in tracking ransomware payments has become increasingly important for cyber intelligence efforts. By analyzing cryptocurrency transactions on public blockchains, investigators are able to trace the flow of funds from victims to attacker wallets, identify laundering patterns, and monitor the movement of illicit proceeds across exchanges and mixers. This capability supports law enforcement and cybersecurity professionals in attributing attacks, freezing assets, and understanding the broader ransomware economy.
Ransomware actors received more than $820 million in cryptocurrency payments during 2025, down 8% year-on-year from a revised $892 million in 2024. This figure may increase to around $900 million as additional incidents are attributed to ransomware operations. Despite the drop in total revenue, the median ransom payment surged 368% from $12,738 to nearly $60,000, reflecting a focus on higher-value targets. The victim payment rate fell to a record low of 28%, driven by greater reluctance to pay and improved defensive measures.
Claimed ransomware incidents increased by 50% year-on-year, marking one of the most active years on record according to data from sources like eCrime.ch. Attacks became more fragmented, with smaller, decentralized groups targeting a broader range of victims, including small and medium-sized enterprises. This shift contributed to sustained pressure despite lower aggregate payments.
The UK ranked among the top targeted countries globally, behind the United States, Canada, and Germany. High-profile incidents have amplified economic harm. The cyberattack on Jaguar Land Rover halted production lines across multiple countries for several weeks, resulting in an estimated £1.9 billion (approximately $2.5 billion) in economic damage, described as the costliest cyber event in UK history. The breach caused significant revenue declines, pre-tax losses, and supply chain disruptions.
Retail giant Marks & Spencer also suffered prolonged operational outages following a breach attributed to the Scattered Spider group, leading to substantial financial losses and market value erosion. These cases, among others, positioned 2025 as one of the most damaging years for ransomware in the UK.
See replated article: https://redskyalliance.org/xindustry/the-uk-ransomware-crisis
Payments to initial access brokers, who sell entry points into compromised networks, frequently preceded spikes in ransomware demands and victim postings on leak sites by about 30 days. Ransomware operators and state-linked actors increasingly relied on the same hosting providers and proxy networks, prompting governments to focus enforcement on these shared services.
The data illustrates a ransomware ecosystem adapting through larger individual demands and broader targeting, even as total revenue contracted for the second consecutive year. The combination of declining payment rates and rising attack sophistication highlights ongoing challenges for organizations and policymakers.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/ransomware-revenue-contracts-while-harm-expands--9159.html
Comments