KEY TAKEAWAYS
- Total on-chain ransomware payments fell 8% to roughly $820 million in 2025, even as claimed attacks rose around 50% year on year globally.
- Only 28% of identified victims paid a ransom in 2025, the lowest rate on record, as more organizations refused to fund the criminal ecosystem.
- The FBI and CISA publicly state they do not support paying ransoms because payment rarely guarantees decryption and often invites repeat extortion attempts.
- Median ransom demands jumped to nearly $60,000 in 2025 as attackers focused on higher-value victims with weaker backup and response capabilities.
- Offline backups, multi-factor authentication, rapid patching, and a tested recovery plan remain the most cost-effective defenses against ransomware attacks today.
The instinct during a ransomware attack is to pay quickly and hope the decryptor works. The math behind that instinct is changing. Data from blockchain analytics firm Chainalysis shows that in 2025, only 28% of identified victims paid a ransom, an all-time low, even as the median ransom demand jumped to nearly $60,000.
Attacks are up, payments are down, and the official guidance from US authorities has hardened into a clear position: do not pay. Understanding why the calculus has shifted, and what the FBI and Cybersecurity and Infrastructure Security Agency (CISA) actually recommend instead, is now a board-level question for any organization with digital assets to protect.
The Changing Shape of Ransomware Economics
Ransomware actors received more than $820 million in on-chain payments in 2025, according to the Chainalysis 2026 Crypto Crime Report, an 8% year-on-year decline. The decline came even as claimed attacks rose by roughly 50%, a paradox the firm attributes to more frequent strikes, higher demands, and fewer successful extractions.
Corsin Camichel, a threat researcher cited in the Chainalysis report, says loyalty and brand names now matter less than access, tooling, and negotiation capability, which means the most effective pressure points against ransomware are upstream, at the level of initial access brokers and shared infrastructure, rather than individual groups.
Why the FBI and CISA Warn Against Paying
Both agencies have been unambiguous. The FBI states plainly on its public ransomware guidance page that it does not support paying a ransom in response to a ransomware attack.
The same position appears in every joint advisory the FBI publishes with CISA and international partners on individual ransomware variants: payment does not guarantee that files will be recovered, may embolden adversaries to target more organizations, and could fund further criminal or sanctioned activity.
The "payment may not work" warning is supported by real evidence. A CISA advisory on the Medusa ransomware documents cases in which a victim who paid was then contacted by a separate Medusa actor claiming the original negotiator had stolen the funds and demanding half the payment again for the "true decryptor", a pattern the agency flagged as a possible triple-extortion scheme.
What the 2025 Data Actually Tells Us
Several structural shifts are visible in the latest numbers. The median ransom demand climbed from $12,738 in 2024 to $59,556 in 2025, according to Chainalysis, as attackers focused their efforts on victims deemed more likely to pay.
Initial access brokers, who sell entry into corporate networks, saw average prices fall from roughly $1,427 in early 2023 to $439 by the first quarter of 2026, a sign of industrialization and oversupply rather than weakening demand.
Leak-site data compiled in the same report identified manufacturing, financial services, and professional services as the most targeted sectors, with the United States, Canada, Germany, and the United Kingdom accounting for the largest share of claimed victims globally.
The Hidden Costs Beyond the Ransom
Paying a ransom does not end the crisis. Organizations still face forensic investigation costs, legal review, regulatory notification in jurisdictions such as the EU and California, and potential class-action exposure if customer data is exfiltrated. If the ransom is sent to a sanctioned entity, the payer can separately face OFAC enforcement action in the United States.
Double and triple extortion, where attackers encrypt files, threaten to leak stolen data, and then demand further payment to delete it, has become the default model. Chainalysis noted that in 2025, the ransomware landscape was best characterized by adaptation rather than retreat, with extortion tactics continuing to evolve beyond the traditional single decryption-key payment.
A Better Response Playbook
The FBI and CISA’s joint #StopRansomware Guide recommends a set of practical measures that cost far less than a single ransom demand: maintaining offline backups, enforcing multi-factor authentication, patching known-exploited vulnerabilities quickly, and building a tested recovery plan.
Organizations are also urged to report incidents to ic3.gov, even when they choose not to pay, to help investigators track actor infrastructure.
Chainalysis data suggests the public-private disruption strategy is working. The 2025 takedowns of LockBit, coordinated between the UK National Crime Agency, the FBI, and partners, helped cut that group’s payments by roughly 79% in the second half of 2024. Operation Endgame, expanded in May 2025, further disrupted malware loaders used across multiple ransomware families.
FAQs
Is it illegal to pay a ransomware ransom in cryptocurrency?
It is not automatically illegal, but US sanctions laws can penalize payments to designated groups, which is why many organizations now consult OFAC guidance before sending any funds.
Why do ransomware attackers prefer Bitcoin?
Bitcoin remains liquid, widely understood, and easy to convert, though blockchain analytics firms can often trace it, which is why some criminal groups now experiment with privacy-focused alternatives.
Does paying a ransom guarantee my files will be restored?
No. The FBI and CISA warn that payment does not guarantee recovery, and several documented cases show victims who paid still received broken decryptors or faced new demands.
What is double extortion in ransomware attacks?
Double extortion is when attackers encrypt files and steal data, threatening to publish or sell the stolen information unless an additional ransom is paid.
Are ransomware attacks decreasing in 2026?
Total payments are falling, but attack volumes are rising, suggesting more organizations are being hit while fewer are paying, which shifts the burden toward recovery and resilience.
Should I contact the FBI if I experience a ransomware attack?
Yes. The FBI urges victims to report incidents to ic3.gov regardless of whether they pay, as reports help investigators disrupt infrastructure and sometimes recover funds.
How can small businesses protect themselves from ransomware?
Maintain offline backups, enforce multi-factor authentication, patch critical vulnerabilities promptly, train staff on phishing, and regularly build and test an incident response plan.