According to Chainalysis, a blockchain analytics firm that tracks illicit activity, the amount of ransomware payments decreased by roughly 35% in 2024. In the prior year, ransomware entities extorted $1.25 billion from victims; however, in 2024, that number dropped to $813.5 million.
The steep decline in payouts can be attributed to successful international law enforcement efforts, sanctions against cryptocurrency tumblers, and victims’ increased reluctance to pay. That said, attacks are still rampant in the first half of 2025.
The ransomware ecosystem in 2025
Given the inherently shadowy nature of the ransomware landscape, aggregating the data is an imperfect science. Through its cyber threat intelligence division, Chainalysis combs the blockchain for financial signatures of bad actors, monitors crypto mixing activities, and tracks data leak sites.
Comparitech, a U.K.-based research firm, also tracks the ransomware landscape by analyzing leak sites and corresponding directly with targets. In the first six months of 2025, Comparitech found that there have been 3,627 ransomware attacks—a 47% increase from the first two quarters of 2024. Of these 3,627 attacks, Comparitech was able to confirm 445 successful attacks and over 17 million breached records.
Law enforcement activity has fragmented the ransomware landscape
In 2024, there were several high-profile, successful law enforcement operations that drastically changed the ransomware ecosystem. Operation Cronos, a joint venture between the U.K.’s National Crime Agency and the FBI, disrupted LockBit RaaS in February 2024, resulting in an 80% decrease in LockBit profits and a splintering of LockBit affiliates.
Three months later, in May 2024, a multinational initiative, Operation Endgame, successfully dismantled BlackCat/ALPHV, further disrupting the ransomware ecosystem. Speaking to Chainalysis, Lizzie Cookson, a senior director of incident response at the ransomware incident response firm Coveware, directly attributes the current fragmentation to Operations Cronos and Endgame.
“The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” says Cookson. “We saw a rise in lone actors, but we did not see any groups swiftly absorb their market share, as we had seen happen after prior high-profile takedowns and closures. The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small-to-mid-size markets, which in turn are associated with more modest ransom demands.”
Additionally, in the wake of these successful enforcement efforts, bad actors are now increasingly operating multiple strains of ransomware simultaneously—so as not to put all their eggs in one basket.
The number of data leak sites has doubled
New data leak sites—websites where criminals disclose and sell stolen data—have proliferated. In an interview with Safe Mode podcast host Greg Otto, Jackie Burns Koven, the cyber threat intelligence leader at Chainalysis, explains, “The number of leak sites doubled last year. You know, that’s intentional, right? Data leak sites are meant for advertising. They’re being used by threat actors to show their virility and to twist the knife.”
According to Allan Liska, a threat intelligence analyst at Recorded Future, there were 56 new data leak sites in 2024, which is more than double the number that existed a year prior. Of course, given that criminals are inherently untrustworthy, these bad actors could be overstating the number of victims in an effort to market their wares.
Ransomware burnout is resulting in lower payouts
Victims understand that there is never a guarantee of data recovery from these criminals; this is factoring into victims’ calculus and resulting in fewer—and lower—ransom payments. As Burns Koven says, “[Victims] may ultimately determine that a decryption tool is their best option and negotiate to reduce the final payment, but more often, they find that restoring from recent backups is the faster and more cost-effective path.”
In addition to monitoring ransomware groups’ illicit activity on the blockchain, Burns Koven’s team has corresponded with incident response firms to confirm the findings that victims are, indeed, paying out less money, and less often.
“We’ve spoken with incident response firms in the space to run our data against what they’re seeing—and we’re getting confirmation from those on the front lines in negotiations for payment—that yes, indeed, they are paying less often—not only less often, but less. We’re seeing averages in the low-six figures,” says Burns Koven.
Sanctions against cryptocurrency mixers are causing laundering issues
Although they may have some legitimate, non-criminal uses, cryptocurrency mixers and tumblers are frequently used to disrupt the blockchain analysis process, which helps bad actors obscure the sources of their illicit proceeds.
Mixers and tumblers are a vital part of the ransomware landscape. In fact, many RaaS entities market their built-in mixing capabilities in an effort to lure new affiliates to their ransomware programs. However, government sanctions against mixers and tumblers have led to a decline in mixing activity. As Burns Koven explains, “We did see a decline in mixing activity this year as a ransomware off-ramp, which was pretty surprising. Mixing had become such an essential part of the ransomware ecosystem.”
While sanctions on mixers like Chipmixer and Sinbad are in place, bad actors have a more difficult time laundering their funds. Without knowing which centralized exchanges, cryptocurrency bridges, and mixing services they can trust, some criminals are now opting to hold their cryptocurrency in personal wallets. This is the modern-day equivalent of stuffing cash under a mattress. In a tale as old as time, it appears that many of the criminals in the ransomware ecosystem are distrustful of one another.
Ransomware attackers are accepting lower payments
Given the crackdown on LockBit and BlackCat/ALPHV, we’ve seen new, less experienced players enter the ransomware space. Moreover, the larger entities have either gone underground or have split into smaller entities to hedge their bets.
Burns Koven says, “[Ransomware entities] are finding that there’s security in obscurity. The groups that have really stuck out their necks and had those massive breaches, had those record payments—a lot of them don’t exist anymore. Or they’ve gone underground, be it temporarily.”
Also, the successful attackers are now settling for lower payouts.
“We’re seeing ransomware actors willing to take far, far less than the initial demands with individual victims,” says Burns Koven.
Put simply, ransomware fatigue, improved cyber hygiene, and stronger cybersecurity initiatives have all played a role in the reduction in payments across the board. In 2025, organizations are more likely than ever to use MFA, keep important data backed up, provide employees with phishing education, and have incident response plans in place.
The cyber insurance industry is likely playing a role as well; when insurance companies have stricter security requirements, organizations’ cybersecurity postures improve, which helps in the fight against ransomware attacks.
Key takeaways
We’re seeing a decline in ransomware payments due to a host of issues—successful law enforcement efforts, increased international cooperation, sanctions against mixers and tumblers, ransomware fatigue, and organizations improving their cybersecurity hygiene. This decline in payments is a welcome development; however, whether the trend continues remains to be seen.
