The numbers seem to contradict themselves. In 2025, ransomware attacks hit record highs — 4,701 confirmed incidents, a 50% increase from 2024. Attackers claimed breaches at an unprecedented pace. Yet on-chain ransomware payments fell to $820M, down 8% from $892M in 2024. More attacks than ever. Fewer victims paying. This isn't a security victory disguised as a problem. It's a market in structural collapse, and almost nobody's noticed.
The real story is stranger than "ransomware is getting worse." It's that ransomware economics are inverting — and the inversion reveals something important about how infrastructure, not malware, is now the actual battleground.
The Bifurcation: Two Markets, Opposite Trajectories
The payment data tells a bifurcated story. According to Chainalysis' 2026 Crypto Crime Report, the share of victims paying ransom potentially reached an all-time low of 28% in 2025 — down from the typical 50%+ range of previous years. But for those who did pay, the cost exploded: the median ransom payment surged 368% to $59,556 in 2025, up from $12,738 in 2024.
This creates two distinct markets. In one tier, small and medium enterprises are increasingly refusing to pay — backed by better backups, incident response plans, and the simple realization that downtime costs are often lower than ransom demands. In the other tier, large enterprises and Fortune 500 companies are paying massive amounts: the average ransom for those who do pay sits around $2.0M, with the largest single payment recorded at $75M by an unnamed Fortune 50 company in 2024.
Attackers have noticed. They're abandoning the mid-market and hunting exclusively for high-value targets. The assumption driving this shift is straightforward: smaller victims pay faster. But Corsin Camichel, founder of eCrime.ch, which tracks ransomware incidents globally, points out the flaw: "We're seeing a structural shift in targeting: fewer large, headline-grabbing intrusions and more volume focused on small and medium enterprises. The assumption is simple — smaller victims pay faster. However, Chainalysis' data shows payments trending downward despite an all-time high in public claims. That divergence is important. It suggests attackers are working harder for diminishing returns."
This is the paradox at the heart of the 2025 ransomware landscape. Attackers are making a strategic bet that's contradicted by the data they're generating.
Why Payment Rates Collapsed
The 28% payment rate isn't random. Three structural shifts converged in 2025:
Backups became standard. According to Sophos' 2025 State of Ransomware data, 97% of organizations with encrypted data recovered it — through backups, recovery tools, or payment. For most organizations, backups now work. This is unsexy infrastructure news, but it's revolutionary: when you can recover your data without paying, ransom demands become unenforceable. The economics of extortion depend on scarcity. Backups destroyed that scarcity.
Law enforcement disrupted the infrastructure layer faster than criminals could rebuild. The takedowns of LockBit and ALPHV in 2024 fractured the ransomware-as-a-service ecosystem. Instead of a handful of mega-gangs controlling the market, there are now 85+ active extortion groups tracked globally. This fragmentation raised the operational cost of monetizing attacks. Chainalysis notes that "disruption efforts focused on the enablement layer" — bulletproof hosting, malware loaders, residential proxies — have made it harder and more expensive to actually collect ransom payments, even when victims are willing to pay.
Victims learned to refuse. Varonis data shows that 64% of victims refused to pay in 2024, up from 50% in 2022. Organizations are increasingly following incident response playbooks that explicitly reject negotiation. The logic is simple: paying doesn't guarantee clean recovery. 80% of victims who paid ransom experienced another attack soon after, and 46% got access to their data only to find most of it corrupted. Paying is expensive, unreliable, and often illegal (especially for government contractors and regulated industries). Not paying is increasingly the rational choice.
The Cost Inversion: Why Victims Still Pay Despite Everything
Here's where the story gets counterintuitive. Even though payment rates collapsed, organizations still pay when they do get hit — and they pay enormous amounts. Why?
Because downtime costs exceed ransom costs. According to Astra Security's 2026 analysis, the average total cost per incident is $4.54M to $5.13M, including ransom, downtime, recovery, and reputational damage. But the real killer is downtime. In healthcare — the most targeted industry with 238 ransomware threats in 2024 — downtime costs $1.9M per day. A single day of downtime in a hospital system can exceed a multi-million-dollar ransom.
This is why large enterprises sometimes pay even though they have backups. The backup might take weeks to restore. The ransom payment might buy access to decryption keys that restore systems in hours. The math is brutal: if your hospital loses $1.9M per day in downtime costs, a $5M ransom that buys you 24 hours of recovery time is economically rational.
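The trade-off in the hospital example can be made explicit. The following Python sketch is an added example, not part of the original article: it compares the downtime cost of restoring from backup with the expected cost of paying for a decryptor, using the article's $1.9M/day and $5M figures and, as an assumption, reading the 46% corrupted-data figure as the probability that a purchased key fails. Re-attack risk and legal exposure are left out of the model.

```python
# Added example: restore-vs-pay expected cost, using figures quoted in the article.
DOWNTIME_PER_DAY = 1.9e6  # healthcare downtime cost per day (article figure)
RANSOM = 5.0e6            # ransom in the article's hospital example
P_KEY_FAILS = 0.46        # assumption: 46% "mostly corrupted" read as decryptor failure rate


def cost_restore(backup_days, per_day=DOWNTIME_PER_DAY):
    """Downtime cost when recovering from backups only."""
    return backup_days * per_day


def expected_cost_pay(backup_days, key_days, ransom=RANSOM,
                      per_day=DOWNTIME_PER_DAY, p_fail=P_KEY_FAILS):
    """Expected cost of paying. The ransom is spent either way; if the key
    fails, key_days are wasted and the backup restore still has to run."""
    if_works = ransom + key_days * per_day
    if_fails = ransom + (key_days + backup_days) * per_day
    return (1 - p_fail) * if_works + p_fail * if_fails


def break_even_backup_days(key_days, ransom=RANSOM,
                           per_day=DOWNTIME_PER_DAY, p_fail=P_KEY_FAILS):
    """Backup restore time at which both options cost the same.
    A tested restore faster than this makes paying the costlier option."""
    # backup*d = R + key*d + p*backup*d  =>  backup = (R/d + key) / (1 - p)
    return (ransom / per_day + key_days) / (1 - p_fail)


def cheaper_option(backup_days, key_days=1.0):
    """Return which path has the lower expected cost for a given restore time."""
    pay = expected_cost_pay(backup_days, key_days)
    return "restore" if cost_restore(backup_days) <= pay else "pay"


if __name__ == "__main__":
    for days in (3, 7, 14):  # constructed restore times, in days
        print(days, cheaper_option(days),
              round(cost_restore(days) / 1e6, 2),
              round(expected_cost_pay(days, 1.0) / 1e6, 2))
    print("break-even restore days:", round(break_even_backup_days(1.0), 2))
```

Under these assumptions the break-even sits just under a week of restore time, which is why shortening and testing the restore path changes the decision more than any negotiation does.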
Manufacturing shows the clearest pattern. 62% of manufacturing firms pay ransoms — the highest willingness-to-pay rate of any industry. Why? Because manufacturing downtime is measured in lost production, supply chain disruption, and customer penalties. A factory that can't ship products loses more money per hour than almost any other business type.
The Infrastructure Layer: The Real Battleground
Here's what separates 2025 from previous years: law enforcement and cybersecurity firms are no longer primarily targeting individual ransomware groups. They're targeting infrastructure.
Chainalysis notes that Initial Access Broker (IAB) activity can serve as a leading indicator — spikes in IAB payments precede ransomware attacks by approximately 30 days. This means blockchain analysis firms have essentially created a ransomware early-warning system. Law enforcement can now predict where attacks are coming from before they happen, and they're using that intelligence to disrupt bulletproof hosting providers, malware distribution networks, and proxy services before attacks scale.
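One way to check a leading-indicator claim like this against your own telemetry is a lagged correlation between the two daily series. This is an added example, not Chainalysis' method or code from the article; both series are constructed, with a 30-day offset built in, and the function names are hypothetical.

```python
# Added example: estimate how many days one daily series leads another.
# Both series are constructed for illustration; they are not real payment or incident data.
from statistics import mean


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if either is constant)."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def lead_time(leader, follower, max_lag=60):
    """Return (lag, r) maximising the correlation of leader[t] with follower[t + lag]."""
    best = (0, -1.0)
    for lag in range(max_lag + 1):
        r = pearson(leader[:len(leader) - lag], follower[lag:])
        if r > best[1]:
            best = (lag, r)
    return best


def constructed_series(days=240, true_lag=30):
    """Constructed data: IAB payment counts with three spikes, and attack
    counts that echo those spikes true_lag days later plus small noise."""
    iab = [2] * days
    for start in (20, 95, 160):
        for d in range(start, start + 5):
            iab[d] = 12
    attacks = [10] * days
    for d in range(true_lag, days):
        attacks[d] = 10 + 3 * (iab[d - true_lag] - 2) + (d % 3)  # deterministic noise
    return iab, attacks


if __name__ == "__main__":
    iab, attacks = constructed_series()
    lag, r = lead_time(iab, attacks)
    print(f"best lag: {lag} days (r={r:.3f})")
```

On real data the peak is rarely this sharp, so compare the best lag against its neighbours before treating it as a warning window.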
The report also reveals something significant: "Criminal and state-linked actors share infrastructure." The distinction between financially-motivated cybercriminals and nation-state actors is increasingly meaningless operationally. They use the same hosting providers, the same proxy networks, the same malware loaders. The convergence of infrastructure means that disruptions to one layer affect both. When law enforcement takes down a bulletproof hosting provider, it doesn't just slow down ransomware gangs — it slows down state-sponsored actors too.
This explains the 8% revenue decline despite 50% more attacks. Attackers are launching more campaigns, but the cost to monetize each one has risen because the infrastructure layer is getting disrupted faster than it can be rebuilt.
The SME Paradox: Why Volume Targeting Isn't Working
Qilin, the most active ransomware group by mid-2025, exemplifies the shift. The group launched 81 attacks in a single month by June 2025, a 47.3% rise year-over-year. But more attacks don't mean more revenue — they mean more attacks against smaller targets that are less likely to pay.
The strategic assumption is that SMEs pay faster than enterprises. The data says otherwise. SMEs are refusing to pay at higher rates, backing up their systems more consistently, and following incident response plans that explicitly reject negotiation. Yet attacks on SMEs continue, suggesting either that attackers are slow to adapt strategy, or that volume attacks on SMEs are still profitable despite lower individual payouts.
The most likely explanation: attackers are trapped in a transition. The old model — targeting Fortune 500 companies with patient, sophisticated intrusions — is harder now because law enforcement is better at disrupting infrastructure. The new model — volume targeting of SMEs — should work, but the data shows it doesn't. Attackers are stuck in between, working harder for diminishing returns.
Field Notes
I've been digging through ransomware data for weeks, and the most striking thing isn't what's happening — it's what everyone's missing about why it's happening.
The narrative around ransomware is always about malware, zero-days, and attack sophistication. But the real story is that malware sophistication stopped mattering in 2025. The bottleneck isn't malware anymore. It's infrastructure. Law enforcement learned to disrupt the enablement layer faster than criminals can rebuild it, and that single shift — boring, unglamorous, infrastructure-focused — is collapsing the entire ransomware business model.
Here's what I think is actually happening: ransomware isn't dying. It's bifurcating into two incompatible markets. One market is small-scale volume attacks on SMEs that mostly fail because backups work. The other market is high-value targeting of Fortune 500 companies where downtime costs exceed ransom demands. The middle market — where ransomware used to be most profitable — is gone. And the infrastructure layer is the reason.
The organizations winning against ransomware aren't buying fancy EDR tools or AI-powered detection systems. They're using tested backups, incident response plans, and refusing to negotiate. The economics now favor resilience over prevention. That's a fundamental inversion, and it's barely being discussed.
The other thing: the infrastructure convergence between state-linked actors and financially-motivated criminals is significant in ways that go beyond ransomware. If law enforcement can disrupt bulletproof hosting and proxy networks faster than they can be rebuilt, that affects everything — not just ransomware, but all financially-motivated cybercrime. The real security win in 2025 wasn't a new detection method. It was learning to disrupt the infrastructure that enables crime, period.
What Happens Next
The bifurcation is unsustainable. Ransomware only works if you can reliably target high-value victims. If law enforcement keeps disrupting infrastructure faster than it rebuilds, the cost of targeting Fortune 500 companies will rise until even $2M ransom payments don't cover operational expenses. At that point, the market either collapses entirely or consolidates into a handful of sophisticated groups that can afford to rebuild infrastructure as fast as it gets disrupted.
Government and public sector agencies are learning this lesson the hard way — they suffered 208 attacks in H1 2025 alone, a 65% year-over-year increase, with $1B+ in cumulative downtime losses since 2018. But they're also learning to refuse payment, which removes the financial incentive for attackers to target them.
The real question isn't whether ransomware attacks will continue. They will. The question is whether they'll remain profitable. The data from 2025 suggests the answer is no — not for most attackers, anyway. The ones who do stay profitable will be those targeting the rare Fortune 500 company that still thinks paying a ransom is cheaper than rebuilding systems. That's a thin market. And it's getting thinner.
For most organizations, the ransomware threat has already inverted. It's no longer about preventing infection. It's about having backups that work, incident response plans that don't include negotiation, and infrastructure resilient enough to survive the attack. The malware is almost irrelevant now. The infrastructure is everything.
Originally published on Derivinate News.