Ransomware theft reportedly exploded last year, yet the cash flowing to cybercriminals barely moved. Why does this twisted shift matter, and does it signal for businesses everywhere?
According to data from blockchain trackers at Chainalysis, ransomware theft incidents jumped a staggering 50% in 2025. Hackers claimed nearly 8,000 leak events, up sharply from the year before, as they pivoted hard away from massive, splashy targets toward smaller and mid-sized companies.
What is the logic behind this, you may ask? Turns out smaller outfits often cave quicker to save their operations.
Despite ransomware theft activity hitting record highs, total on-chain ransom payments actually dipped 8% to around $820 million. That’s a clear sign the old playbook is cracking.
Your completely free resource hub designed to boost your knowledge of cryptocurrencies
Tougher regulations, aggressive crackdowns on money-laundering channels, and more big players flat-out refusing to pay have squeezed the profits out of these schemes.
Corsin Camichel, founder of eCrime.ch, said in the report that they are “watching a major pivot in who gets hit and fewer blockbuster breaches, with way more volume aimed at small and medium businesses.”
Their thinking is that smaller victims pay faster. Yet the numbers tell a different story. Ransomware theft claims are at an all-time peak, but actual payments are trending down. Attackers are grinding harder for less reward.
The flood of heap entry points helps explain the surge in ransomware theft attempts. Dark web prices for victim access have plummeted from about $1,427 in early 2023 down to just $439 by the start of 2026. Throw in a glut of ready-made ransomware kits, plus AI tools making attacks smoother and faster, and you’ve got an industrialized pipeline churning out more hits than ever. Chainalysis calls it an “oversupply of cheap but limited inventory” that’s driving prices into the ground.
Ransomware theft isn’t going anywhere, but the economics are shifting!
This structural change in ransomware theft tactics shows cybercriminals adapting fast but hitting walls.
Fewer victims are paying overall (some estimates put the payment rate at a historic low around 28%), and when they do, the median demand has climbed sharply to nearly $60,000.
Nevertheless, even with ransomware payments cooling slightly in 2025, 2026 opened with heavy hits. CertiK tracked $370.3 million stolen in January alone through exploits and scams, with phishing scams swallowing the biggest chunk at $311.3 million.
