Ransomware's ROI Crisis: Hackers Grind Harder for Fewer Sats
Ransomware crews had a weird 2025, like a degen who aped into a memecoin only to watch the chart go sideways. According to Chainalysis, total on-chain ransomware payments dipped by roughly 8%, marking the second year in a row these digital extortionists saw their top-line revenue shrink. This decline happened while claimed attacks absolutely mooned, surging by 50%—talk about a brutal compression of margins.
This growing chasm between more break-ins and smaller paydays underscores the messy, multi-front war now reshaping this grimy corner of the crypto economy. In the end, the ransomware racket still hauled in over $820 million in on-chain payments for the year. That's an 8% drop from a revised 2024 estimate of $892 million, though Chainalysis notes the final 2025 number might still creep up, potentially flirting with or even breaking past the $900 million mark—not exactly a bear market, but hardly a euphoric bull run for crime.
Data from eCrime.ch reveals that claimed ransomware victims jumped 50% year-over-year, making it the busiest year for breach announcements on record. Yet, despite this explosion in "customer" outreach, the conversion rate absolutely tanked; the share of ransoms actually paid fell to a pathetic all-time low of just 28%. It seems even digital hostage-takers are facing a brutal bear market for their "services."
Chainalysis points to a few reasons for this painful divergence. Better corporate incident response, tighter regulatory handcuffs, and global cop collaboration have all helped slash payout frequency and put a squeeze on revenue streams. The report even throws shade at strains like VolkLocker, which had a cryptographic oopsie that allowed for free decryption in some cases—a perfect example of how shoddy code review can completely rug-pull your own criminal operation.
While total payments stagnated, the median ransom size absolutely pumped. The median payment skyrocketed 368%, launching from $12,738 in 2024 to $59,556 in 2025. Jacqueline Koven, Head of Cyber Threat Intelligence at Chainalysis, told BeInCrypto this is likely fueled by a handful of massive outlier payments—the crypto equivalent of a lucky wallet hitting a life-changing jackpot—rather than a full-scale return to 'big-game hunting' tactics. She noted the actors remain glorified opportunists, happy to phish a small clinic or a Fortune 500 company with equal enthusiasm.
Koven also confirmed that Bitcoin remains the undisputed financial rail of choice for these digital bandits. Despite its very public and immutable ledger, they still prefer BTC for being borderless, near-instant, liquid, and frankly, easy to use—a sobering reminder that the original crypto is still the king of censorship-resistant settlement, for better or worse.
The entire ransomware ecosystem is propped up by Initial Access Brokers (IABs), the shadowy real estate agents of the dark web who sell keys to already-compromised networks. Chainalysis estimates IABs pocketed at least $14 million in on-chain payments in 2025, a figure that barely budged from the year before. While a rounding error compared to overall extortion revenues, these payments highlight a 'critical enabling function'—the essential, if unglamorous, infrastructure layer of the crime stack.
IAB activity can actually serve as a leading on-chain indicator, like a weird, inverted fear-and-greed index for cybercrime. According to the analysis, spikes in IAB inflows tend to foreshadow increases in ransomware payouts and victim data dumps by about 30 days. Koven noted that even as ransomware groups fragment and rebrand with the frequency of failed DAOs, their dependency on these access brokers remains a constant, making these payments a clear signal that attack prep is underway.