
Fewer victims are paying, yet larger ransoms and more groups amplify financial risk for enterprises, reshaping cyber‑risk strategies. Regulators and security teams must adapt to a threat landscape that extracts greater value from a shrinking pool of paying victims.
The declining payment rate signals a strategic shift in the ransomware economy. As organizations improve incident response and face tighter regulatory scrutiny, attackers are forced to extract more value per breach, driving the median ransom to nearly $60,000. This trend underscores the growing importance of proactive defenses, cyber‑insurance negotiations, and rapid containment capabilities to deter payments and limit exposure.
Simultaneously, the ransomware ecosystem is fragmenting. Chainalysis identified 85 active extortion groups in 2025, a stark contrast to the previous dominance of a handful of RaaS platforms. This diversification, coupled with the rise of initial access brokers, creates a more volatile market where threat actors compete on price and speed. The observed 30‑day lag between IAB activity and ransom payments offers a predictive signal that security operations centers can exploit for early warning and threat hunting.
For businesses, the implications are twofold. First, the financial impact of attacks is no longer measured solely by the frequency of payments but by the magnitude of each payout and the collateral damage, as illustrated by the $2.5 billion loss at Jaguar Land Rover. Second, the concentration of attacks on developed economies, especially the United States, demands tailored risk assessments and sector‑specific resilience planning. Companies that invest in comprehensive breach response playbooks, threat intelligence integration, and continuous employee training will be better positioned to navigate this evolving ransomware landscape.