
Archived article: The Daily Perspective is no longer active. This article was published on 1 March 2026 and is preserved as part of the archive.


Ransomware Is Booming. The Criminals Are Just Getting Paid Less

A record surge in attacks collides with falling ransom payments, revealing a cybercrime economy that is restructuring, not retreating.

Key Points
  • Global ransomware payments fell 8% to $820 million in 2025, marking the second consecutive annual decline in criminal revenues.
  • Claimed attacks surged 50% year-on-year to a record high, with more than 8,000 organisations publicly named on leak sites.
  • Median ransom demands jumped 368%, from roughly $12,700 in 2024 to nearly $60,000 in 2025, as attackers pivoted toward smaller targets.
  • Australia ranked among the world's most targeted nations, with one study finding 95% of affected local organisations paid their attackers.
  • The Australian government introduced a mandatory ransomware reporting regime in mid-2025, marking a significant policy shift toward transparency.

Here is a question worth sitting with: what does it mean when a criminal industry records its busiest year ever, yet earns less money doing it? For the ransomware economy, the answer is both reassuring and deeply alarming at once.

New data from blockchain analytics firm Chainalysis, published in its 2026 Crypto Crime Report, shows that ransomware gangs collected roughly $820 million in cryptocurrency payments during 2025. That is an 8% decline from the previous year and the second straight annual fall in on-chain ransomware revenue. On the surface, it reads like a win. Strip away the headline figure, however, and what remains is a picture of a criminal marketplace that is not shrinking but reorganising at speed.

Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50% year-on-year increase in claimed ransomware victims, marking the most active year on record. Rather than a handful of large gangs, there were as many as 85 active extortion groups operating during the year. Old names such as LockBit and BlackCat were raided, sanctioned, or simply rebranded, and into the gap poured a sprawling cohort of smaller, opportunistic crews.


The arithmetic here is worth examining carefully. Despite the overall revenue decline, the median ransom payment increased by 368%, from $12,738 in 2024 to $59,556 in 2025. Fewer victims are paying, but those who do are being hit far harder. The share of ransoms paid potentially reached an all-time low of 28%, a divergence that reflects improved incident response and increased regulatory scrutiny helping to reduce payout frequency. The fundamental question is whether a world with more attacks and higher demands but fewer payments actually represents progress, or simply a different kind of danger.

The counter-argument deserves serious consideration. There is genuine evidence that law enforcement pressure and better corporate cyber hygiene are making a dent. Coordinated law enforcement actions and sanctions increasingly targeted the infrastructure layer in 2025, including bulletproof hosting providers, raising costs for both cybercrime syndicates and state-linked actors. Organisations that invest in resilient backups and rehearsed incident response plans are demonstrably less likely to capitulate. The falling payment rate is not accidental; it reflects real defensive progress across parts of the economy.

For Australia, though, the comfort in those global numbers is limited. Australia has emerged as one of the top five most targeted nations for cyber threats against critical infrastructure, ranking fourth globally behind the United States, Sweden and Germany. More troubling still is the payment culture. Research by Rubrik Zero Labs found that Australia recorded one of the highest rates of ransom payment globally, with 95% of Australian organisations that experienced a ransomware attack in the past 12 months saying they paid. When attackers know a country tends to pay, they keep coming back.

According to the Cyble Global Threat Landscape Report for the first half of 2025, ransomware attacks in Australia and New Zealand doubled year-on-year, with healthcare, professional services, and small-to-medium enterprises among the hardest hit. The Australian Signals Directorate's Annual Cyber Threat Report 2024-25 confirms the broader trend: the frequency of ransomware attacks and the number of reported data breaches both increased throughout FY2024-25.

Part of what makes the current moment so structurally challenging is that ransomware is no longer a product sold by a few large criminal enterprises. Ransomware today is best understood not as isolated attacks, but as an interconnected marketplace of access, infrastructure, and monetisation services. Chainalysis identified so-called initial access brokers (IABs) as a revealing indicator of this dynamic. These middlemen, who sell ready-made footholds into corporate networks, received at least $14 million in on-chain payments in 2025, and Chainalysis found that spikes in IAB payments often precede increases in ransomware payments and victim leak posts by roughly 30 days. Access gets purchased quietly on a dark web forum, and a month later an organisation's name appears on a leak site.

The cost of that access has also been collapsing. Cybercrime prevention firm Darkweb IQ reported that from Q1 2023 to Q1 2026, the average price for victim access declined from approximately $1,427 to $439. This drop reflects a market shaped by competitive pressure and automation, with industrialised access pipelines and AI-assisted tooling lowering the barrier to entry. When it costs less than a restaurant dinner to buy a corporate network's front door, the volume of would-be attackers is constrained only by ambition.

The Chainalysis data also revealed a deliberate strategic shift in targeting. Instead of focusing primarily on large corporations capable of writing massive cheques, many groups shifted toward smaller and mid-sized businesses that often lack full-time security teams or robust recovery systems, calculating that a smaller company might feel cornered and pay quickly. The Australian Competition and Consumer Commission and other regulators have long flagged that small businesses remain the most exposed segment of the economy to cyber threats, precisely because their risk management resources are thinnest.

History will judge this moment by whether governments treated the falling payment figures as a reason for complacency or as a window for structural reform. On that count, there are some encouraging signs from Canberra. On 30 May 2025, the Australian government introduced a mandatory ransomware reporting regime for businesses with annual turnovers of $3 million or more and for entities responsible for critical infrastructure, with the aim of enhancing government visibility of ransomware threats and improving operational responses. That is a meaningful step. Transparency about the scale of the problem is the precondition for any serious policy response, and mandatory reporting makes it far harder for organisations to quietly pay ransoms and move on.

This is not a left-right issue; it is a competence issue. Cybersecurity funding, reporting obligations, and international law enforcement cooperation require sustained political will and institutional capacity that transcends electoral cycles. The Albanese government's mandatory reporting regime is a sensible foundation. Whether it is adequately resourced and enforced is the question that deserves scrutiny at the next budget.

The global data from Chainalysis ultimately tells a story that resists easy interpretation. Victims are paying less often, which is genuinely good news. But more organisations are being hit, demands are higher, the criminal infrastructure is cheaper to access than ever, and Australia is paying with conspicuous frequency. If we accept that premise (and the evidence suggests we should), then the policy response needs to match the actual threat, not the headline payment number. A falling revenue figure for criminals is not the same thing as a safer country.

Daniel Kovac

Daniel Kovac is an AI editorial persona created by The Daily Perspective, providing forensic political analysis with sharp rhetorical questioning and a cross-examination style. As this is an AI persona, its articles are generated using artificial intelligence with editorial quality controls.