TL;DR: 2025 ransomware payments on-chain fell about 8% to $820 million even as reported victims rose 50%, median payments jumped 368% to $59,556, and initial access broker activity appears to precede later extortion by roughly 30 days, according to Chainalysis. The economics now reward access, infrastructure, and timing more than volume alone, making identity and credential governance a front-line control.
At a glance
What this is: Chainalysis shows ransomware is becoming more fragmented, more access-driven, and more dependent on shared infrastructure than on simple payment volume.
Why it matters: That matters to IAM, PAM, and NHI teams because the same credential exposure and access brokerage patterns that enable ransomware also govern service accounts, tokens, and privileged paths into enterprise environments.
By the numbers:
- 2025年のブロックチェーン上のランサムウェア身代金総額は前年比約8%減の8億2000万ドル
- 攻撃被害の申告は50%増加
- 身代金支払額の中央値が前年比368%増の約6万ドルに上昇
- への資金流入の急増から約30日後に、ランサムウェアの支払額やリークサイトへの被害者情報の公開が増加する傾向, する傾向
👉 Read Chainalysis's 2026 Crypto Crime Report analysis of ransomware access markets
Context
Ransomware now operates less like a single attack pattern and more like an ecosystem with upstream access brokers, shared infrastructure, and downstream monetisation services. That shift matters because the control problem is no longer only recovery after encryption, but also prevention of credential-led entry, brokered access, and privilege abuse before a payload ever lands.
For identity teams, the article’s core signal is the growing link between initial access brokerage and later extortion activity. That creates a direct governance intersection with service accounts, secrets, third-party access, and privileged credentials, which are often the weakest links in otherwise mature security programmes.
Key questions
Q: What breaks when ransomware actors buy access instead of stealing it themselves?
A: When attackers buy footholds, traditional perimeter indicators arrive too late because the initial compromise has already been converted into authenticated access. That shifts risk to identity controls, especially exposed service accounts, stolen tokens, and overprivileged remote access. Organisations that do not monitor broker-style activity lose the chance to interrupt the campaign before lateral movement and extortion begin.
Q: Why do service accounts and secrets matter in ransomware defence?
A: Service accounts and secrets matter because they can turn a one-time intrusion into repeatable authenticated access. If those credentials are long-lived, overprivileged, or poorly monitored, attackers can move, persist, and escalate without needing to trigger obvious malware-based alerts. Ransomware resilience depends on shrinking that usable access window.
Q: How can security teams tell whether MFA and SSO are actually reducing ransomware exposure?
A: Look for fewer user-entered passwords, fewer password reset events triggered by suspicious activity, and a narrower set of workflows that still depend on manual credential entry. If remote and privileged access still fall back to passwords, the programme has not removed the most important exposure points.
Q: Who is accountable when compromised credentials are used to trigger ransomware?
A: Accountability usually spans identity, infrastructure, and security operations because the failure chain includes authentication design, network trust boundaries, and detection gaps. Frameworks such as NIST CSF and Zero Trust Architecture place responsibility on governance that limits blast radius, not only on the team that owns the portal.
Technical breakdown
How initial access brokers feed the ransomware economy
Initial access brokers, or IABs, specialise in obtaining and selling footholds into compromised environments. They reduce the work required for downstream operators by packaging access, often with details about environment type, privileges, and persistence. In practice, ransomware groups can buy ready-made entry rather than burn time on reconnaissance and exploitation. The article’s data suggests IAB activity can act as a leading indicator for later extortion and leak-site pressure. That is important because the control boundary moves upstream from intrusion detection to identity and credential exposure management.
Practical implication: Track access brokerage as an upstream risk signal and prioritise exposed credentials, third-party access, and high-value entry paths.
Why infrastructure reuse changes ransomware attribution and disruption
The report shows that ransomware actors, fraud services, and state-linked operators increasingly rely on the same bulletproof hosting and residential proxy layers. This convergence means the infrastructure itself becomes the shared dependency, even when motives differ. From an operations perspective, shared infrastructure blurs actor boundaries and makes disruption more efficient when focused on services rather than individual groups. For defenders, it also means that detection, blocking, and intelligence enrichment need to account for infrastructure patterns, not just known actor names.
Practical implication: Correlate infrastructure indicators across campaigns so blocklists, detections, and threat intelligence do not stop at one brand or one group.
The identity angle in ransomware is access, not just encryption
Ransomware is often described as a malware problem, but the article makes clear that access creation, credential abuse, and privilege pathing are central to how campaigns scale. That makes identity a governance layer in the attack chain, especially where service accounts, API keys, and third-party credentials create standing access. Once an attacker can authenticate, the difference between a contained event and a large-scale extortion campaign is frequently the quality of privilege segmentation and monitoring. This is where NHI governance becomes materially relevant to ransomware resilience.
Practical implication: Map service-account and token exposure into ransomware readiness, because authenticated access is what converts intrusion into impact.
Threat narrative
Attacker objective: The attacker’s objective is to monetise access by turning a purchased foothold into data theft, operational disruption, and ransom leverage.
- Entry begins with access brokers harvesting or purchasing footholds into real enterprise environments, often through exposed credentials or compromised remote access.
- Escalation follows when ransomware affiliates use brokered access, shared loaders, and privileged credentials to move from entry to execution and lateral movement.
- Impact comes when the operator encrypts systems, exfiltrates data, and uses leak sites or negotiated extortion to pressure payment.
NHI Mgmt Group analysis
Ransomware has become an access market, not just a malware market. The report’s most important signal is the growing importance of Initial Access Broker activity as a precursor to later extortion. That changes the governance question for identity teams from “how do we recover?” to “where are we creating saleable access?” Practitioners should treat exposed credentials and brokerable entry paths as early-stage ransomware enablers.
Access-broker lead indicators should reshape NHI governance: when stolen service-account credentials, API keys, or remote-access tokens can be monetised before a payload is deployed, standing access becomes a direct business risk. This aligns closely with OWASP Non-Human Identity Top 10 concerns around unmanaged secrets and overprivilege, and it argues for lifecycle controls that shorten the usable window of every NHI credential. The practical conclusion is that identity telemetry has to feed threat hunting, not only access reviews.
Infrastructure disruption is now a control strategy, not a side effect. The report shows why law enforcement and sanctions are increasingly aimed at hosting, proxy, and loader ecosystems rather than single ransomware brands. That approach recognises a shared-services economy in which criminal and state-linked actors exploit the same technical stack. For defenders, the implication is that supply-chain style resilience thinking belongs in ransomware governance, especially where third-party infrastructure supports authentication, delivery, or monetisation.
Median payment growth signals pressure concentration, not broad success for attackers. While total on-chain ransomware revenue fell, the median payment rose sharply, which suggests a narrower set of high-pressure cases is driving larger individual payouts. That pattern matters because it can distort programme metrics if teams focus only on aggregate loss. The better governance lens is exposure severity by identity path, privilege level, and recovery dependency. Practitioners should report ransomware risk in terms of access criticality, not just incident counts.
The named concept here is access monetisation latency. The article shows a measurable delay between brokered access investment and downstream extortion activity, with IAB inflows preceding payment and leak-site increases by about a month. That lag creates a detection opportunity for defenders who can connect early access signals to later abuse. Identity and SOC teams should use that window to isolate brokers’ likely targets and harden the credentials most likely to be resold.
What this signals
Access monetisation latency is becoming a useful planning concept for identity and SOC teams. The article shows that brokered access can sit dormant for weeks before it turns into extortion, which means early credential exposure is not a contained event but a delayed business risk. Teams that can tie identity telemetry to threat intelligence gain a window for containment before the ransomware operator converts access into impact.
From our research: When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs. That pace is consistent with the article’s broader message that saleable access moves faster than many governance workflows. For practitioners, the operational answer is to make exposed credentials unusable as quickly as possible, then verify that revocation and rotation actually close the window.
The post also reinforces why identity metrics should be reported as exposure duration, privilege depth, and brokerability rather than just account counts. Those measures are more useful for ransomware preparedness because they describe how quickly an attacker can turn an identity into leverage. For IAM and PAM leaders, that is the difference between a control inventory and a risk model.
For practitioners
- Monitor access-broker indicators as an upstream ransomware signal Correlate exposed credentials, suspicious remote access, and broker-market intelligence with high-value systems that could be resold to affiliates. Feed those signals into threat hunting and incident prioritisation before encryption or exfiltration occurs.
- Reduce the resale value of NHI credentials Inventory service accounts, API keys, tokens, and certificates that can create authenticated footholds, then shorten their lifespan and remove standing privilege wherever possible. If an attacker can authenticate quickly, they can monetise the access quickly.
- Treat third-party infrastructure as part of ransomware governance Review hosted dependencies, proxy exposure, and loader-adjacent services that support authentication, delivery, or data transfer. Shared infrastructure can amplify multiple threat types at once, so supplier risk reviews should include abuse potential as well as availability.
- Align backup testing with identity recovery paths Test whether restoration can proceed when domain access, vault access, or privileged service accounts are unavailable or compromised. Recovery plans that assume healthy identity services often fail at the point ransomware teams exploit.
Key takeaways
- Ransomware is increasingly powered by access markets, where brokered footholds matter as much as malware delivery.
- The article’s figures show a smaller overall revenue pool but faster, more concentrated pressure on specific victims and faster downstream monetisation after access brokerage.
- Identity teams should focus on reducing the resale value and usable lifetime of credentials, tokens, and standing privilege.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The report centers on exposed NHI credentials and brokered access. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article tracks credential abuse, movement, and extortion outcomes. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control are central to the ransomware entry path. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management is directly implicated by brokered access and secret exposure. |
| CIS Controls v8 | CIS-5 , Account Management | Account lifecycle control is a direct counter to saleable access. |
Strengthen PR.AC-1 by limiting external access paths and reviewing exposed credentials continuously.
Key terms
- Initial access broker: An initial access broker is an attacker or criminal intermediary that acquires footholds, such as stolen credentials, and then passes them to other threat actors. This role turns access into a commodity and increases the likelihood that simple credential exposure will become a broader breach.
- Access Monetisation Latency: Access monetisation latency is the delay between when compromised access is obtained and when it is used for extortion, theft, or disruption. In practice, that delay creates a short but valuable detection window for defenders who can connect credential exposure to later attack activity.
- Standing Privilege: Standing privilege is persistent access that remains available when no active task requires it. For non-human identities, this often takes the form of long-lived service accounts, tokens, or certificates that can be reused by an attacker once stolen or brokered.
- Saleable Foothold: A saleable foothold is an authenticated path into an environment that has enough value to be traded on criminal markets. It may include VPN access, a compromised account, or a token with useful privileges, and it becomes more dangerous when lifecycle controls are weak.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- Blockchain attribution methods for separating ransomware flows from access-broker payments and other adjacent cybercrime revenue.
- Year-over-year victim distribution and regional leakage patterns that show which sectors and geographies absorbed the most pressure.
- Case-by-case financial tracing of major ransomware ecosystems and their monetisation channels.
- Law-enforcement and sanctions actions against hosting, proxy, and loader infrastructure that sit behind the headline figures.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity lifecycle controls to ransomware resilience and broader access-risk reduction.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org