TL;DR: Ransomware payments fell about 8% to $820 million in 2025 even as claimed attacks rose 50%, median payments jumped 368% to nearly $60,000, and initial access broker inflows often preceded payment and leak-site spikes by roughly 30 days, according to Chainalysis. The market is shifting from isolated extortion events to an access-and-infrastructure economy where disruption, not just response speed, determines defender outcomes.
At a glance
What this is: Chainalysis says ransomware revenue flattened in 2025 even as attack volume, median payments, and enabling infrastructure pressures all moved in different directions.
Why it matters: For IAM, PAM, NHI, and wider security teams, the report shows that standing access, exposed credentials, and brokered initial access remain central to ransomware economics and response priorities.
By the numbers:
- Total on-chain ransomware payments fell by approximately 8% to $820 million in 2025.
- Claimed ransomware victims rose 50% year-over-year in 2025.
- The median ransom payment grew 368% year-over-year to nearly $60,000.
- Initial access broker inflows typically preceded ransomware payment and leak-site spikes by roughly 30 days.
👉 Read Chainalysis's 2026 crypto crime report on ransomware and access markets
Context
Ransomware has become an access economy, not just a malware problem. The article shows that payments, attack volume, and enabling infrastructure are moving on different curves, which makes simple incident counts a poor guide to exposure. For identity and access teams, the important question is where initial access is being created, preserved, and sold before the ransom stage begins.
That matters because ransomware campaigns increasingly depend on credential abuse, brokered entry, and shared infrastructure rather than one-off opportunistic compromise. The article also links criminal and state-linked actors to the same hosting and proxy layers, which means defenders are dealing with a converged enablement market rather than a single threat class.
Key questions
Q: What breaks when ransomware actors buy access instead of stealing it themselves?
A: When attackers buy footholds, traditional perimeter indicators arrive too late because the initial compromise has already been converted into authenticated access. That shifts risk to identity controls, especially exposed service accounts, stolen tokens, and overprivileged remote access. Organisations that do not monitor broker-style activity lose the chance to interrupt the campaign before lateral movement and extortion begin.
Q: Why do credentials and privilege matter so much in ransomware incidents?
A: Ransomware operators usually need administrative access to disable security tools, stop services, move laterally, and encrypt at scale. Stolen credentials often matter more than the initial malware sample because they give the attacker control over timing and scope. IAM and PAM controls therefore directly shape whether an intrusion becomes a widespread outage.
Q: How do organisations know whether ransomware identity controls are actually working?
A: Look for reduced privilege breadth, shorter-lived elevated sessions, and faster revocation when suspicious activity appears. If a compromised identity can still reach backups, security tooling, or production management systems, the controls are not working. Effective programmes can demonstrate that access is constrained before attackers can convert it into business interruption.
Q: Who is accountable when brokered access leads to ransomware impact?
A: Accountability sits across identity, security operations, infrastructure, and resilience teams because the failure usually starts before the incident is visible. Controls over privileged access, secret handling, and exposure monitoring are governance responsibilities, not just technical ones. Frameworks such as NIST CSF and NIST SP 800-53 make that shared ownership explicit.
Technical breakdown
Initial access brokers as a ransomware leading indicator
Initial Access Brokers, or IABs, sell footholds into real environments, often before the ransomware operator arrives. On-chain flows into these markets can therefore act as an early signal of downstream extortion risk, especially when payments and leak-site activity follow within about a month. This is less about malware delivery and more about access monetisation: once a broker has sold a path in, the attacker only needs to preserve reach long enough to launch encryption, exfiltration, or both. In practical terms, access telemetry, credential exposure monitoring, and broker-market intelligence should be treated as part of ransomware detection, not separate from it.
Practical implication: Map exposed credentials and brokered access to the same escalation pathway so that access alerts trigger ransomware readiness immediately.
Why median ransom size can rise while total revenue stagnates
A flat total payment figure can hide major pressure changes in the market. If fewer victims pay but attackers concentrate on higher-value targets or negotiate harder, the median payment rises even when aggregate revenue does not. That pattern is consistent with fragmentation in ransomware-as-a-service, where smaller groups compete for fewer easy payouts and adapt by targeting organisations with stronger perceived liquidity. For practitioners, this means measuring exposure only by total loss is misleading. The more useful questions are which business units are attractive to extortionists and where backup, segmentation, and identity controls reduce leverage.
Practical implication: Use median payment trends and victim segmentation to identify business functions that are likely to be extortion-priority targets.
Converged infrastructure services lower the cost of crime
The article shows that bulletproof hosting, residential proxies, malware loaders, and laundering services are shared across financially motivated and state-linked actors. That convergence matters because it collapses the idea that defenders can solve the problem by focusing only on one group or one malware family. When infrastructure is reusable, disruption has to target the enablement layer as much as the campaign itself. For identity teams, this reinforces the value of limiting privileged access paths, tightening outbound credential use, and reducing the blast radius of any initial compromise.
Practical implication: Treat infrastructure-level abuse as a governance problem and tighten controls that limit how stolen credentials can be reused or routed.
Threat narrative
Attacker objective: The attacker objective is to monetise access through ransom, extortion, and resale of compromised footholds across a broader cybercrime supply chain.
- Entry begins when an Initial Access Broker obtains footholds through exposed services, stolen credentials, or brokered access and resells them into the ransomware market.
- Escalation follows when operators validate privileges, move laterally, and preserve access long enough to deploy payloads, exfiltrate data, or stage extortion.
- Impact occurs when victims face encryption, data exposure, operational disruption, and negotiation pressure that extends beyond the initial technical intrusion.
NHI Mgmt Group analysis
Ransomware has become an access-market governance problem. The article makes clear that the economic center of gravity is shifting before encryption ever starts. Initial access brokers, standing credentials, and exposed services now shape the likelihood of downstream extortion more than the malware name itself. For identity teams, the control question is whether access can be discovered, constrained, and invalidated before it is monetised.
Standing privilege is now a ransomware multiplier, not just an IAM hygiene issue. When attackers can turn a stolen or brokered foothold into durable internal reach, negotiations and operational disruption both become more likely. This is where IAM, PAM, and NHI governance intersect directly with cyber extortion economics. The practitioner implication is that privileged persistence windows need to be treated as a measurable business risk.
Converged criminal infrastructure creates shared exposure across threat classes. Bulletproof hosting and residential proxy networks are no longer just ransomware enablers. They are reusable services for cybercrime and state-aligned activity alike, which means disruption has to focus on the enablement layer rather than a single campaign. That also strengthens the case for asset-level containment and egress control as part of identity-centric resilience.
Access intelligence deserves the same operational priority as incident telemetry. The article’s 30-day lead indicator around IAB inflows is a reminder that warning signals often appear well before the ransom demand. When exposure data, broker-market activity, and authentication anomalies are correlated, defenders can narrow the window in which access becomes leverage. The practitioner takeaway is to make access intelligence part of the ransomware operating model.
Attack volume and attacker revenue are no longer aligned metrics. More claimed victims do not automatically produce more revenue for attackers, which means defenders should avoid over-reading payment totals as a proxy for risk reduction. The more useful lens is whether identity controls, segmentation, and resilience measures are lowering the attacker’s conversion rate from access to payment. The conclusion is to measure control effectiveness at the monetisation stage, not only at the intrusion stage.
What this signals
Access intelligence is becoming a core resilience input. Security teams should expect ransomware readiness to be judged less by how quickly they respond after encryption and more by how early they can see access monetisation signals. That pushes broker-market monitoring, secret exposure detection, and privileged access analytics into the same operating rhythm as incident response.
Secret sprawl creates the conditions for resale. When credentials are fragmented across tools and teams, revocation becomes slower and attackers have more ways to preserve a foothold. That is why Ultimate Guide to NHIs , Key Challenges and Risks remains relevant for ransomware defence: it frames the governance problem that lets stolen access keep paying out.
Infrastructure disruption now has identity consequences. As hosting and proxy services are targeted, defenders should expect attacker tradecraft to adapt by reusing whatever access survives. The programme implication is clear: pair egress control and infrastructure monitoring with identity controls that can invalidate compromised credentials before they are operationalised.
For practitioners
- Correlate access-market signals with ransomware readiness Feed exposed credential alerts, broker-market intelligence, and authentication anomalies into the same triage queue so security teams can act before the usual extortion window opens. Use this as an early-warning layer alongside incident response planning.
- Shrink standing privilege windows Review administrative and service-account access that persists after task completion, then remove or time-box any privilege that would let a brokered foothold become an internal launch point. Prioritise high-value systems and remote administration paths.
- Harden credential and secret exposure pathways Inventory where secrets, API keys, and privileged tokens can be exposed through code repositories, logs, or misconfigured cloud services, then pair detection with rapid revocation and rotation. This reduces the resale value of a compromised foothold.
- Treat proxy and hosting abuse as a containment problem Block or monitor the outbound infrastructure patterns that let attackers blend into legitimate traffic, especially when stolen credentials are likely to be reused across services. This is a blast-radius control, not just a network tuning exercise.
- Use payments and leak-site trends as programme metrics Track whether extortion pressure is shifting by business unit, geography, and privilege tier, rather than only counting incidents. That helps security, risk, and resilience teams see where control failures are converting into attacker leverage.
Key takeaways
- Ransomware in 2025 was driven by an access economy, not only by malware deployment, with brokered entry and shared infrastructure shaping outcomes.
- Attack volume rose sharply while aggregate payments fell, but median ransom size and access-market signals both increased, showing a more selective extortion market.
- Teams reduce leverage when they shrink standing privilege, accelerate secret revocation, and treat access intelligence as part of ransomware defence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article centres on brokered access, lateral movement, and extortion impact. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access governance are central to limiting brokered footholds. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management directly addresses exposed secrets and token abuse. |
| CIS Controls v8 | CIS-5 , Account Management | Account lifecycle control is directly tied to shutting down residual access. |
| NIST AI RMF | MANAGE | AI-assisted extortion and analysis raise model and automation governance concerns. |
Map exposed-access signals to ATT&CK tactics and prioritise controls that break credential reuse and lateral spread.
Key terms
- Initial Access Broker: An initial access broker is a criminal intermediary that obtains footholds into real environments and sells them to other attackers. The broker may use stolen credentials, exposed services, or compromised systems. Their role is important because it turns access into a tradable asset and shortens the path to extortion or intrusion.
- Standing Privilege: Standing privilege is access that remains available all the time instead of being granted only when needed. It increases risk because an attacker who captures the account or secret can use it immediately, often without further approval or time limits. In ransomware scenarios, standing privilege turns a foothold into a durable launch point.
- Blast Radius: The potential scope of damage if a specific credential or identity is compromised. Identities with broad permissions have a larger blast radius and represent a higher priority for least-privilege enforcement and security controls.
- Access intelligence: Access intelligence is a runtime authorization approach that combines identity, context, and policy before granting or continuing access. It reduces the value of stolen credentials by requiring the request to still look legitimate at the moment of use, not just at the moment of approval.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- On-chain attribution methods used to separate ransomware receipts from related cybercrime flows.
- Breakdowns of initial access broker activity and how those flows were linked to later victim payments.
- Per-strain laundering patterns that help investigators fingerprint ransomware groups by behaviour, not just malware name.
- The infrastructure disruption examples involving bulletproof hosting and proxy services that this post only summarises.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and workload identity. It is designed for practitioners who need to turn identity controls into operational resilience across modern security programmes.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org