TL;DR: 2025 ransomware payments on-chain fell about 8% to $820 million even as reported victims rose 50%, median payments jumped 368% to $59,556, and initial access broker activity appears to precede later extortion by roughly 30 days, according to Chainalysis. The economics now reward access, infrastructure, and timing more than volume alone, making identity and credential governance a front-line control.
NHIMG editorial — based on content published by Chainalysis: the 2026 Crypto Crime Report analysis of ransomware, access brokers, and infrastructure
By the numbers:
- 2025年のブロックチェーン上のランサムウェア身代金総額は前年比約8%減の8億2000万ドル
- 攻撃被害の申告は50%増加
- 身代金支払額の中央値が前年比368%増の約6万ドルに上昇
Questions worth separating out
Q: What breaks when ransomware actors buy access instead of stealing it themselves?
A: When attackers buy footholds, traditional perimeter indicators arrive too late because the initial compromise has already been converted into authenticated access.
Q: Why do service accounts and secrets matter in ransomware defence?
A: Service accounts and secrets matter because they can turn a one-time intrusion into repeatable authenticated access.
Q: How can security teams tell whether MFA and SSO are actually reducing ransomware exposure?
A: Look for fewer user-entered passwords, fewer password reset events triggered by suspicious activity, and a narrower set of workflows that still depend on manual credential entry.
Practitioner guidance
- Monitor access-broker indicators as an upstream ransomware signal Correlate exposed credentials, suspicious remote access, and broker-market intelligence with high-value systems that could be resold to affiliates.
- Reduce the resale value of NHI credentials Inventory service accounts, API keys, tokens, and certificates that can create authenticated footholds, then shorten their lifespan and remove standing privilege wherever possible.
- Treat third-party infrastructure as part of ransomware governance Review hosted dependencies, proxy exposure, and loader-adjacent services that support authentication, delivery, or data transfer.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- Blockchain attribution methods for separating ransomware flows from access-broker payments and other adjacent cybercrime revenue.
- Year-over-year victim distribution and regional leakage patterns that show which sectors and geographies absorbed the most pressure.
- Case-by-case financial tracing of major ransomware ecosystems and their monetisation channels.
- Law-enforcement and sanctions actions against hosting, proxy, and loader infrastructure that sit behind the headline figures.
👉 Read Chainalysis's 2026 Crypto Crime Report analysis of ransomware access markets →
Ransomware access markets and infrastructure: what IAM teams need to watch?
Explore further
Ransomware has become an access market, not just a malware market. The report’s most important signal is the growing importance of Initial Access Broker activity as a precursor to later extortion. That changes the governance question for identity teams from “how do we recover?” to “where are we creating saleable access?” Practitioners should treat exposed credentials and brokerable entry paths as early-stage ransomware enablers.
A question worth separating out:
Q: Who is accountable when compromised credentials are used to trigger ransomware?
A: Accountability usually spans identity, infrastructure, and security operations because the failure chain includes authentication design, network trust boundaries, and detection gaps. Frameworks such as NIST CSF and Zero Trust Architecture place responsibility on governance that limits blast radius, not only on the team that owns the portal.
👉 Read our full editorial: Ransomware is shifting toward access markets and infrastructure