TL;DR: Ransomware payments fell about 8% to $820 million in 2025 even as claimed attacks rose 50%, median payments jumped 368% to nearly $60,000, and initial access broker inflows often preceded payment and leak-site spikes by roughly 30 days, according to Chainalysis. The market is shifting from isolated extortion events to an access-and-infrastructure economy where disruption, not just response speed, determines defender outcomes.
NHIMG editorial — based on content published by Chainalysis: LLMjacking and ransomware ecosystem analysis from the 2026 Crypto Crime Report
By the numbers:
- Total on-chain ransomware payments fell by approximately 8% to $820 million in 2025.
- Claimed ransomware victims rose 50% year-over-year in 2025.
- The median ransom payment grew 368% year-over-year to nearly $60,000.
Questions worth separating out
Q: What breaks when ransomware actors buy access instead of stealing it themselves?
A: When attackers buy footholds, traditional perimeter indicators arrive too late because the initial compromise has already been converted into authenticated access.
Q: Why do credentials and privilege matter so much in ransomware incidents?
A: Ransomware operators usually need administrative access to disable security tools, stop services, move laterally, and encrypt at scale.
Q: How do organisations know whether ransomware identity controls are actually working?
A: Look for reduced privilege breadth, shorter-lived elevated sessions, and faster revocation when suspicious activity appears.
Practitioner guidance
- Correlate access-market signals with ransomware readiness Feed exposed credential alerts, broker-market intelligence, and authentication anomalies into the same triage queue so security teams can act before the usual extortion window opens.
- Shrink standing privilege windows Review administrative and service-account access that persists after task completion, then remove or time-box any privilege that would let a brokered foothold become an internal launch point.
- Harden credential and secret exposure pathways Inventory where secrets, API keys, and privileged tokens can be exposed through code repositories, logs, or misconfigured cloud services, then pair detection with rapid revocation and rotation.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- On-chain attribution methods used to separate ransomware receipts from related cybercrime flows.
- Breakdowns of initial access broker activity and how those flows were linked to later victim payments.
- Per-strain laundering patterns that help investigators fingerprint ransomware groups by behaviour, not just malware name.
- The infrastructure disruption examples involving bulletproof hosting and proxy services that this post only summarises.
👉 Read Chainalysis's 2026 crypto crime report on ransomware and access markets →
Ransomware access markets and infrastructure: what practitioners need to know?
Explore further
Ransomware has become an access-market governance problem. The article makes clear that the economic center of gravity is shifting before encryption ever starts. Initial access brokers, standing credentials, and exposed services now shape the likelihood of downstream extortion more than the malware name itself. For identity teams, the control question is whether access can be discovered, constrained, and invalidated before it is monetised.
A question worth separating out:
Q: Who is accountable when brokered access leads to ransomware impact?
A: Accountability sits across identity, security operations, infrastructure, and resilience teams because the failure usually starts before the incident is visible. Controls over privileged access, secret handling, and exposure monitoring are governance responsibilities, not just technical ones. Frameworks such as NIST CSF and NIST SP 800-53 make that shared ownership explicit.
👉 Read our full editorial: Ransomware payments flattened as access markets and infrastructure grew