Ransomware attacks soar as hackers pivot to small businesses
Ransomware activity accelerated sharply in 2025, but the money flowing to attackers moved in the opposite direction.
New research from Chainalysis shows that while the number of attacks jumped significantly, overall ransom payments declined.
The firm’s annual report, published on February 26, recorded nearly 8,000 public leak events in 2025.
That represents a 50% increase compared with 2024. Yet total on-chain ransom payments fell to $820 million, down 8% year on year.
The figures point to a structural shift in how ransomware groups operate and who they choose to target.
Source: Chainalysis
Small businesses under pressure
According to Chainalysis, attackers are increasingly turning their attention to small and medium-sized enterprises.
Heightened regulatory scrutiny, enforcement actions against laundering networks, and a broader refusal by large organisations to pay ransoms have changed the economics of high-profile attacks.
With major firms more resistant and law enforcement more active, criminals appear to be pursuing smaller targets that may lack robust cyber defences.
The report references comments from eCrime.ch founder Corsin Camichel, who noted that fewer large, headline-making breaches are being observed.
Instead, there is a higher volume focused on smaller victims.
However, Chainalysis data shows that despite record public claims of attacks, actual ransom payments are trending downward.
This gap between reported incidents and confirmed payments suggests attackers are facing diminishing returns.
Payments fall despite record claims
The nearly 8,000 leak events recorded in 2025 mark an all-time high.
Even so, the $820 million in on-chain payments signals a drop in overall revenue for ransomware operators.
Chainalysis attributes the decline to enforcement actions that have disrupted laundering infrastructure and made it harder for criminal groups to move funds.
At the same time, many large corporations and institutions are choosing not to pay, reducing incentives for attackers to stage major breaches.
As profitability narrows, ransomware activity appears to be shifting towards volume-based strategies rather than large individual payouts.
Cheap access and AI tools
The surge in attempted attacks is also linked to falling prices for victim access on dark web marketplaces.
Chainalysis found that the average price for victim access declined from $1,427 at the start of 2023 to $439 at the start of 2026.
An influx of low-cost ransomware strains, alongside AI integrations that streamline attack processes, has lowered the barrier to entry.
The report describes industrialised access pipelines, AI-assisted tooling, and a proliferation of infostealer logs.
This oversupply of inexpensive but operationally limited tools has flooded underground markets and pushed pricing lower, contributing to the rise in overall attack volume.
Crypto scams surge in early 2026
Although ransomware payments dipped in 2025, broader crypto-related crime remains active.
A recent report from cybersecurity company CertiK found that $370.3 million in crypto was stolen in January 2026 alone.
Phishing scams accounted for $311.3 million of that total, representing the largest share of losses.
The data indicates that while ransomware revenue is under pressure, attackers are adapting.
The post Ransomware attacks soar as hackers pivot to small businesses appeared first on Invezz
