Key Takeaways

  • Estimated ransomware payments fell to roughly three-quarters of a billion dollars in the most recent annual reporting period
  • Defensive practices, better incident response, and reduced willingness to pay appear to be contributing factors
  • Attackers are shifting tactics, prompting enterprises to rethink resilience strategies

Apparently we’re supposed to feel optimistic because ransomware payments dropped last year… to only about three-quarters of a billion dollars. It’s a strange kind of good news, but in a threat landscape that rarely offers any, security teams are willing to take the win—cautiously.

Several blockchain analysis firms, including widely cited research groups such as Chainalysis, have pointed to a measurable decline in money flowing to ransomware operations. While methodologies differ, the general trend appears consistent enough to take seriously. Payments didn’t fall to zero, of course, but the downturn suggests something in the ecosystem has shifted. The question is: what, exactly?

Here’s the thing—ransomware groups haven’t gone quiet. In fact, security researchers and government agencies repeatedly emphasize that attack volumes remain high, and in some sectors, they’re increasing. Healthcare, education, and local government continue to face relentless pressure. So the reduction in payments doesn’t stem from a drop in activity. If anything, it may reflect improved resilience.

Some CISOs argue that they’re simply better prepared. Over the past few years, the industry has leaned heavily into tabletop exercises, immutable backups, segmentation strategies, and faster containment. Cyber insurers, meanwhile, have tightened underwriting requirements. And while insurers don’t like to broadcast it, many have also reduced the scenarios in which ransom payments are reimbursed. When the checkbook closes, payment rates tend to fall. It’s not particularly complicated.

But there’s also the attacker side. Several major ransomware brands imploded or fractured due to law-enforcement pressure. The takedown of the Hive infrastructure in early 2023 is still frequently cited by analysts as an inflection point, even though the criminals behind it partially reconstituted elsewhere. More recently, coordinated international disruptions of other high-profile groups have chipped away at the stability of the ecosystem. Criminal marketplaces, it turns out, don’t handle trust issues well.

Then again, it’s worth pausing to ask whether payment data captures the full picture. Blockchain-based estimates are powerful because ransomware operators rely so heavily on cryptocurrency. But smaller extortion operations sometimes turn to alternative payment channels, or they fragment demands across wallets that are harder to attribute. Some industry reports have noted this shift, although they stop short of offering firm numbers. The point is simply that no one has a perfect view.

That said, the decline may still signal a broader behavioral change among enterprise victims. Many organizations are now more aware that paying doesn’t guarantee a decryption key, nor does it ensure stolen data won’t be leaked anyway. The double-extortion trend—stealing data before encryption—has burned enough victims that they’re more willing to refuse. It’s a rough lesson, but one repeatedly reinforced.

Interestingly, not all attackers appear happy with the direction things are going. Some ransomware groups have increased initial ransom demands, hoping to offset a lower probability of payout. Others have leaned harder into data theft, treating encryption as optional. A few have even attempted to rebrand themselves as “data brokers,” likely to sidestep heightened scrutiny. Whether this works long-term is debatable.

For business and technology leaders, the drop in payments is notable but not game-changing. Yes, it suggests defenses are improving. But yes, it also suggests attackers will pivot, because they always do. Security teams report that intrusions are faster, stealthier, and more automated than they were even two years ago. Techniques like living-off-the-land abuse, identity compromise, and exploitation of remote-access systems continue to dominate incident reports from agencies such as CISA, which regularly warns about the importance of basic hygiene practices.

One micro-tangent worth considering: as AI-powered tools proliferate, both attackers and defenders are experimenting with automation in new ways. Some security vendors claim that AI-assisted detection is catching ransomware precursors earlier. Meanwhile, cybercriminal groups experiment openly with large language models to generate phishing lures and scripts. The arms race doesn’t slow down just because the payments dipped.

Still, the psychological impact of the trend matters. Security leaders are often hungry for signals that all the investment—patching workflows, microsegmentation projects, the endless user training—is actually moving the needle. Seeing financial pressure on attackers may reinforce the value of those efforts.

Of course, optimism in cybersecurity has a short half-life. A single high-impact incident, especially in a critical sector, can skew the entire narrative. Organizations should treat the decline in ransomware payouts not as a sign to relax, but as evidence that layered defense, when consistently applied, can shift attacker economics. And if economics can shift once, they can shift further.

If nothing else, the trend shows that coordinated pressure—across policy, technology, insurance, and operational security—can influence criminal markets. It’s not a final victory. It’s not even a major one. But it is proof that the landscape is not immutable. And that might be the most valuable takeaway of all.