Ransomware Payments Drop 35% as Threat Economy Shifts
Fewer ransomware victims are paying, but groups are now targeting industrial sectors and running fraud operations, creating new disclosure gaps in industries that have never faced cyber reporting rules.
Ransomware victims paid $813 million to attackers in 2024, a 35 percent drop from the previous year, according to data released by blockchain analytics firm Chainalysis in February 2025. Less than half of recorded ransomware incidents ended with a payment, the firm reported, marking the lowest payment rate since it began tracking the statistic. The number was released in a year-end report that the firm published on its website and syndicated through CoinDesk, and it became the central data point in a debate that has since widened: was the ransomware business model weakening, or was it simply mutating into something harder to measure?
The answer, eighteen months later, is both. The raw economics of ransomware have shifted under pressure from law enforcement operations, improved backup practices, and a growing consensus among insurers and regulators that paying ransoms creates more harm than it prevents. But the groups that built the ransomware economy did not retire. They moved laterally into adjacent crimes that are harder to tally, harder to attribute, and harder for disclosure rules to catch.
By May 2026, the World Economic Forum's Global Cybersecurity Outlook had registered a distinct inversion in what corporate leaders fear. Cyber-enabled fraud, not ransomware, had become the primary concern for CEOs. Ninety-four percent of executives surveyed told the WEF that artificial intelligence was the most significant driver of change in the cybersecurity domain, accelerating both defensive tools and the velocity of fraudulent campaigns. The Tech Edvocate summarized the findings on May 7, noting that the shift was not merely statistical: fraud was now outpacing ransomware in frequency and in the attention it commanded from boards.
The distinction matters for disclosure. A ransomware event typically produces a visible disruption: systems locked, operations halted, a ransom note. It triggers breach-notification obligations, regulatory filings, and often a public statement. Fraud does not always leave the same footprint. Business email compromise, invoice redirection, and AI-generated impersonation campaigns can drain funds over weeks or months without a single system going offline. The victim may never know the full scope, and the decision to disclose becomes discretionary in ways that ransomware disclosure, increasingly, is not.
The regulatory architecture around ransomware disclosure has tightened considerably since 2023. The U.S. Securities and Exchange Commission now requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality. The European Union's Digital Operational Resilience Act has imposed parallel obligations on financial entities. But these rules were written for the ransomware era they knew: a disruption, a forensic investigation, a determination of materiality, a filing. They are less legible when the crime is a slow fraud that never trips a network monitoring alert.
The United Kingdom went further in a different direction. In September 2025, the UK government proposed a legal prohibition on ransomware payments for operators of critical national infrastructure and public-sector bodies. TechRadar reported on the proposal, describing it as a measured legal response that split opinion among incident-response professionals. Proponents argued a ban would dismantle the profit incentive. Critics countered that an outright prohibition would simply drive payments underground, making the true scale of the problem even less visible than it already is.
The industrial attack surface widens
One signal that the ransomware economy has not contracted so much as changed shape is its expansion into sectors that barely registered in incident data five years ago. In April 2026, pv magazine International published an analysis of ransomware threats targeting photovoltaic energy systems. The article detailed how attackers can encrypt or lock critical PV system data and control platforms, preventing operators from accessing or managing their assets until a ransom is paid. The disruption can reduce energy production and create safety risks, the report noted, because solar arrays are controlled through networked industrial platforms that were not always designed with threat containment in mind.
The photovoltaic sector is not an outlier. It is a case study in what happens when any industry with operational technology connects its control systems to the internet without segmenting them from IT networks. The same pattern has appeared in water treatment facilities, agricultural processing plants, and port logistics systems. In each case, the attackers are not inventing new techniques; they are applying the same encryption-and-extortion model to targets that have fewer detection capabilities and, critically, no established norm for what constitutes reportable incident disclosure.
The ransomware-as-a-service (RaaS) model has accelerated this dispersion. Tech Times reported in March 2026 that RaaS platforms now allow attackers with minimal technical skill to target hospitals, government networks, and industrial facilities. The platforms operate like franchised businesses: one group maintains the malware and the payment infrastructure; affiliates do the intrusion and the negotiation. The affiliate model lowers the barrier to entry and distributes the attack surface across more targets than any single law enforcement operation can address.
What the RaaS model also does is obscure the money. When payments were routed through a smaller number of high-profile groups, Chainalysis and other blockchain analytics firms could track flows with relative precision. The 35 percent decline in payments that Chainalysis measured in 2024 may reflect not just fewer payments but a shift to smaller, more fragmented groups whose transactions are harder to trace, along with a rise in out-of-band payment methods that never touch a blockchain at all.
"Less than half of recorded ransomware attacks resulted in victim payments." (Chainalysis, 2024 ransomware report)
That sentence, published by Chainalysis in February 2025, has become the reference point for every claim that ransomware is in retreat. But the qualifier is the word "recorded." Chainalysis tracks payments on public blockchains. It does not track payments made through intermediaries, in alternative cryptocurrencies with privacy features, or in the physical world. Nor does it count the business interruption costs, the remediation expenses, or the regulatory fines that accrue whether or not a ransom is paid. The payment is the narrowest possible measure of the problem.
The disclosure gap compounds the measurement gap. Companies in sectors with mandatory reporting requirements file incident notices with regulators, but those filings are not always public, not always timely, and not always consistent in what they describe. A ransomware event that disrupts a manufacturing line may be reported as an operational disruption without the word "ransomware" appearing anywhere in the disclosure. An extortion threat that does not result in data encryption may not be reported at all. The taxonomy of the problem is still being argued over by lawyers, incident responders, and the standards bodies that write disclosure forms.
What we do not know in 2026
Three structural unknowns make the ransomware and fraud economies harder to assess in 2026 than they were in 2022. The first is the true payment rate. If fewer than half of recorded attacks result in a blockchain payment, but an unknown fraction result in off-chain payments or in extortion settlements that are classified as something other than ransomware, then the published numbers represent a floor, not an estimate.
The second unknown is the substitution effect between ransomware and fraud. The WEF data shows fraud overtaking ransomware in CEO surveys, but that could mean fraud is growing, ransomware is shrinking, or enterprises are simply getting better at detecting fraud and worse at detecting ransomware. Without a common reporting taxonomy across both categories, no one can say which explanation is correct.
The third unknown is the industrial sector's reporting maturity. The photovoltaic industry was barely on the cybersecurity map five years ago. Today it is a documented target. The same is true of agricultural technology, maritime logistics, and building management systems. Each sector has its own operational priorities, its own regulatory framework, and its own threshold for what constitutes a reportable event. There is no aggregate picture of how many ransomware attacks are hitting operational technology networks, because no single agency collects that data with a consistent methodology.
What is known is that the groups behind the major ransomware strains of 2022 and 2023 have not disappeared. Some have rebranded. Some have been disrupted by law enforcement and reconstituted under new names. Some have pivoted to data extortion without encryption, which generates no operational disruption and therefore triggers fewer automatic disclosure obligations. The infrastructure of the ransomware economy, refined over a decade, remains in place. What has changed is where it applies pressure and how the pressure registers on the balance sheets and regulatory filings of the institutions that are supposed to track it.
The next twelve months will test whether the disclosure frameworks built for the ransomware crisis of the early 2020s can stretch to cover the fraud-and-extortion landscape that has followed it. The SEC's four-day rule, DORA in Europe, and the UK's proposed payment ban are all products of a particular moment in the threat cycle. That moment has passed. The next set of rules will have to account for crimes that do not announce themselves with a locked screen and a Bitcoin address. Whether they do so before the data gap becomes a policy failure is the question that will define the beat.