Ransomware Activity Continues to Expand But Payments to Bad Actors Stagnated: Analysis

TRM Labs indicated recently that ransomware activity continued to expand in 2025 even as payments mostly stagnated over the same period. The blockchain intelligence firm added that total ransomware-linked volume reached around USD 1.3 billion (down considerably from USD 1.9 billion in 2024), while ransom payments held fairly steady at around USD 850 million. At the same time, victim postings on leak sites increased by over 40%, indicating growing activity along with declining payment rates.

According to insights from TRM Labs, this divide now presents four “unique” opportunities.

TRM Labs has reportedly identified 93 new ransomware variants in the past year alone, a notable 94% increase from 2024.

Opportunity 1: Geographic reach is now said to be steadily expanding into “extraditable” jurisdictions.

The Ransomware-as-a-Service (RaaS) model has now considerably diversified the ransomware ecosystem, effectively dispersing operators across a wider range of nations.

TRM Labs’ analysis links actors across several different groups and identifies affiliates in “cooperative” jurisdictions.

Opportunity 2: Cyber crime services are thought of as a more disruptible layer than ransomware alone.

The ecosystem increasingly relies on third-party providers (such as initial access brokers, bulletproof hosters, and credential tools), which tend to operate with relatively weaker operational security.

Opportunity 3: Leaks as well as physical crimes are effectively generating actionable intelligence.

Internal leaks, infrastructure seizures, and cryptocurrency-related physical crimes are now said to be exposing operator identities as well as key operational details, strengthening attribution and significantly increasing opportunities for real-world enforcement.

Opportunity 4: Cross-chain laundering is considered to be significantly more traceable than actors may believe.

Ransomware actors are now said to be gradually shifting from mixers to cross-chain bridges, perceiving them as providing more overall anonymity.

But repeated infrastructure usage as well as consolidation patterns continue to provide traceable on-chain footprints, thus enabling attribution.

TRM Labs further noted that ransomware payments during the past year totaled around USD 850 million, basically flat from 2024, while the number of victims posted on leak sites actually increased by 44%.

But when accounting for wider illicit flows into ransomware wallets, such as transfers from other ransomware groups and payments from cybercrime service providers, the total volume received by these bad actors surpassed USD 1.3 billion.

TRM Labs concluded that this divergence indicates that, despite an expanded threat environment driven by considerably lower barriers to entry, victims are now increasingly refusing to make any payments to attackers.

It’s not entirely clear whether this is a good strategy, but giving in to the demands of malicious actors may not be the best course of action. Putting up some level of resistance by not easily paying up can be challenging during these stressful situations, but it could send a clear message to these bad actors: the industry will not bend easily to these attacks.

However, what’s also needed at this time are improved investigation tools to potentially track down these entities and punish them accordingly.


