Ransomware Payments Plummet Despite Catastrophic Hacks in 2024.
Ransomware gangs continued to wreak havoc throughout 2024, but new findings reveal a surprising trend: victims' payments to cybercriminals plummeted by hundreds of millions of dollars. While major attacks such as the hack of Change Healthcare and high-profile breaches by ransomware groups like BlackCat and Lockbit kept headlines buzzing, the overall ransom amounts paid fell sharply in 2024.
According to a report by cryptocurrency tracing firm Chainalysis, ransomware victims paid a total of $814 million in 2024, a 35% decrease compared to the staggering $1.25 billion extorted in 2023. Breaking it down further, the latter half of 2024 saw an even more significant decline in payments, with hackers collecting just $321 million between July and December, compared to $492 million during the first half of the year. This was the steepest drop in payments recorded by Chainalysis between two six-month periods.
“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, who heads up cyber threat intelligence at Chainalysis. Burns Koven suggests that this decline can be attributed to law enforcement actions and the subsequent disruption of major ransomware groups. “For the major attacks that occurred last year, those groups don't exist anymore or have been laying low,” she adds. “There's been a strong signal from law enforcement that if you cross the line, there's going to be consequences.”
Two major takedowns in early 2024 contributed to this shift: In December 2023, the FBI successfully compromised the encryption software used by BlackCat (also known as AlphV), distributing decryption keys to victims and dismantling the group's infrastructure. Two months later, the UK's National Crime Agency (NCA) took down Lockbit's operations, seizing cryptocurrency wallets, shutting down dark-web sites, and even gathering information about its members.
While these takedowns initially seemed to have little effect on the ransomware groups, the reality was quite different. AlphV continued to operate briefly after the FBI operation, hacking Change Healthcare and demanding $22 million. However, the group soon pulled an “exit scam,” disappearing with the ransom without sharing it with its partners. Similarly, Lockbit’s operations slowed down following the NCA’s crackdown, possibly due to mistrust in its leader, Dmitry Khoroshev, whose identity was revealed during the operation. In May 2024, Khoroshev was sanctioned by the US Treasury, complicating legal avenues for victims looking to pay ransoms.
Related: The rise of Ransomware attacks within the Legal industry
The disruption of these two major ransomware players had a lasting impact, leaving a gap filled by less experienced groups. According to Burns Koven, these newer ransomware gangs lacked the expertise and resources of their predecessors, often targeting smaller victims and demanding smaller ransoms, sometimes as low as tens of thousands of dollars.
“Their talent is not quite as robust as their predecessors,” Burns Koven explains. “We're seeing the hangover of these law enforcement takedowns, not just directly targeting individuals and strains of malware but also the infrastructure and tools and services that had been used to perpetuate these attacks.”
Despite a rise in the number of attacks, with 4,634 incidents recorded in 2024 compared to 4,400 in 2023, the smaller ransom amounts suggest newer threat actors are opting for quantity over quality, according to Allan Liska, a threat intelligence analyst at Recorded Future. "What we're seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money they see you can make in ransomware, trying to get into the game and not being very good at it," he says.
Several factors beyond law enforcement disruption are at play in the decline of ransomware payments. Global awareness of the ransomware threat has led to stronger defenses and better incident response strategies, while increasing regulation of cryptocurrency and crackdowns on money laundering infrastructure have made it harder for criminals to process payments without detection.
Although ransomware payments dropped significantly in the second half of 2024, experts warn that this decline is not necessarily indicative of a permanent trend. In 2022, ransomware payments also saw a decrease, only for the attacks to spike again in 2023. Brett Callow, a managing director at FTI Consulting, believes that ebbs and flows are inevitable in the battle against ransomware, with periods of high activity followed by short-term declines.
“We really need to analyze trends over a longer period, because increases and decreases over shorter periods don't really tell us much,” Callow says.
Ransomware incidents may fluctuate, but experts remain cautious. As Burns Koven warns, “We’re still standing in the rubble, right? We can't go tell everyone, everything's great, we solved ransomware—they're continuing to go after schools, after hospitals, and critical infrastructure.” Although defenders are seeing some positive results, she notes that there’s still much work to be done in combating the ransomware threat.
