The whole quantity of ransom funds decreased year-over-year by roughly 35%, on account of regulation enforcement actions and extra victims refusing to pay, in accordance with blockchain analytics firm Chainalysis.
In 2024, ransomware attackers collected roughly $813.55 million in funds, a big drop from the $1.25 billion collected in 2023 and $1.07 billion collected in 2021, Chainalysis stated in its 2025 Crypto Crime Report. Funds had been barely up by roughly 2% within the first half of the 12 months, main the corporate to estimate that 2024 would surpass 2023’s totals. Whereas the variety of ransomware occasions elevated within the second half of 2024, on-chain funds declined, suggesting that though extra victims had been focused, fewer really paid the ransom. In some instances, those that paid managed to efficiently negotiate the ransom quantity to a a lot smaller quantity.
Victims organizations have wrestled with the pay-or-not-pay dilemma for years. On one hand, paying will be the solely reply is there isn’t a different method to get better the info or if the downtime ready to get better the info is just too lengthy. Alternatively, paying rewards legal exercise, funds future actions, and should encourage extra assaults towards the sufferer. Improved cyber hygiene and general resiliency helps organizations make the choice to not pay, in accordance with Christian Geyer, founder and CEO of Actfore. Higher incident response capabilities, digital forensics, and knowledge mining providers are serving to victims establish the breached knowledge sooner.
“Organizations have more and more applied complete knowledge backup options, so the enterprise can quickly get better their programs via a wipe and restore course of,” Geyer stated.
One more reason is that regulation enforcement actions are making an influence on the ransomware ecosystem. A number of ransomware teams that had been prolific in 2023 and the primary half of 2024 weren’t as lively within the second half of the 12 months. LockBit is one such case. The UK’s Nationwide Crime Company, the U.S. Federal Bureau of Investigation, and regulation enforcement entities in Canada, Japan, and Australia, collaborated in Operation Cronos to seize knowledge and web sites related to LockBit in February 2024. That disruption appeared notably efficient, as funds to the criminals behind LockBit decreased by 79% within the second half of 2024. Equally, ALPHV/BlackCat going darkish in March 2024 after amassing $22 million from Change Healthcare left “a void” within the second half of 2024, Chainalysis stated.
When a big group leaves the cybercrime ecosystem — both after a regulation enforcement disruption or voluntarily shutting down operations — there often is a slight dip in exercise after which one other group ramps up actions to fill that vacuum. That does not appear to have occurred in 2024, Lizzie Cookson, a senior director of incident response at Coveware, advised Chainalysis. “We noticed an increase in lone actors, however we didn’t see any group(s) swiftly take up their market share…The present ransomware ecosystem is infused with loads of newcomers who are inclined to focus efforts on the small- to mid-size markets, which in flip are related to extra modest ransom calls for.”