Ransomware payment value fell over 30% in 2024


The total value of payments made to cyber criminal ransomware gangs fell dramatically in the back half of 2024, and according to statistics released this week by Chainalysis, a supplier of blockchain and crypto services, less than half of victims of recorded incidents even made a payment.

Chainalysis found that over 2024 as a whole, ransomware gangs collectively made about $813.6m (£652.7m), down from 2023’s $1.25bn, and although payments were up by 2.4% in the first half of the year, they dropped by 37.5% in the second half.

Its analysts suggested that both a growing number of law enforcement actions and the effects of international cooperation on ransomware were likely important factors in the fall. Additionally, they said, more victims seem to be refusing to pay.

However, wrote the report’s authors, this does not mean that cyber criminal operations are shutting up shop.

“In response, many attackers shifted tactics, with new ransomware strains emerging from rebranded, leaked or purchased code, reflecting a more adaptive and agile threat environment,” they said.

“Ransomware operations have also become faster, with negotiations often beginning within hours of data exfiltration.”

Coveware senior director of incident response Lizzie Cookson, who shared insight with the Chainalysis team for the report, said the market had never really recovered following the downfall of the LockBit and ALPHV/BlackCat gangs.

“We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high-profile takedowns and closures,” said Cookson. “The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”

Improved cyber security hygiene and resiliency may also be playing a role here. The increased profile of ransomware attacks in daily discourse means organisations are investing more and better in defensive countermeasures, and hence find themselves better able to resist cyber criminal demands, negotiate to reduce the final payments, or explore other options such as ignoring the gangs and restoring from backups when they get hit.

Christian Geyer, founder and CEO at Actfore, a Washington DC-area cyber forensics specialist, said: “Organisations have increasingly implemented comprehensive data backup solutions, so the business can rapidly recover their systems through a wipe-and-restore process. 

“Many are becoming more tech-driven when it comes to incident response services, enabling them to identify the breached data much faster,” he told Computer Weekly. “Digital forensics is not only becoming more advanced and precise, but data mining services and incident response are evolving to be more efficient and proactive. Technology is allowing organisations to better understand the contents of the stolen data before proceeding down the road of ransom payment.”

Geyer also said victims may be resisting demands out of concern over the ethical and legal ramifications of sending large ransomware payments to unknown, unidentified actors.

“For instance, if the threat actor is a foreign nation-state sponsored terrorist group, then it could be seen as illegal to be paying money to those adversaries,” he said. “The playing field becomes more level when you have more data to make decisions about whether to pay or not.”

Changing behaviour

Chainalysis’s insight into how cyber criminals exploit the world of crypto in their attacks may also explain some of the changes. The team said they observed significant changes in how ransomware gangs “off-ramp” their funds, with a significant decline in the use of so-called mixers in 2024 – likely testament to the impact of sanctions and police action.

A far higher proportion of ransomware funds are now flowing through centralised exchanges and personal wallets, while cross-chain bridges are replacing mixers as a means of obscuring where the money is heading.

The use of personal crypto wallets is particularly interesting, said Chainalysis, and likely a big factor in the decline.

“Curiously, ransomware operators, a primarily financially motivated group, are abstaining from cashing out more than ever,” they said. “We attribute this largely to increased caution and uncertainty amid what is probably perceived as law enforcement’s unpredictable and decisive actions targeting individuals and services participating in or facilitating ransomware laundering, resulting in insecurity among threat actors about where they can safely put their funds.”

Getting speculative

Finally, Jon Miller, CEO and co-founder of ransomware prevention specialist Halcyon, suggested there may be another factor to partially explain the decline.

“2024 was a major election year in the US, with a lot at stake for nation-states like Russia, who give safe harbour to ransomware operators,” he said.

“The 2022 ‘lull’ has in part been attributed to Russia redirecting some cyber criminal resources to conduct more state-supported operations against Ukraine and their western supporters, so this decline in payments could also be in part the result of the most talented ransomware operators being yet again pulled off their cyber criminal activities to support Russian state priorities around the US election, so the drop was most precipitous in the second half of the year.”


