Payments to ransomware actors decreased 35% year-over-year in 2024, totaling $813.55 million, down from $1.25 billion recorded in 2023.
Additionally, only about 30% of victims engaged in negotiations with ransomware actors ended up paying any ransom to them.
These figures are reported by blockchain intelligence firm Chainalysis, underlining a significant decline in an otherwise record-breaking year for ransomware.
Source: Chainalysis
Specifically, 2024 saw a Fortune 50 firm paying a record $75,000,000 amount to the Dark Angels ransomware group. Moreover, according to NCC Group, 2024 was the year with the highest volume of ransomware breaches, counting 5,263 successful attacks.
This is further corroborated by Chainalysis reporting that disclosures on data leak sites increased, suggesting that attackers are struggling to extort payments and increasing their activity to compensate for it.
Source: Chainalysis
No more ransom
The decline in ransomware payments despite increased attacks in 2024 is explained by several key factors, primarily higher victim resistance.
With awareness of risks underpinning ransomware breaches having increased across all industries, entities invest more in cybersecurity, adopt better practices, and implement stronger protection measures.
Additionally, a realization of threat actors’ promises to delete stolen data can’t be trusted, and due to legal pressure, more organizations are refusing to negotiate. Instead, they would rather absorb the reputational impact and recover their data/systems from backups.
Another dimension that played a key role in the decline is the law enforcement operations targeting ransomware gangs that took place last year. Most notably, the ‘Operation Cronos’ action that disrupted the most notorious and prolific ransomware group at the time, LockBit.
This, combined with the exit scam of ALPHV/BlackCat, left the space fragmented, with smaller operations failing to fill the void despite RansomHub’s relative success.
Ultimately, Chainalysis data shows that the median payment amounts dropped in 2024 despite the Dark Angels’ record, indicating that even when payments were made, they were often negotiated down.
Source: Chainalysis
Laundering complexities
Even for the money that gets into ransomware actors’ pockets, things have gotten much more complicated than in past years when cybercriminals had multiple laundering options.
Law enforcement crackdowns on cryptocurrency mixers and exchanges that didn’t abide by know-you-customer (KYC) laws have also pressed ransomware actors to look elsewhere.
Source: Chainalysis
Chainalysis says mixing services are now being abandoned in favor of cross-chain bridges to obfuscate transactions and evade tracking.
Centralized exchanges remained the primary cash-out method in 2024, with 39% of all ransomware proceeds being passed through them.
Finally, Chainalysis says an increasing number of affiliates opt to hold ransomware proceeds in personal wallets and hesitate to cash out due to fear of getting tracked down and arrested.