Ransomware payments plummet as more victims refuse to pay


Chainalysis’ latest report on how the ransomware landscape changed from 2023 to 2024 shows a promising trend: An increasing number of victims are refusing to pay the ransom.

The total volume of ransom payments decreased year-over-year by approximately 35%, the blockchain analysis firm says. In 2023, victims delivered $1.25 billion to ransomware attackers and data theft and extortion gangs. In 2024, the number fell to $813.55 million.

Ransomware payments vs. data leak site victims, 2024 (Source: ecrime.ch)

Lower and less frequent ransom payments

2024 was marked by a number of high-profile attacks. Hackers accessed the Snowflake accounts of many organizations and pilfered their data, and a disruptive ransomware attack against pathology services provider Synnovis impacted patients and ended up affecting the National Health Service in England.

On the positive side, law enforcement around the world launched a number of actions that crippled some ransomware gangs: the takedown of LockBit’s infrastructure, the unmasking of the LockBit leader and affiliates, the charging of a LockBit developer, the sentencing of NetWalker affiliates, the charging of the Phobos ransomware administrator, the arrest of the suspected head of the Reveton and Ransom Cartel RaaS groups, the disruption of the Radar/Dispossessor ransomware group and, before all that, the disruption of ALPHV/Blackcat leak sites (which was followed by the group’s exit scam in early 2024).

These actions are one of the reasons for the decline in the global amount paid to ransom stolen or encrypted data.

“The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” Lizzie Cookson, Senior Director of Incident Response at Coveware, commented.

“We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high profile takedowns and closures. The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”

Another reason for the fall in the total ransom amount paid out in 2024 is improved cyber hygiene and overall resiliency.

Other notable trends

Among the more high-profile groups in 2024 was RansomHub, which apparently absorbed many of the former affiliates of LockBit and ALPHV/BlackCat and went on to hit many victims. Akira and Fog – believed to be connected – are the other two groups that demonstrated the ability to hit a lot of targets.

Chainalysis also noted that ransomware operations became faster, with negotiations often starting within hours of data exfiltration.

But attackers’ dwell times before actually deploying the ransomware have become longer, Cisco Talos incident responders have found, which may indicate that the attackers are trying to expand their access, evade defenses, and/or identify data of interest for exfiltration.

“Talos IR observed operators leveraging remote access tools in 100 percent of ransomware engagements this quarter, a significant uptick from last quarter, when it was only seen in 13 percent of ransomware or pre-ransomware engagements,” they also noted.

A few weeks ago, Rapid7 released its 2024 Ransomware Landscape report, pointing out another trend: Threat actors are demanding multiple payments: for the release of the stolen data, for sharing encryption keys and, in some cases, for refraining from launching DDoS attacks or directly contacting the victims’ partners and clients.
