The overall quantity of ransom funds decreased yr over yr by roughly 35% on account of legislation enforcement actions and extra victims refusing to pay, in line with blockchain analytics firm Chainalysis.
In 2024, ransomware attackers collected roughly $813.55 million in funds, a big drop from the $1.25 billion collected in 2023 and $1.07 billion collected in 2021, Chainalysis mentioned in its “2025 Crypto Crime Report.” Funds have been barely up by roughly 2% within the first half of the yr, main the corporate to estimate that 2024 would surpass 2023’s totals. Whereas the variety of ransomware occasions elevated within the second half of 2024, on-chain funds declined, suggesting that regardless that extra victims have been focused, fewer really paid the ransom. In some circumstances, those that paid managed to efficiently negotiate the ransom quantity to a a lot smaller quantity.
Victims organizations have wrestled with the pay-or-not-pay dilemma for years. On one hand, paying stands out as the solely reply when there isn’t a different technique to recuperate the info or the downtime ready to recuperate the info is just too lengthy. Then again, paying rewards felony exercise, funds future actions, and will encourage extra assaults towards the sufferer. Improved cyber hygiene and general resiliency helps organizations make the choice to not pay, in line with Christian Geyer, founder and CEO of Actfore. Higher incident-response capabilities, digital forensics, and data-mining providers are serving to victims establish breached knowledge quicker.
“Organizations have more and more applied complete knowledge backup options, so the enterprise can quickly recuperate their methods by means of a wipe-and-restore course of,” Geyer mentioned.
Another excuse is that legislation enforcement actions are making an affect on the ransomware ecosystem. A number of ransomware teams that have been prolific in 2023 and the primary half of 2024 weren’t as energetic within the second half of the yr. LockBit is one such case. The UK’s Nationwide Crime Company, the US FBI, and legislation enforcement entities in Canada, Japan, and Australia collaborated in Operation Cronos to seize knowledge and web sites related to LockBit in February 2024. That disruption appeared significantly efficient; funds to the criminals behind LockBit decreased by 79% within the second half of 2024. Equally, ALPHV/BlackCat’s going darkish in March 2024 after gathering $22 million from Change Healthcare left “a void” within the second half of 2024, Chainalysis mentioned.
When a big group leaves the cybercrime ecosystem — both after a legislation enforcement disruption or voluntarily shutting down operations — there normally is a slight dip in exercise after which one other group ramps up actions to fill the void. That does not appear to have occurred in 2024, Lizzie Cookson, a senior director of incident response at Coveware, advised Chainalysis.
“We noticed an increase in lone actors, however we didn’t see any group(s) swiftly take in their market share. … The present ransomware ecosystem is infused with a number of newcomers who are inclined to focus efforts on the small to midsize markets, which in flip are related to extra modest ransom calls for,” she mentioned.
