Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label ransomware payments. Show all posts

Ransomware Payments Plummet in 2024 Despite Surge in Cyberattacks

 

The past year witnessed a series of devastating ransomware attacks that disrupted critical sectors. Cyber extortion groups targeted Change Healthcare, crippling hundreds of US pharmacies and clinics, exploited security loopholes in Snowflake's customer accounts to infiltrate high-profile targets, and secured a record-breaking $75 million from a single victim.

Despite these high-profile incidents, data reveals an unexpected trend: overall ransomware payments declined in 2024, with the second half of the year experiencing the steepest drop ever recorded. A report by cryptocurrency analytics firm Chainalysis shows that ransomware payments totaled $814 million in 2024, marking a 35% decrease from the record $1.25 billion paid in 2023. The decline became more pronounced between July and December, when hackers collected only $321 million, compared to $492 million in the first half of the year—representing the largest six-month reduction in ransomware payments observed by Chainalysis.

“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. She attributes this shift to law enforcement takedowns and disruptions, some of which had delayed effects as organizations grappled with major breaches.

Significant law enforcement actions in late 2023 and early 2024 targeted major ransomware groups. Just before Christmas in 2023, the FBI exploited vulnerabilities in BlackCat (AlphV)'s encryption software, distributed decryption keys to victims, and dismantled the group’s dark-web infrastructure. In February 2024, the UK's National Crime Agency (NCA) struck a major blow against Lockbit, seizing its cryptocurrency wallets and exposing its cybercriminal network.

Initially, both groups appeared to recover. AlphV orchestrated a major attack on Change Healthcare, disrupting payments at US pharmacies and extorting $22 million. Lockbit quickly reestablished its operations through a new dark-web platform. However, law enforcement actions had deeper consequences than initially apparent. AlphV executed an “exit scam,” disappearing with the ransom and leaving its hacker affiliates empty-handed. Lockbit’s operations also diminished following the NCA’s crackdown, with distrust growing in cybercriminal circles after authorities identified its alleged leader, Dmitry Khoroshev. In May 2024, the US Treasury imposed sanctions on Khoroshev, complicating ransom payments to the group.

New Ransomware Gangs Struggle to Match Predecessors

While emerging ransomware groups attempted to fill the void left by these takedowns, many lacked the sophistication to target high-value victims. “Their talent is not quite as robust as their predecessors,” notes Burns Koven. As a result, ransom demands shrank, often amounting to tens of thousands rather than millions of dollars.

Although 2024 saw an increase in ransomware attacks—4,634 incidents compared to 4,400 in 2023—lower ransom payouts suggest that newer cybercriminals prioritized volume over impact. “What we're seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money that they see you can make in ransomware, trying to get into the game and not being very good at it,” says Allan Liska, a threat intelligence analyst at Recorded Future.

Stronger Cyber Defenses and Cryptocurrency Regulations

Beyond law enforcement interventions, the decline in payments is also linked to heightened awareness and improved cybersecurity measures. Governments and institutions have implemented stronger ransomware response strategies, while increased cryptocurrency regulation and crackdowns on illicit financial channels have complicated ransomware payments. Authorities have particularly targeted crypto mixers, tools used by cybercriminals to anonymize transactions.

Despite the downward trend in payments, historical data suggests that ransomware remains cyclical. In 2022, total payments fell to $655 million, down from $1.07 billion in 2021, only to surge again in 2023 to $1.25 billion. Experts caution against interpreting short-term declines as long-term victories. “If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters,” says Brett Callow, managing director at FTI Consulting. “That’s why we really need to analyze trends over a longer period.”

Additionally, the true scale of ransomware payments remains difficult to quantify, as cybercriminals often inflate their success and many victims choose not to report attacks due to stigma or regulatory concerns.

Chainalysis researchers emphasize that the decline in ransomware payments should not be mistaken for a lasting solution. “We're still standing in the rubble, right? We can't go tell everyone, everything's great, we solved ransomware—they’re continuing to go after schools, after hospitals and critical infrastructure,” says Burns Koven. However, the data does serve as an important indicator that sustained investment in ransomware defense is yielding results.

Ransomware Payments Drop 35% in 2024 Amid Increased Resistance and Law Enforcement Crackdowns

 

Ransomware payments saw a significant decline in 2024, dropping 35% year-over-year to $813.55 million from the $1.25 billion recorded in 2023. Additionally, only about 30% of victims engaged in ransom negotiations proceeded with payments.

These insights, reported by blockchain intelligence firm Chainalysis, highlight a downward trend despite 2024 being a record-breaking year for ransomware attacks. A notable incident involved a Fortune 50 company paying $75 million to the Dark Angels ransomware group—the largest known payout of the year. Meanwhile, cybersecurity firm NCC Group recorded 5,263 successful ransomware breaches in 2024, marking the highest-ever attack volume.

Despite the increase in attacks, ransomware actors are facing difficulties in extorting payments. Chainalysis noted a surge in disclosures on data leak sites, indicating that cybercriminals are resorting to increased exposure tactics to pressure victims. However, a growing number of organizations are resisting ransom demands.

This shift is driven by heightened cybersecurity awareness, improved protective measures, and a realization that attackers’ promises to delete stolen data are often unreliable. Legal scrutiny has also played a role, pushing companies to forgo negotiations, instead opting to restore systems from backups while mitigating reputational risks.

Another critical factor behind the payment decline is the impact of law enforcement operations. In 2024, global agencies targeted ransomware groups, with ‘Operation Cronos’ taking down LockBit, one of the most prolific gangs. Additionally, the collapse of ALPHV/BlackCat created instability, leaving smaller groups unable to dominate the space, despite RansomHub’s attempts.

Chainalysis data indicates that even when ransoms were paid, they were often significantly reduced through negotiations. Cybercriminals are also facing increasing difficulties laundering their illicit earnings. Crackdowns on cryptocurrency mixers and non-compliant exchanges have forced ransomware actors to shift to alternative methods, such as cross-chain bridges, to obscure transactions.

Centralized exchanges remained the primary cash-out method in 2024, handling 39% of all ransomware proceeds. However, an increasing number of affiliates are now opting to hold funds in personal wallets, wary of law enforcement tracking and potential arrests.

Despite the surge in ransomware activity, victims are becoming more resistant, and law enforcement is tightening its grip, signaling a potential long-term shift in the cybersecurity landscape.