The global ransomware landscape underwent a significant shift in 2024, with total payments to cybercriminals dropping by 35% year-over-year, according to blockchain analytics firm Chainalysis.
Ransomware gangs extorted approximately $813.55 million in 2024 compared to a record $1.25 billion in 2023.
This marks the first decline in ransomware revenues since 2022, despite an increase in the number of attacks.
The drop is attributed to enhanced law enforcement actions, improved international collaboration, and a growing trend among victims to resist paying ransoms.
Fragmented Ecosystem
The disruption of major ransomware groups like LockBit and BlackCat contributed significantly to this decline.
LockBit’s infrastructure was dismantled by joint U.S.-U.K. law enforcement operations, while BlackCat exited the scene following an “exit scam.”
These actions left a fragmented ecosystem dominated by smaller groups and lone actors targeting mid-sized organizations with modest ransom demands.
For instance, payments to LockBit fell by 79% in the latter half of 2024 after its takedown.
Emerging ransomware-as-a-service (RaaS) platforms like RansomHub filled the void left by these major players but focused on smaller-scale attacks.
This shift reduced the frequency of high-value ransom demands, further contributing to the overall decline in payments.
Backup Strategies
Improved cyber hygiene and incident response strategies have empowered victims to resist ransom demands.
According to the Chainanalysis, many organizations now rely on robust backup systems and decryption tools rather than paying attackers.
According to incident response experts, only about 30% of ransomware negotiations result in payment, as victims increasingly explore alternative recovery options.
Lizzie Cookson, Senior Director of Incident Response at Coveware, highlighted that restoring from backups is often faster and more cost-effective than paying ransoms.
This approach has widened the gap between ransom demands and actual payouts, with median payments dropping significantly from $200,000 in Q3 2024 to $110,890 in Q4.
Ransomware operators also faced growing difficulties laundering illicit funds.
Law enforcement crackdowns on cryptocurrency mixers like Tornado Cash and Chipmixer disrupted traditional money-laundering channels.
As a result, many attackers opted to hold funds in personal wallets or use cross-chain bridges for obfuscation.
Additionally, victims have become more skeptical about attackers’ promises to delete stolen data after payment.
Cases like BlackCat’s leak of United Healthcare’s data post-payment have fueled distrust, further discouraging ransom payments.
While the decline in ransomware payments is a positive development, experts caution against complacency.
The evolving tactics of cybercriminals such as leveraging artificial intelligence for more sophisticated attacks could reverse this trend in 2025.
Continued investment in cybersecurity measures and international cooperation will be critical to sustaining progress against ransomware threats.
