
Ransomware Payments Decreased by 35% in 2024

by Carl Nash


Ransomware payments took an unexpected plunge in 2024, dropping 35% to approximately $813.55 million — despite payouts surpassing $1 billion for the first time in 2023. The decline was largely driven by a series of successful law enforcement takedowns and improved cyber hygiene, which enabled more victims to refuse payment, according to blockchain platform Chainalysis.

The drop came as a surprise, considering the upward trend seen earlier in the year. In fact, ransomware actors extorted 2.38% more in the first half of 2024 compared to the same period in 2023, suggesting that payments would continue to rise. However, this momentum was short-lived, as payment activity plummeted by approximately 34.9% in the second half of the year.

According to Chainalysis, Akira was the only one of the top 10 most prolific ransomware groups from the first half of 2024 to have increased its efforts in the second half. Additionally, as the year progressed, fewer exceptionally large payouts were made compared to the record-breaking $75 million payment to Dark Angels in early 2024.

Incident response data also showed that the gap between the amounts demanded by criminals and the amounts paid by victims increased to 53% in the second half of the year. Chainalysis analysts attributed this to improved resiliency among organisations, which allowed them to explore recovery options, such as using a decryption tool or restoring from backups, rather than paying the ransoms.


Despite the overall decline in ransomware payments, the number of new data leak sites doubled in 2024, according to Recorded Future. However, the Chainalysis team noted that many organisations had their data listed multiple times, and ransomware groups often claimed to have compromised multinational corporations when, in reality, they had only breached a single branch.

Hackers may also exaggerate or misrepresent the extent of a victim’s compromised data, sometimes even reposting the results of old attacks. This tactic is often used to stay relevant or appear active after a law enforcement takedown — an operation criminals have dubbed “Operation Cronos.”

LockBit and ALPHV have left a notable gap

The notorious ransomware group LockBit, responsible for the most common type of ransomware deployed globally in 2023, was targeted in a law enforcement takedown in February 2024. The U.K. National Crime Agency’s Cyber Division, the FBI, and international partners cut off their website, which had been operating as a major ransomware-as-a-service storefront.

While LockBit resumed operations at a different Dark Web address a few days later, payments to the group decreased by 79% in the second half of the year, according to Chainalysis. Research from Malwarebytes also found that while LockBit conducted more individual attacks, the proportion of ransomware incidents it claimed responsibility for fell from 26% to 20%.


ALPHV, the second-most prolific ransomware group in 2023, also left a vacancy after a poorly executed cyber attack against Change Healthcare in February. The group failed to pay an affiliate their share of the $22 million ransom, prompting the affiliate to expose them. In response, ALPHV staged a fake law enforcement takedown and ceased operations.

Decline in mixer use and rise in personal wallets signal law enforcement impact

Beyond the decline in payouts, Chainalysis identified additional evidence that the law enforcement takedowns of 2024 were successful. Ransomware actors' use of mixing services (tools that obscure the origin of illicit cryptocurrency by blending it with other funds) declined in 2024.

Chainalysis linked this trend to the sanctions and law enforcement crackdowns on mixers such as Chipmixer, Tornado Cash, and Sinbad. In their place, ransomware actors are using cross-chain bridges, which transfer cryptocurrency between different blockchains to facilitate their off-ramping.

Furthermore, “substantial volumes” of criminal funds are now being held in personal wallets, suggesting that ransomware actors are abstaining from cashing out.

“We attribute this largely to increased caution and uncertainty amid what is probably perceived as law enforcement’s unpredictable and decisive actions targeting individuals and services participating in or facilitating ransomware laundering, resulting in insecurity among threat actors about where they can safely put their funds,” the Chainalysis team said.

Ransomware attackers are upping their game in response

Chainalysis warned that ransomware groups continue to adapt despite law enforcement disruptions, with “new ransomware strains emerging from leaked or purchased code” to evade detection. The report also highlighted that attacks have become faster, with negotiations now beginning within hours of data exfiltration.


However, authorities are now catching on to the evolving tactics and are considering more drastic countermeasures. Last month, the U.K. government announced it may ban ransomware payments to make critical industries “unattractive targets for criminals.”


