Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023

Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023.
The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding that payment activity slumped after July 2024 by about 3.94%.
"The number of ransomware events increased into H2, but on-chain payments declined, suggesting that more victims were targeted, but fewer paid," the company said.
Adding to the challenges is an increasingly fragmented ransomware ecosystem: in the wake of the collapse of LockBit and BlackCat, many newcomers have emerged that eschew big game hunting in favor of small- to mid-size entities, which in turn translates to more modest ransom demands.
According to data compiled by Coveware, the average ransomware payment in Q4 2024 was $553,959, up from $479,237 in Q3. The median ransomware payment, in contrast, dropped from $200,000 to $110,890 quarter-over-quarter, a 45% drop.
"Payments continue to remain primarily a last-resort option for those who have no alternative to recover critical data," the company said.
"Faulty decryption tools from both new and old ransomware strains and mounting distrust of threat actors' ability to honor assurances compound to drive victims away from the table unless they have no other option."


The decline in ransom payments has also been complemented by growing law enforcement success in dismantling cybercriminal networks and crypto laundering services, thereby disrupting the financial incentive and raising the barriers to entry.
That said, 2024 also witnessed the highest volume of annual ransomware cases since 2021, reaching a staggering 5,263 attacks, an increase of 15% year-over-year.
"With a crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023," NCC Group said. "North America experienced over half of all attacks in 2024 (55%)."
The most commonly observed ransomware variants during 2024 were Akira (11%), Fog (11%), RansomHub (8%), Medusa (5%), BlackSuit (5%), BianLian (4%), and Black Basta (4%). Lone wolf actors captured an 8% market share during the time period.
Some of the new entrants observed in recent months include Arcus Media, Cloak, HellCat, Nnice, NotLockBit, WantToCry, and Windows Locker. HellCat, in particular, has been found resorting to psychological tactics to humiliate victims and pressure them into paying up.
"Both Akira and Fog have used identical money laundering methods, which are distinct from other ransomware strains, further supporting a connection between them," Chainalysis said.
"Both groups have primarily focused on exploiting VPN vulnerabilities, which allows them to gain unauthorized access to networks and consequently deploy their ransomware."