Ransomware Groups Made Less Money in 2024

The total volume of ransom payments decreased year-over-year by approximately 35%, due to law enforcement activities and more victims refusing to pay, according to blockchain analytics company Chainalysis.
In 2024, ransomware attackers collected approximately $813.55 million in payments, a significant drop from the $1.25 billion collected in 2023 and $1.07 billion collected in 2021, Chainalysis said in its 2025 Crypto Crime Report. Payments were slightly up by approximately 2% in the first half of the year, leading the company to estimate that 2024 would surpass 2023's totals. While the number of ransomware events increased in the second half of 2024, on-chain payments declined, suggesting that even though more victims were targeted, fewer actually paid the ransom. In some cases, those who paid managed to negotiate the ransom down to a much smaller amount.
Victim organizations have wrestled with the pay-or-not-pay dilemma for years. On one hand, paying may be the only answer if there is no other way to recover the data or if the downtime waiting to recover the data is too long. On the other hand, paying rewards criminal activity, funds future activities, and may encourage more attacks against the victim. Improved cyber hygiene and overall resiliency are helping organizations make the decision to not pay, according to Christian Geyer, founder and CEO of Actfore. Better incident response capabilities, digital forensics, and data mining services are helping victims identify the breached data faster.
"Organizations have increasingly implemented comprehensive data backup solutions, so the business can rapidly recover their systems through a wipe and restore process," Geyer said.
Another reason is that law enforcement actions are making an impact on the ransomware ecosystem. Several ransomware groups that were prolific in 2023 and the first half of 2024 were not as active in the second half of the year. LockBit is one such case. The United Kingdom's National Crime Agency, the U.S. Federal Bureau of Investigation, and law enforcement entities in Canada, Japan, and Australia collaborated in Operation Cronos to seize data and websites associated with LockBit in February 2024. That disruption seemed particularly effective, as payments to the criminals behind LockBit decreased by 79% in the second half of 2024. Similarly, ALPHV/BlackCat going dark in March 2024 after collecting $22 million from Change Healthcare left “a void” in the second half of 2024, Chainalysis said.
When a large group leaves the cybercrime ecosystem — either after a law enforcement disruption or voluntarily shutting down operations — there usually is a slight dip in activity and then another group ramps up activities to fill that vacuum. That doesn't seem to have happened in 2024, Lizzie Cookson, a senior director of incident response at Coveware, told Chainalysis. "We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share…The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands."