The notorious ransomware industry suffered a significant setback in 2024 as cryptocurrency ransom payments nosedived by 35% compared to the previous year, according to a comprehensive report from blockchain analytics firm Chainalysis. Despite an uptick in the overall number of ransomware incidents, cybercriminals pocketed just $814 million last year, a stark contrast to 2023’s record haul of $1.25 billion.
Victims Fight Back as Trust Erodes
Chainalysis attributes this marked decline to a confluence of factors, chief among them being a growing reluctance among victims to acquiesce to attackers’ demands. In a striking shift, less than half of all reported ransomware attacks in 2024 resulted in a payout to the perpetrators.
Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, suggests that this trend is largely fueled by eroding trust. Many victim organizations are increasingly skeptical that meeting ransom demands will actually lead to the secure deletion of their compromised data from attackers’ servers.
What it illuminated is that payment of a ransom is no guarantee of data deletion.
– Jacqueline Burns Koven, Head of Cyber Threat Intelligence, Chainalysis
This growing distrust was exemplified by the dramatic implosion of the notorious Russian ransomware gang BlackCat mere weeks after extorting a staggering $22 million from American insurance giant United Healthcare. Despite receiving the payment, the group’s disbandment led to the public leak of the very data United Healthcare had hoped to protect.
Sanctions Tie Victims’ Hands
Beyond eroding trust, Koven highlights the impact of escalating international sanctions against ransomware groups. For many victim organizations, the risk of violating these sanctions often outweighs the potential benefit of paying to recover their data.
There’s been a spate of sanctions against different ransomware groups and for some entities, it’s outside of their risk threshold to be willing to pay them because it constitutes sanctions risk.
– Jacqueline Burns Koven, Head of Cyber Threat Intelligence, Chainalysis
Victims Wising Up and Shoring Up
The Chainalysis report also suggests that improved cybersecurity hygiene and incident response capabilities are enabling more victims to resist attackers’ demands. Lizzie Cookson, senior director of incident response at Coveware, notes that many organizations are now better positioned to restore systems from backups rather than resorting to paying ransoms.
They may ultimately determine that a decryption tool is their best option and negotiate to reduce the final payment, but more often, they find that restoring from recent backups is the faster and more cost-effective path.
– Lizzie Cookson, Senior Director of Incident Response, Coveware
Cashing Out Complications for Criminals
Adding to the ransomware industry’s woes, Chainalysis detected a substantial decline in attackers’ use of cryptocurrency mixing services to launder illicit proceeds. The blockchain analytics firm attributes this drop to the disruptive impact of sanctions and law enforcement actions against mixing providers like Chipmixer, Tornado Cash, and Sinbad.
Interestingly, rather than seeking alternative laundering avenues, many ransomware actors are simply letting their cryptocurrency sit idle in personal wallets. Chainalysis suggests this may reflect heightened caution and uncertainty among cybercriminals in the face of unpredictable and decisive law enforcement crackdowns.
Cautious Optimism Amid Continued Threat
While 2024’s decline in ransom payments is undoubtedly a positive development, experts caution against premature celebration. Koven stresses that all the enabling factors for a resurgence in high-impact “big game hunting” attacks remain in play.
I think it is premature to be celebrating, because all the factors are there for it to reverse in 2025, for those large attacks — the big game hunting — to resume.
– Jacqueline Burns Koven, Head of Cyber Threat Intelligence, Chainalysis
As the battle against ransomware rages on, victim organizations must remain vigilant in their cybersecurity efforts. While 2024’s downturn in successful extortions offers a glimmer of hope, the ever-evolving threat landscape demands constant adaptation and resilience. Only through sustained defensive efforts and ongoing collaboration between the public and private sectors can we hope to keep the ransomware scourge at bay in the years to come.
