
Chainalysis records 35% decrease in ransom payments in 2024

While the first half of 2024 was on pace to surpass 2023's record-setting numbers, Chainalysis found that the volume of ransom payments dropped in the second half of the year.

Despite a highly active year for ransomware in 2024, Chainalysis recorded a 35% decrease in ransom payments compared with the previous year.

Chainalysis detailed the 2024 ransomware landscape in a blog post published Wednesday that cited shifts in threat actors' tactics and the emergence of new ransomware strains. While the report noted that ransomware gang leak sites posted more victims in 2024 than in any previous year, the blockchain analytics company found fewer victims gave in to ransom demand pressures.

The blockchain analytics company attributed the decrease in ransom payments to several factors, including increased law enforcement actions that led to successful takedowns and more victim organizations refusing to pay. The decrease in the total volume of ransom payments follows what Chainalysis called a "watershed year for ransomware" in 2023.

"In 2024, ransomware attackers received approximately $813.55 million in payments from victims, a 35% decrease from 2023's record-setting year of $1.25 billion, and for the first time since 2022, ransomware revenues declined," Chainalysis wrote in the blog post.

Chainalysis said the evolving 2024 ransomware landscape forced attackers to shift tactics and become more adaptive. For example, the company observed that new ransomware strains emerged from rebranded, leaked or previously purchased code. Additionally, Chainalysis warned that ransomware operations have become faster, as threat actors often start negotiations with victim organizations within hours of exfiltrating sensitive data.

While Chainalysis had anticipated the volume of ransom payments in 2024 would surpass 2023's total due to significant payouts like the $75 million to Dark Angels ransomware operators, the second half of last year saw a significant decline. Law enforcement actions played a critical role in the decrease, affecting the top 10 most active ransomware groups. For example, the U.K.'s National Crime Agency led a successful joint law enforcement effort dubbed Operation Cronos, which disrupted the infamous LockBit ransomware group. Operation Cronos was composed of three phases and led agencies to seize infrastructure and decryption keys, as well as make arrests and expose one of the group's ringleaders.

"LockBit, which was disrupted by the United Kingdom's National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI) in early 2024, saw H2 payments decrease by approximately 79%, showcasing the effectiveness of international law enforcement collaboration," the blog post said.

Chainalysis also found that, in addition to dismantling ransomware groups, law enforcement actions disrupted actors' ability to launder cryptocurrency. Chainalysis stated that, as in previous years, cryptocurrency continued to "play a vital role in extortion" during ransomware attacks.

Ransomware actors demand payments in cryptocurrency to make them more difficult for authorities to trace. To further obfuscate illicit funds, ransomware actors use cryptocurrency mixers or tumblers, although Chainalysis observed a downward trend for such activity in 2024.

"We note a substantial decline in the use of mixers in 2024. Historically, mixing services routinely captured between 10% and 15% of ransomware quarterly money laundering flows. The decline of mixing among ransomware actors over the years is very interesting and a testament to the disruptive impact of sanctions and law enforcement actions, such as those against Chipmixer, Tornado Cash, and Sinbad," the blog post said.

In place of mixers, Chainalysis noted that ransomware actors increasingly relied on cross-chain bridges. More surprisingly, the company discovered that "substantial volumes of funds" were held in personal wallets and that many ransomware operators abstained from cashing out.

"We attribute this largely to increased caution and uncertainty amid what is probably perceived as law enforcement's unpredictable and decisive actions targeting individuals and services participating in or facilitating ransomware laundering, resulting in insecurity among threat actors about where they can safely put their funds," the blog post said.

While the number of victims posted to data leak sites last year increased, the volume of ransomware payments decreased.

Victims refuse to pay

Discussions of ransom payment bans reignited last year, as many vendors, including Chainalysis, tracked record-setting numbers for ransomware activity in 2023. While no ransom payment bans were implemented in the U.S., Chainalysis found that more victim organizations refused to pay ransoms last year.

The company found that while the number of ransomware events increased during the second half of 2024, the on-chain payments declined, "suggesting that more victims were targeted but fewer paid." The discrepancy could be attributed to threat actors who have been caught lying about victims on public data leak sites, or reposting claims by old victim organizations, Chainalysis said.

"Victims also demonstrated greater resistance to ransom demands, widening the gap between demands and payments," the blog post said.

Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, told Informa TechTarget that while 2024 was a down year for ransom payments, it's difficult to say whether the trend will continue into 2025. She added that the decrease in payments reflects an ecosystem that is better prepared and better at negotiating.

Burns Koven said law enforcement actions and the fragmentation of the ransomware ecosystem have forced opportunistic ransomware actors to shift from mid-tier victims to low-tier victim organizations in terms of size, which is reflected in a drop in median payments. "A multitude of factors including victim preparedness, global disruption efforts and victims abstaining from paying contributed to ransomware revenue's decline and we must continue to apply and adjust these strategies as threat actors adapt to new conditions," she said.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
