2024 Saw Increase in Ransomware Attacks but 35% Decrease in Payments
A blockchain analysis suggests an increasing reluctance to pay money to ransomware groups. A new report from Chainalysis revealed a 35% year-over-year decline in ransom payments, which fell from $1.25 billion in 2023 to $813,550,000 in 2024 – the second-lowest annual total in the past 5 years behind the $655.44M paid in 2022.
In the first half of 2024, the number of additions to ransomware groups’ data leak sites increased by 2.38% compared to the corresponding period in 2023. Attacks continued to increase in H2, reaching a peak in November 2024; however, November saw the lowest number of ransom payments of the year. Over the entire year, fewer than half of victims of ransomware attacks ended up paying the ransom.
When companies are presented with a ransom demand, contact is often made with the cybercriminal group and ransom negotiations commence. Ransomware groups appear more willing to negotiate payments and accept lower amounts, with the median ransom payment falling in 2024; however, fewer than one-third (30%) of companies that initiated negotiations ended up paying a ransom.
The analysis indicates growing distrust that ransomware groups will delete stolen data when a ransom is paid, and that companies are determining it is more cost-effective to accept the reputational damage and recover encrypted data from backups than to pay a ransom.
Payments are down year-over-year, but the number of successful attacks has increased. More than 5,260 successful attacks were identified in 2024, with more victims posted to data leak sites than in any other year to date. Last year saw the creation of 56 new data leak sites – more than twice the number in 2023. The increase in attacks and posts on data leak sites suggests ransomware groups are responding to dwindling returns by conducting more attacks.
The ransomware ecosystem changed significantly in 2024 following major law enforcement operations targeting the two most prolific ransomware groups, LockBit and ALPHV/BlackCat. The LockBit law enforcement operation – Operation Cronos – caused major disruption to the LockBit operation, and while the group responded to the takedown of its infrastructure by posting a large number of victims to its data leak site, that appears to have been an effort to convince affiliates that the group remained active and relevant. Many of the data leak posts were for older ransomware attacks that had previously been added to the data leak site. Many of the group’s affiliates left the group after the law enforcement operation.
The law enforcement operation targeting ALPHV/BlackCat also disrupted the group’s activities, and the group called it quits in 2024 after pulling an exit scam following the Change Healthcare ransomware attack, pocketing the $22 million ransom payment and failing to pay the affiliate.
The disruption to LockBit and the shutting down of ALPHV/BlackCat forced many affiliates to change ransomware groups, fragmenting the ransomware ecosystem. There are now a large number of lone wolf actors and smaller ransomware groups, which tend to conduct attacks on small to mid-sized organizations that result in much lower payments. Out of the top ten ransomware groups in H1 2024, only one increased its efforts in H2 – Akira.
One ransomware group that has been actively recruiting affiliates from LockBit and ALPHV/BlackCat is the RansomHub group, which has grown into the most prolific ransomware group with more victims posted to its data leak site than any other ransomware group last year. The increase in activity has seen RansomHub ranked as one of the top ten strains based on ransom payments.
Chainalysis also reports that law enforcement efforts to crack down on cryptocurrency mixers, which have been extensively used by ransomware gangs to hide their ill-gotten gains, have forced ransomware groups to seek other methods to launder their money and hide their activities. They now favor cross-chain bridges, although centralized exchanges are still the main cash-out method. Many affiliates are now choosing to keep their proceeds in personal wallets and are not cashing out due to fears of being tracked and arrested.


