Ransomware extortion payments plummeted to $813.5 million in 2024, a sharp decline from the staggering $1.25 billion in 2023, according to blockchain intelligence firm Chainalysis.
During the first half of 2024, ransomware groups managed to extort $459.8 million, but payment activity declined by approximately 3.94% after July 2024. Despite an increase in ransomware attacks, fewer victims opted to pay, signaling a shift in response strategies.
"The number of ransomware events increased in the second half of 2024, yet on-chain payments dropped, suggesting that while more organizations were targeted, fewer chose to comply with ransom demands," Chainalysis reported.
The Shift in Ransomware Strategies: Smaller Targets, Lower Payouts
The ransomware ecosystem has become increasingly fragmented following the collapse of LockBit and BlackCat, leading to the emergence of smaller ransomware groups. These groups have moved away from high-profile "big game" attacks and are now focusing on small to mid-sized businesses, from which they demand lower ransom amounts.
According to Coveware, the average ransomware payment in Q4 2024 rose to $553,959, up from $479,237 in Q3. However, the median payment saw a 45% drop, decreasing from $200,000 to $110,890.
"Ransom payments remain a last resort for victims who have no alternative means to recover their critical data," Coveware stated.
A growing distrust in ransomware operators—fueled by faulty decryption tools and broken promises—has discouraged many organizations from paying ransoms unless absolutely necessary.
Law Enforcement Crackdowns and Rising Ransomware Cases
The reduction in ransomware payments can also be attributed to increased law enforcement efforts aimed at dismantling cybercriminal networks and crypto laundering services. These actions have disrupted ransomware operations, making it more difficult for threat actors to profit.
Despite the decline in ransom payments, 2024 saw the highest number of ransomware cases since 2021, with 5,263 attacks, marking a 15% year-over-year increase.
According to NCC Group, industrial sectors were the hardest hit, accounting for 27% (1,424) of all ransomware incidents. Additionally, North America remained the primary target, experiencing 55% of all attacks.
Most Active Ransomware Variants in 2024
The most prevalent ransomware variants in 2024 included:
- Akira – 11%
- Fog – 11%
- RansomHub – 8%
- Medusa – 5%
- BlackSuit – 5%
- BianLian – 4%
- Black Basta – 4%
- Lone wolf actors – 8%
Meanwhile, new ransomware groups such as Arcus Media, Cloak, HellCat, Nnice, NotLockBit, WantToCry, and Windows Locker have surfaced. Notably, HellCat has been leveraging psychological pressure tactics to humiliate victims and coerce payments.
Emerging Trends: VPN Exploits & Money Laundering Patterns
Cybersecurity analysts have observed that Akira and Fog ransomware groups utilize identical money laundering techniques, setting them apart from other cybercriminals.
"Both groups primarily exploit VPN vulnerabilities to gain unauthorized access to networks, allowing them to deploy their ransomware with minimal resistance," Chainalysis noted.
As ransomware tactics evolve, organizations must bolster cyber defenses, implement robust backup strategies, and enhance threat detection to mitigate risks.