Cyber Security News

Ransomware Payments Dropped By 35% As Victims Refuse To Pay

In a significant shift in the ransomware landscape, payments to attackers have decreased by approximately 35% year-over-year.

This decline is attributed to increased law enforcement actions, improved international collaboration, and a growing trend among victims to refuse ransom demands.

Ransomware Payment Totals (Source – Chainalysis)

Key developments in 2024:

  • Ransomware Payments: In 2024, ransomware attackers received about $813.55 million in payments, down from $1.25 billion in 2023. This marks the first decline in ransomware revenues since 2022.
  Year  | Total Payments
  ------|----------------
  2023  | $1.25 billion
  2024  | $813.55 million
  • Law Enforcement Impact: The disruption of major ransomware groups like LockBit and the exit scam of ALPHV/BlackCat have significantly impacted the ecosystem. LockBit saw payments decrease by about 79% in the second half of 2024 following law enforcement actions.
  Ransomware Group | H1 2024 Payments | H2 2024 Payments
  -----------------|------------------|------------------
  LockBit          | High             | Decreased by 79%
  • Victim Resilience: More victims are opting not to pay ransoms. According to incident response firms, only about 30% of negotiations lead to payments. Improved cyber hygiene and the ability to restore from backups have empowered victims to resist demands.
  Negotiation Outcome
  -------------------
  Payments Made: ~30%

Shifts in Ransomware Tactics

As major groups face disruptions, new strains have emerged, often from rebranded or leaked code.

Chainalysis researchers noted that ransomware operations have become faster, with negotiations starting within hours of data exfiltration.

Lone actors and smaller groups focusing on smaller targets have become more prevalent.

Despite an increase in data leak site postings, which often serve as a proxy for ransomware events, actual payments have declined.

Ransomware payments vs data leak site victims (Source – Chainalysis)

This inconsistency suggests that attackers may be overstating or fabricating victim claims to maintain relevance.

Ransom funds are primarily laundered through centralized exchanges (CEXs), personal wallets, and cross-chain bridges. There has been a notable decline in the use of mixers, likely due to sanctions and law enforcement actions.

The decrease in ransomware payments reflects a more resilient victim base and effective law enforcement strategies.

As the landscape continues to change rapidly, understanding these trends is crucial for mitigating future threats.


Tushar Subhra Dutta

Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology, and other news.
