Ransomware Groups Made Less Money in 2024Ransomware Groups Made Less Money in 2024

The total volume of ransom payments decreased year-over-year by approximately 35%, due to law enforcement activities and more victims refusing to pay, according to blockchain analytics company Chainalysis.

In 2024, ransomware attackers collected approximately $813.55 million in payments, a significant drop from the $1.25 billion collected in 2023 and $1.07 billion collected in 2021, Chainalysis said in its 2025 Crypto Crime Report. Payments were slightly up by approximately 2% in the first half of the year, leading the company to estimate that 2024 would surpass 2023's totals. While the number of ransomware events increased in the second half of 2024, on-chain payments declined, suggesting that even though more victims were targeted, fewer actually paid the ransom. In some cases, those who paid managed to successfully negotiate the ransom amount to a much smaller amount.

Victims organizations have wrestled with the pay-or-not-pay dilemma for years. On one hand, paying may be the only answer is there is no other way to recover the data or if the downtime waiting to recover the data is too long. On the other hand, paying rewards criminal activity, funds future activities, and may encourage more attacks against the victim. Improved cyber hygiene and overall resiliency is helping organizations make the decision to not pay, according to Christian Geyer, founder and CEO of Actfore. Better incident response capabilities, digital forensics, and data mining services are helping victims identify the breached data faster.

"Organizations have increasingly implemented comprehensive data backup solutions, so the business can rapidly recover their systems through a wipe and restore process," Geyer said. 

Another reason is that law enforcement actions are making an impact on the ransomware ecosystem. Several ransomware groups that were prolific in 2023 and the first half of 2024 were not as active in the second half of the year. LockBit is one such case. The United Kingdom's National Crime Agency, the U.S. Federal Bureau of Investigation, and law enforcement entities in Canada, Japan, and Australia, collaborated in Operation Cronos to seize data and websites associated with LockBit in February 2024. That disruption seemed particularly effective, as payments to the criminals behind LockBit decreased by 79% in the second half of 2024. Similarly, ALPHV/BlackCat going dark in March 2024 after collecting $22 million from Change Healthcare left “a void” in the second half of 2024, Chainalysis said.

When a large group leaves the cybercrime ecosystem — either after a law enforcement disruption or voluntarily shutting down operations — there usually is a slight dip in activity and then another group ramps up activities to fill that vacuum. That doesn't seem to have happened in 2024, Lizzie Cookson, a senior director of incident response at Coveware, told Chainalysis. "We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share…The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands."