Ransomware payments dropped substantially in 2024, new research from Chainalysis suggests, with cybercriminals extorting approximately $813.55m from victims. This represents a 35% decline compared to the $1.25bn recorded in 2023, according to the firm’s latest ‘Crypto Crime Report,’ and marks the first reduction in ransomware revenue since 2022. The decline, added the research firm, was driven in large part by increased law enforcement actions, improved international cooperation, and a growing number of organisations refusing to meet ransom demands.

“Crackdowns and collaboration with incident response firms and blockchain experts helped disrupt many ransomware groups, reducing their profitability,” said Chainalysis. “Victims also demonstrated greater resistance to ransom demands, widening the gap between demands and payments.”

The decline was most pronounced in the second half (H2) of 2024. While the first half (H1) saw a modest 2.38% increase in ransomware-related extortion, payment volumes dropped sharply after July, decreasing by nearly 34.9%. This pattern reflects trends since 2021, with consistent declines in ransomware-related transactions and other crypto-enabled crimes, including stolen funds.

Ransomware groups adapt to shifting conditions

Ransomware operators adjusted their strategies in 2024, adopting faster, more agile extortion methods. New ransomware strains emerged from rebranded, leaked, or purchased code, with ransom negotiations often starting within hours of data exfiltration, according to Chainalysis.

The ecosystem remained diverse, involving nation-state-linked groups, ransomware-as-a-service (RaaS) affiliates, independent actors, and data theft extortion groups. High-profile attacks included breaches of cloud service provider Snowflake.

Among the top ransomware strains, Akira stood out as the only group to increase activity in H2 2024, having targeted over 250 organisations since March 2023. In contrast, LockBit saw a 79% drop in payments after disruptions by the UK’s National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) in early 2024. ALPHV/BlackCat, one of 2023’s top earners, ceased operations following an exit scam in January 2024.

The decline of established groups created opportunities for new actors. RansomHub, a RaaS operation that surfaced in February 2024, absorbed affiliates displaced by the collapse of LockBit and BlackCat. Despite its recent formation, RansomHub posted the highest number of victims in 2024, securing a spot among the top 10 ransomware strains, based on Chainalysis data.

Data leak sites also surged. Allan Liska, Threat Intelligence Analyst at Recorded Future, reported 56 new data leak sites in 2024, more than double the number from 2023. However, not all breaches result in public disclosures, limiting the completeness of available data. The rise of leak sites reflects the growing reliance on double extortion tactics, where stolen data is used alongside system encryption to pressure victims into payment.

Incident response data from 2024 revealed a growing gap between ransom demands and actual payments. In H2 2024, this gap reached 53%, indicating a rising tendency among victims to reject demands. Reports from incident response firms suggest that many organisations refuse to pay altogether, implying the real gap may be larger.

Ransomware payment patterns also shifted. Some groups, such as Phobos, targeted smaller organisations with average payments between $500 and $1,000. Others clustered around $10,000, while larger enterprises faced demands exceeding $100,000, with some payments surpassing $1m. High-value attacks increased, with more incidents involving payments over $1m compared to previous years.
