More Ransomware Attacks but Less Ransom Payments in 2024 – What Does It Mean?

Published on February 5, 2025

In 2024, ransomware attacks left a significant mark, targeting critical industries and securing record-breaking payments. Major incidents included the exploitation of vulnerabilities in Snowflake’s customer accounts and the high-profile breach of Change Healthcare, which paralyzed hundreds of US pharmacies and clinics.  

However, despite these alarming events, ransomware payments declined significantly over the year, dropping 35% from 2023’s record $1.25 billion to $814 million.  

The most striking trend was a steep fall in payments in the second half of 2024, when attackers collected only $321 million compared to $492 million in the first half, the largest six-month drop ever recorded, according to a Chainalysis report cited by Wired.

This unexpected decline is largely attributed to aggressive law enforcement actions. The FBI and the UK’s National Crime Agency (NCA) dismantled major ransomware groups, including BlackCat/ALPHV and LockBit, disrupting their operations.

Though initially resilient, BlackCat/ALPHV collapsed after executing an "exit scam" following its $22 million ransom from Change Healthcare. LockBit’s influence also waned after law enforcement identified its leader, Dmitry Khoroshev, and imposed US sanctions, making ransom payments more difficult.

While new ransomware groups emerged, they lacked the sophistication and reach of their predecessors, leading to smaller ransom demands, often in the tens of thousands rather than millions. Moreover, improved cybersecurity measures, greater awareness, and enhanced cryptocurrency regulations further hindered ransomware actors.

Despite the sharp decline in payments, ransomware incidents actually increased in 2024, with 4,634 attacks compared to 4,400 in 2023. This shift suggests that newer threat actors focused on quantity over high-value targets.  

While law enforcement actions have momentarily disrupted the ransomware ecosystem, history has shown that such trends can reverse, as evidenced by previous fluctuations in ransomware payments from 2020 to 2023.

Takeaway: Several factors contributed to the downward trend in ransom payments, most notably:

LEO actions: While law enforcement (LEO) actions were few, they targeted the most prolific groups at the time, LockBit and BlackCat/ALPHV, whose volume of attacks dwarfed that of other threat actor groups. This may have been only a temporary lull, however: LockBit never completely went away and recently announced that it would release a new LockBit4 payload this month (February), so we may know very soon just how successful the LEO actions against these groups actually were.

More groups: We saw more groups emerge in 2024, some shooting to the top of the RaaS group rankings, like RansomHub, which is a very formidable threat. Others that have emerged tend to garner only smaller payments, well below the average. Recall that the latest reporting indicates there were more attacks in 2024, but the total sum of ransom payments was less than the record set in 2023. This could be chalked up to more groups with less experienced operators, or these groups may have decided that multiple smaller ransom payments are a better option than fewer large ransoms that would draw the attention of LEO; that is, they are making an effort to fly below the radar.

Better preparation: Another factor is that victim organizations may be a little better prepared and are seeking out experienced consultants and incident responders who together can make the attacks less disruptive and negotiate smaller ransom payments.

Diversification: As some threat actors move to straight data extortion attacks, where they exfiltrate sensitive data for ransom and forgo the encryption stage of an attack, they may be finding other ways to monetize that data beyond collecting a ransom from the victim. We are seeing more data brokers emerging within the larger ransomware economy.

US elections: To get very speculative, remember that 2024 was a major election year in the US, with a lot at stake for nation-states like Russia that give safe harbor to ransomware operators. The 2022 "lull" has in part been attributed to Russia redirecting some cybercriminal resources to conduct more state-supported operations against Ukraine and its Western supporters. This decline in payments could likewise be in part the result of the most talented ransomware operators being pulled off their cybercriminal activities yet again to support Russian state priorities around the US election, which would fit with the drop being most precipitous in the second half of the year.

Whichever combination of factors contributed to the decline, it is likely temporary. Ransomware and data extortion attacks are very lucrative and involve almost zero risk for the operators. As well, many attacks also have the dual purpose of supporting the geopolitical ambitions of nations like Russia. We will not see threat actors abandoning the model any time soon.

 

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
