Ransomware Payouts Tumbled Last Year

We saw something here at The Daily Upside we hadn’t seen in so long we barely recognized it: honest-to-goodness good news.

Research from blockchain data platform Chainalysis published last week found that in 2024 the amount of money paid out by victims of ransomware attacks — when hackers seize data and/or shut down key systems and extort money in return for the stolen data and system access — fell by 35% from the year before to $813.6 million. That’s down to a cocktail of causes, Jacqueline Burns Koven, Head of Cyber Threat Intelligence at Chainalysis, told The Daily Upside. “It’s difficult to determine one key factor, but the decrease was driven by a combination of increased law enforcement actions, improved international collaboration, fragmentation of the ransomware ecosystem, victim preparedness, and a growing refusal by victims to pay,” said Koven.

A Pauper’s Ransom

Total annual ransomware payouts have been trending upward for years (with 2022 being an exception), and 2023 notched a record-breaking $1.25 billion in extorted money. The first half of 2024 was no different, per Chainalysis’ data, but after July, payouts by ransomware victims dropped sharply.

This drop is in part explained by law enforcement cracking down on prolific online gangs, disrupting arguably the most centralized part of the ransomware market:

• The FBI, UK’s National Crime Agency, and Europol managed to infiltrate and disrupt the online gang Lockbit in February last year, and Chainalysis noted a 79% drop in the group’s ransomware payouts in the second half of 2024. 
• In June, Spanish police arrested a 22-year-old British man alleged to be the leader of ransomware group Scattered Spider, although The Register reported at the end of last year that the group was picking up steam again.

Lizzie Cookson, Senior Director of Incident Response at Coveware, a firm that works with cyber-extortion victims, told Chainalysis that no one had moved into the market niche left behind by large ransomware gangs. “We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high-profile takedowns and closures,” Cookson said. “The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”

Consumer Confidence: One expert told Chainalysis that another reason for the lower ransomware payouts is that targeted cybercrime gangs, desperate to retain street cred after getting a black eye from law enforcement, tried plumping up their lists of stolen data. Some of that data, however, was either old or completely made up. “This is especially true of LockBit, which, in a bid to remain relevant after being ostracized by much of the underground community post law enforcement action, has published as high as 68% repeat or straight-up fabricated victims on its data leak site,” Allan Liska, threat intelligence analyst at Recorded Future, told Chainalysis.