In the latter half of 2024, the payments to ransomware gangs took a nosedive. According to Chainalysis, a blockchain analytics firm, fewer than half of the victims opted to pay up after incidents. Overall, ransomware groups pulled in around $813.6 million this year, a significant drop from the $1.25 billion they made in 2023. The first half of the year saw a slight uptick in payments, but by the second half, they plummeted by 37.5%.
Analysts believe that increased law enforcement efforts and international cooperation have made a difference. More victims seem to be standing their ground against cybercriminals. Yet, this doesn’t mean the threat is waning. Attackers are adapting quickly, using new strains of ransomware that have been rebranded or modified. These operations are often kicking off negotiations within hours of a breach.
Lizzie Cookson from Coveware pointed out that after the takedowns of major gangs like LockBit and ALPHV/BlackCat, the market hasn’t really bounced back. Lone actors have filled some gaps, but no significant groups have absorbed their share. Newer players are targeting small to mid-sized businesses with lower ransom demands.
Organizations are also getting better at defending against these attacks. More companies are investing in improved cybersecurity measures and focusing on backing up their data. This allows them to recover from incidents more effectively, whether that means negotiating lower payments or restoring from backups.
Christian Geyer, CEO of Actfore, emphasized how comprehensive backup solutions let businesses recover systems quickly after an attack. Companies are becoming tech-savvy when it comes to incident response, which helps them pinpoint breached data faster. Enhanced digital forensics is making these processes more efficient.
There’s also a shift in how victims view the ethics of paying ransoms. Many worry about the legality of sending money to unknown actors, particularly if those groups have ties to state-sponsored terrorism. Geyer noted that having more information helps victims make more informed choices about whether to pay up.
Chainalysis also highlighted a shift in the ways cybercriminals are moving their profits. The use of cryptocurrency mixers has dropped significantly, likely due to stricter sanctions and police actions. Ransomware funds are now flowing more through centralized exchanges and personal wallets, with cross-chain bridges taking the place of mixers.
Interestingly, ransomware operators seem to be cashing out less than before, likely because of the increasing unpredictability of law enforcement actions. This raises concerns about where they can securely hold their funds.
Jon Miller, CEO of Halcyon, pointed out another perspective. The U.S. election year in 2024 may have played a role in the decline of ransomware payments. With heightened scrutiny and the need for cybersecurity, some of the top operators could have been pulled away to support state-sponsored efforts, especially given previous patterns of resource reallocation toward political goals.