American blockchain analysis firm Chainalysis reports that ransomware payments declined significantly in 2024, dropping to $813 million from $1.25 billion in 2023 - a 35% decrease. The company's sleuthing also revealed that only 30% of victims who entered negotiations with ransomware actors ultimately paid a ransom. That’s big. And this downward payment trend occurred despite 2024 being a record year for ransomware attacks overall.
This work reveals a disconnect between attack volume and successful extortion, suggesting organizations are becoming more resilient to ransomware pressure tactics. Some of the possible factors contributing to the decrease in ransomware payments include:
- Law Enforcement and International Collaboration: Increased law enforcement actions and improved international collaboration have been effective in disrupting ransomware operations. For example, the takedown of LockBit by the UK's National Crime Agency (NCA) and the US FBI led to a 79% decrease in payments.
- Increased Gap Between Demands and Payments: The difference between ransom demands and actual payments is increasing. Incident response data shows that a majority of clients do not pay at all.
- Shift in Ransomware Ecosystem: The collapse of LockBit and BlackCat led to a rise in lone actors and smaller groups that focus on small to mid-size markets with more modest ransom demands.
- Illegitimate Victims on Data Leak Sites (more on this below): Some threat actors have been caught overstating or lying about victims, or reposting claims about old victims. After being ostracized by the underground community following law enforcement action, LockBit posted victims to its data leak site of which as many as 68% were repeat or fabricated claims.
- Ransomware Actors Abstaining From Cashing Out: Ransomware operators are increasingly abstaining from cashing out their funds (so the flow of funds goes untracked), likely due to uncertainty and caution amid law enforcement actions targeting the individuals and services that facilitate ransomware laundering.
- Victim Refusal to Pay: More victims are choosing not to pay ransoms due to improved cyber hygiene and overall resiliency.
Chainalysis also gives a summary of the data leak trends in 2024:
- unprecedented growth in ransomware data leak sites, with 56 new sites emerging in 2024 – more than twice the number identified in 2023
- researchers note significant concerns about the accuracy of these reported leaks:
  - many leaks overstated their impact, claiming entire multinational organizations when only small subsidiaries were affected
  - over 100 organizations appeared on multiple leak sites
  - ransomware gang LockBit, following law enforcement disruption, artificially inflated its numbers by reposting old victims and fabricating new ones – with up to 68% of its posts being repeat or false claims
This analysis suggests that while data leak sites showed record numbers in 2024, the actual scope of successful ransomware attacks may be significantly lower than the raw numbers indicate.