The total illicit revenue amassed by ransomware syndicates throughout 2024 has contracted to $813.5 million, marking a substantial downturn from the staggering $1.25 billion siphoned in 2023.
According to blockchain intelligence firm Chainalysis, the first half of 2024 alone saw $459.8 million extracted from victims, yet post-July, there was a discernible 3.94% decline in ransom-related financial activity.
“The sheer number of ransomware intrusions escalated during the latter half of the year, yet blockchain transactions linked to payouts receded. This dynamic suggests that while cybercriminals cast a wider net, fewer entities acquiesced to extortion demands,” the firm reported.
One of the defining shifts in the ransomware landscape is its increasing fragmentation. The downfall of behemoth groups like LockBit and BlackCat has fostered an influx of smaller, more agile threat actors who pivot towards targeting mid-sized organizations rather than high-profile enterprises, resulting in comparatively modest ransom requests.
Insights from Coveware reveal that the average ransom settlement in Q4 2024 climbed to $553,959, exceeding the Q3 average of $479,237. However, the median payment nosedived from $200,000 to $110,890, reflecting a precipitous 45% drop between quarters.
“Organizations now overwhelmingly view ransom payments as a measure of absolute last resort, only opting for this course when no alternative data restoration methods exist,” Coveware noted.
A growing reluctance to remit payments stems from two key factors: the proliferation of unreliable decryption utilities—both from emergent and well-established ransomware variants—and diminishing trust in cyber extortionists’ willingness to honor their word. The cumulative effect has pushed many victims to disengage from negotiations unless left with no viable recourse.
This downward trajectory in ransom disbursements has been further bolstered by intensified law enforcement crackdowns on cybercriminal infrastructures and cryptocurrency laundering conduits, heightening operational risks and constraining the financial appeal of ransomware campaigns.
Despite these deterrents, 2024 witnessed a dramatic surge in attack frequency, logging a staggering 5,263 ransomware incidents, the highest annual count since 2021 and a 15% increase year-over-year.
“Industrials, a cornerstone of the global economy, bore the brunt of 27% (1,424) of all recorded ransomware incidents in 2024, marking a 15% rise from 2023,” reported NCC Group. “Meanwhile, North America remained the epicenter, accounting for a dominant 55% of global attacks.”
Among the most prolific ransomware strains of 2024 were Akira (11%), Fog (11%), RansomHub (8%), Medusa (5%), BlackSuit (5%), BianLian (4%), and Black Basta (4%), while independent actors—operating without allegiance to any major syndicate—captured an 8% market share.
Several nascent ransomware operations emerged in recent months, including Arcus Media, Cloak, HellCat, Nnice, NotLockBit, WantToCry, and Windows Locker. Of particular concern is HellCat, which has been documented leveraging psychological coercion tactics, publicly shaming victims to intensify pressure for compliance.
Meanwhile, Akira and Fog appear to share an operational framework, as evidenced by their identical money laundering methodologies, which diverge from the conventional laundering patterns of other ransomware factions.
“Both groups have exhibited a preference for breaching organizations via VPN vulnerabilities, granting them unauthorized ingress into networks where they subsequently unleash their ransomware payloads,” Chainalysis reported.
The evolving ransomware terrain underscores a growing complexity: While the frequency of attacks climbs, the efficacy of cyber extortion as a lucrative enterprise is increasingly being undercut by defensive countermeasures and a shifting threat landscape.