Unexpectedly, ransomware payments for 2024 saw a significant decrease of 35%, amounting to around $813.55 million. This decline follows a period where payments had exceeded $1 billion in 2023. The reduction was mainly influenced by successful law enforcement operations and enhanced cybersecurity practices, allowing more victims to resist paying, as stated by blockchain platform Chainalysis.
The decrease came as a surprise given the initial upward trajectory observed earlier in the year. Initially, ransomware groups extorted 2.38% more in the first half of 2024 compared to the same period in 2023, suggesting a continued rise in payments. However, this growth was short-lived, with payment activity dropping by about 34.9% in the latter half of the year.
Chainalysis reports that Akira was the only one of the top 10 ransomware groups from the first half of 2024 to escalate its operations in the latter half. Moreover, as 2024 progressed, fewer exceptionally large ransoms were paid compared to the record-breaking $75 million paid to Dark Angels in early 2024.
Data from incident response also showed a widening gap between the amounts criminals demanded and the amounts victims actually paid, which grew to 53% in the second half of the year. Chainalysis analysts attribute this to enhanced resilience among organizations, enabling them to explore recovery alternatives like decryption tools or data restoration from backups instead of complying with ransom demands.
Despite the overall decrease in ransom payments, the count of new data leak platforms doubled in 2024, according to Recorded Future. However, Chainalysis noted that many organizations had their data listed multiple times, with ransomware groups often exaggerating claims of breaching multinational corporations when, in reality, only a single branch was affected.
Hackers may inflate or misrepresent the extent of a victim’s compromised data, occasionally reposting outcomes of previous attacks. This tactic is commonly employed to maintain relevance or activity post-law enforcement operations – a scheme dubbed “Operation Cronos” by criminals.
LockBit and ALPHV: Influence and Impact
The infamous ransomware group LockBit, which deployed the most widespread type of ransomware globally in 2023, was targeted in a law enforcement operation in February 2024. The Cyber Division of the U.K. National Crime Agency, the FBI, and global partners collectively shut down their website, which served as a major ransomware-as-a-service hub.
While LockBit resumed activities at a different deep web address shortly after, payments to the group decreased by 79% in the latter half of the year, per Chainalysis. Research by Malwarebytes also revealed that although LockBit initiated more individual attacks, the percentage of ransom incidents it claimed responsibility for dropped from 26% to 20%.
ALPHV, the second most prolific ransomware entity in 2023, also left a void after a botched cyber assault on Change Healthcare in February. Its failure to pay an affiliate their portion of the $22 million ransom prompted the affiliate to expose the group. Consequently, ALPHV staged a fake law enforcement takedown and ceased operations.
Reduced Mixer Usage and Growth of Personal Wallets: Signs of Law Enforcement Impact
In addition to the decrease in payments, Chainalysis pointed out further clues that the law enforcement actions of 2024 were effective. The utilization of mixing services, tools that obscure illicit cryptocurrency origins by combining them with other funds, declined among ransomware actors in 2024.
Chainalysis correlated this shift to sanctions and enforcement crackdowns on services like Chipmixer, Tornado Cash, and Sinbad. Rather than mixers, ransomware actors are utilizing cross-chain bridges to transfer cryptocurrency across different blockchains for their off-ramping activities.
Additionally, a considerable amount of criminal funds is now being held in personal wallets, indicating a reluctance to cash out.
“We attribute this primarily to heightened caution and uncertainty surrounding what is perceived as the unpredictable and decisive actions of law enforcement agencies against individuals and services involved in ransomware laundering, leading threat actors to feel uncertain about where they can securely deposit their funds,” noted the Chainalysis team.
Elevating Tactics: Ransomware Operatives Respond
Chainalysis cautioned that despite law enforcement disruptions, ransomware groups are evolving, with “novel ransomware variants emerging from leaked or purchased code” to evade detection. The report also highlighted a faster pace in attacks, with negotiations now commencing within hours of data compromise.
Nevertheless, authorities are catching on to the changing tactics and considering more drastic counter-strategies. Recently, the U.K. government disclosed plans to potentially prohibit ransom payments to make critical sectors less appealing to cybercriminals.
