Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023

Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023.

The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding that payment activity slumped after July 2024 by about 3.94%.

“The number of ransomware events increased into H2, but on-chain payments declined, suggesting that more victims were targeted, but fewer paid,” the company said.

Adding to the challenges is an increasingly fragmented ransomware ecosystem, which, in the wake of the collapse of LockBit and BlackCat, has led to the emergence of a lot of newcomers that have eschewed big game hunting in favor of small- to mid-size entities that, in turn, translate to more modest ransom demands.

According to data compiled by Coveware, the average ransomware payment in Q4 2024 was $553,959, up from $479,237 in Q3. The median ransomware payment, in contrast, dropped from $200,000 to $110,890 quarter-over-quarter, a 45% drop.

“Payments continue to remain primarily a last-resort option for those who have no alternative to recover critical data,” the company said.

“Faulty decryption tools from both new and old ransomware strains and mounting distrust of threat actors’ ability to honor assurances compound to drive victims away from the table unless they have no other option.”

The decline in ransom payments has also been complemented by growing law enforcement success in dismantling cybercriminal networks and crypto laundering services, thereby disrupting the financial incentive and raising the barriers to entry.

That said, 2024 also witnessed the highest volume of annual ransomware cases since 2021, reaching a staggering 5,263 attacks, an increase of 15% year-over-year.

“With a crucial role in the global economy, Industrials experienced 27% (1424) of all ransomware attacks in 2024, increasing 15% from 2023,” NCC Group said. “North America experienced over half of all attacks in 2024 (55%).”

The most commonly observed ransomware variants during 2024 were Akira (11%), Fog (11%), RansomHub (8%), Medusa (5%), BlackSuit (5%), BianLian (4%), and Black Basta (4%). Lone wolf actors captured an 8% market share during the time period.

Some of the new entrants observed in recent months include Arcus Media, Cloak, HellCat, Nnice, NotLockBit, WantToCry, and Windows Locker. HellCat, in particular, has been found resorting to psychological tactics to humiliate victims and pressure them into paying up.

“Both Akira and Fog have used identical money laundering methods, which are distinct from other ransomware strains, further supporting a connection between them,” Chainalysis said.

“Both groups have primarily focused on exploiting VPN vulnerabilities, which allows them to gain unauthorized access to networks and consequently deploy their ransomware.”
