Ransomware extortion payments fell in 2024, according to blockchain analyst biz Chainalysis this week.
Like infosec outfit NCC, Chainalysis thinks ransomware attacks increased during 2024. However, the blockchain inspectors’ data suggests fewer victims paid ransoms, and online extortionists therefore raked in just $813.55 million last year compared to 2023’s record-breaking haul of $1.25 billion. To be clear, those figures cover only cryptocurrency payments that could be observed on public blockchains.
“The number of ransomware events increased into the second half of the year, but on-chain payments declined, suggesting that more victims were targeted, but fewer paid,” Chainalysis said.
The results are perhaps a little surprising, considering the record-breaking $75 million payout by a Fortune 50 company to the Dark Angels crew in August 2024. On the other hand, perhaps payment amounts are down because organizations can’t afford to pay, aren’t allowed to pay, don’t want to pay out of principle, or don’t need to pay because the impact isn’t worth the ransom demand.
Chainalysis’s numbers also warrant careful consideration, as it uses volume of activity on ransomware gangs’ data leak sites as a proxy for evidence of ransomware attacks rather than direct tallies of such incidents.
One might have hoped ransomware infections would be on the slide given law enforcement agencies have busted big ransomware gangs, but at least takings are down. The BlackCat and/or AlphV crew were smashed by police in December 2023. February 2024 saw an international operation take down the infamous LockBit operation.
Both groups later bounced back and resumed attacks. However, Chainalysis quoted Lizzie Cookson, senior director of incident response at ransomware specialists Coveware, as saying: “The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV.”
“We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high profile takedowns and closures,” Cookson said. “The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”
Another possible reason for the drop in ransom payments is, as we suspected, businesses are better prepared to recover from infections. Cookson opined victims feel it is cheaper to rebuild systems from secure backups than pay a ransom to retrieve information. Compromised machines need to be thoroughly wiped anyway.
“They may ultimately determine that a decryption tool is their best option and negotiate to reduce the final payment, but more often, they find that restoring from recent backups is the faster and more cost-effective path,” she said.
Another factor is the criminals are learning that Bitcoin transactions and other forms of digi-cash transfers are harder to hide than expected, which means the ransomware business model becomes riskier.
That could be the result of concerted police action against cryptocurrency mixers such as Chipmixer and the North Korean favorite Sinbad; those takedowns make it harder to obfuscate evidence of digi-cash transactions.
Chainalysis noted the use of mixer services dropped markedly during 2024 and an increasing number of miscreants looked for different ways to access their coin.
Governments are taking an increasingly strong line against ransomware operators. Both the UK and US governments have come out against paying the extortionists. There’s also anecdotal evidence the insurance industry – which gained a reputation for encouraging victims to pay up to reduce overall costs – is getting wise to the fact that feeding criminals money is unlikely to fix anything. ®