Chainalysis Reports Upsurge in Ransomware Attacks in 2024 but Lower Ransom Payments

A blockchain analysis indicates a growing unwillingness to pay ransomware groups. Chainalysis’ new report showed a 35% year-over-year decrease in ransom payments, from $1.25 billion (2023) to $813,550,000 (2024). The 2024 figure is the second-lowest yearly total in the last 5 years, after the $655.44M in 2022.

In H1 of 2024, 2.38% more listings were added to ransomware groups’ data leak websites than in the same period of 2023. Attacks kept increasing in H2, with the highest number occurring in November 2024; nevertheless, November had the smallest number of ransom payments made in 2024. Fewer than 50% of ransomware attack victims paid the ransom.

When organizations receive a ransom demand, talking with the cybercriminal group is often the chosen option. Ransomware groups appear willing to negotiate and do not mind accepting lower ransom payments. Fewer than 30% of organizations that started negotiations paid a ransom.

The analysis points to growing doubt that ransomware groups will delete stolen information after receiving the ransom payment. It also shows that companies, including HIPAA-covered entities, are learning that it is cheaper to accept the reputational damage and restore encrypted information from backups than to pay a ransom.

Payments decreased year-over-year even though the number of successful attacks has risen. Over 5,260 successful attacks were discovered in 2024, with more victims added to data leak websites than in any other year so far. 2024 also saw the creation of 56 new data leak websites. The increase in attacks and in announcements on data leak sites indicates that ransomware groups are responding to diminishing returns by performing more attacks.

The ransomware ecosystem changed considerably in 2024 following major law enforcement campaigns targeting two ransomware groups, ALPHV/BlackCat and LockBit. Operation Cronos, the law enforcement operation against LockBit, caused a major disruption to LockBit operations. Although the group responded to the shutdown of its infrastructure by publishing a large number of victims on its data leak website, that seems to have been an attempt to show affiliates that the group remained active and relevant.

The law enforcement campaign against ALPHV/BlackCat also disrupted the group’s activities, and the group ceased operations in 2024. The group’s last victim was Change Healthcare, which paid a $22 million ransom.

Because of the disruption to LockBit and ALPHV/BlackCat operations, many affiliates moved to other ransomware groups, fragmenting the ransomware landscape. There are now many lone threat actors and small ransomware groups attacking SMEs, which results in smaller payments. The only ransomware group that increased its campaigns in H2 2024 was Akira.

The RansomHub group is known to actively recruit affiliates from ALPHV/BlackCat and LockBit, and it became a highly regarded ransomware group last year. RansomHub's growth in activity made it one of the top ten groups by ransom payments.

Chainalysis also reported on law enforcement initiatives to shut down cryptocurrency mixers, which ransomware groups use to conceal their ill-gotten funds. Because of this, ransomware groups are seeking other means to launder their money and cover up their activities, such as cross-chain bridges, though centralized exchanges remain their primary cash-out system. Many affiliates have chosen to keep their profits in personal wallets and not withdraw them for fear of being traced and arrested.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown