After ransomware gangs extorted a record-breaking US$1.25 billion in 2023, and the value stolen in the first half of 2024 rose 2.38% year-on-year, cybercriminals seemed poised for another record payday. However, a sharp pullback in the latter half of 2024 radically changed the year’s outcome, instead resulting in overall ransomware payments seeing a sharp and encouraging 35% decline.
This is according to findings from the Chainalysis 2025 Crypto Crime report, which also noted that the US$813 million attackers extorted from their victims last year included a record-breaking outlier in the US$75 million paid by an undisclosed victim to the Dark Angels group. “For years now, the cybersecurity landscape seemed to be hurtling towards a so-called ransomware apocalypse, so this sharp decline, to levels even lower than those in 2020 and 2021, speaks to the effectiveness of law enforcement actions, improved international collaboration, and a growing refusal by victims to cave into attacker’s demands,” said Jacqueline Burns Koven, Head of Cyber Threat Intelligence at Chainalysis.
Another positive trend is the widening gap between the amounts demanded by bad actors and the actual payouts made by victims — in H2 2024, there was a 53% difference between the two. Moreover, despite the number of ransomware events actually increasing in the second half of 2024, the number of on-chain payments declined, suggesting that while more victims were targeted, fewer paid. In cases where victims did pay attackers, on average, the final amounts for these ransoms typically ranged between US$150,000 to US$250,000, regardless of attackers’ initial demands.
For attackers who received payments, Centralized Exchanges (CEXs) were a preferred means of converting their crypto gains into fiat currencies. Consequently, actions such as the sanctioning of Russia-based exchange, Cryptex, and the German Federal Criminal Police (BKA)’s seizure of 47 Russian language no-KYC crypto exchanges — both in September 2024 — have impacted the ability of ransomware actors to launder their illicit earnings. Chainalysis data shows that substantial volumes of crypto funds extorted by ransomware groups last year continue to be held in personal wallets.
“Ransomware operators, a primarily financially motivated group, are abstaining from cashing out more than ever. This potentially indicates a fear of being traced, identified, and prosecuted by law enforcement agencies, made possible with the help of crypto investigation tools such as those provided by Chainalysis,” added Koven.
While these developments bode well for businesses that have long battled the threat of ransomware, Chainalysis warned against complacency. “Today, 7-8 figure ransoms have become the outliers, as the ransomware actor landscape is dominated by groups extorting low- and mid-value payments,” Koven explained. “With smaller businesses also in the crosshairs, protecting these organisations is critical to economic resilience as in the UAE for example, the country’s over half a million SMEs contribute as much as 63% of the nation’s non-Oil GDP. It will take sustained collaboration and innovative defences to build on the progress made in 2024, and ensure organisations across all segments stay protected against the threat of ransomware.”
