Total ransomware payments to attackers plummeted by 35% in 2024, with victims increasingly refusing to meet the demands of cybercriminals, according to new data from blockchain analysis firm Chainalysis.

Despite a rise in reported ransomware incidents in the second half of the year, total ransom payments fell from a record $1.25 billion in 2023 to $813.55 million in 2024, marking a significant shift in the cyber threat landscape.

Why did ransomware payments decline in 2024?

The drop in ransom payments coincided with an international crackdown on ransomware-as-a-service (RaaS) groups.

One of the most impactful operations was the dismantling of LockBit by the UK’s National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) in early 2024, leading to a 79% drop in ransom payments attributed to the group in the latter half of the year.

Security experts attribute the declining payments to improved law enforcement collaboration, stronger corporate cybersecurity measures, and growing resilience among victims. “The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” Lizzie Cookson, senior director of Incident Response at Coveware, told Chainalysis.

“We saw a rise in lone actors, but no single group emerged to dominate the market as we’ve seen after past takedowns.”

Are small businesses more vulnerable to ransomware attacks in 2025?

With traditional ransomware groups facing disruption, attackers have adjusted their strategies. The report finds that new ransomware strains have emerged from rebranded, leaked, or purchased code, allowing for faster attacks and negotiations within hours of data exfiltration.

Many cybercriminals have also turned their focus to small and medium-sized enterprises (SMEs), which often lack the robust cybersecurity defences of larger corporations.

While ransom demands varied significantly, incident response data shows that the gap between the amounts demanded and the amounts paid widened in 2024, with a 53% difference in the second half of the year.

“Around 30% of negotiations actually lead to payment,” explained Dan Saunders, director of incident response for EMEA at Kivu Consulting.

“Many organisations are now choosing to rely on backups or decryption tools rather than paying the ransom.”

Data leak sites reveal a different picture

Despite the decline in ransomware payments, the number of victims listed on data leak sites reached an all-time high in 2024. Over 100 organisations were listed on multiple leak sites, sometimes because attackers inflated their numbers or recycled old victim data to maintain an appearance of activity.

Threat analysts warn that many claims made on these leak sites are misleading, with groups like LockBit posting fabricated victim information after law enforcement disrupted their operations.

Corsin Camichel, a threat researcher at eCrime, explained: “We have observed instances where attackers claim to have compromised multinational firms, when in reality, only a minor subsidiary was affected. The LockBit operators, in particular, engaged in deceptive practices to appear active post-disruption.”

Is ransomware on a fragile decline?

While the decline in payments is seen as a positive sign, cybersecurity experts caution that ransomware threats remain persistent. “While I think this is great news, and I hope it dissuades would-be threat actors from getting into ransomware in search of a huge payout, the war is far from over,” said Roman Y. Sannikov, president at Constellation Cyber LLC, in a LinkedIn post.

“Cybercriminals are now targeting smaller organisations, where even a modest ransom demand can have devastating financial consequences.”

Governments are also taking further steps to curb ransomware payouts. In the UK, ministers are considering banning ransomware payments by schools, NHS trusts, and local councils.

Proposed regulations would also require private companies to report ransomware incidents, potentially giving authorities greater insight into attack trends and response strategies.

The 35% drop in ransomware payments signals progress in the fight against cyber extortion, largely driven by law enforcement interventions and victim resistance.

However, the report concludes that the ransomware landscape remains dynamic, with cybercriminals adapting tactics to evade crackdowns. As the battle between law enforcement and ransomware groups continues, organisations must prioritise cybersecurity resilience and incident response preparedness to stay ahead of emerging threats.
