Ransomware attacks surged last year, but victim payments declined as users refused to meet demands amid increased recovery efficiency by law enforcement.
The lucrative ransomware business earned less from victim payouts year-over-year despite a rise in attacks launched by bad actors in 2024, according to a Chainalysis crime report.
The report found that ransomware payments fell by 35% last year, totaling $813 million compared to a record $1.25 billion the year before. Cybercriminals initially saw success in the first half of 2024, with a 2.3% uptick in successful extortion attempts, including $75 million collected by the illicit Dark Angels Group.
However, improved crypto investigative practices, sanctions, and asset seizures disrupted criminal networks in the latter half of the year. Chainalysis noted that restrictions on Russia’s crypto exchange Cryptex and Germany’s crackdown on 47 Russian-based platforms significantly hindered ransomware money laundering operations.
Jacqueline Burns Koven, Chainalysis’ head of cyber threat intelligence, wrote that bad actors increasingly hesitated to cash out criminal proceeds via centralized crypto exchanges. However, non-KYC CEX platforms remained the preferred channel for converting stolen crypto into fiat currency.
More victims also refused to pay ransoms despite the growing frequency of cyberattacks, encouraged by improved crypto-tracing tools and strengthened investigative efforts.
Less than 50% of ransomware campaigns yielded payouts in 2024. Those who complied typically paid up to $250,000 in ransom demands. However, attackers have adapted to evolving security measures, employing new strategies to breach databases and pressure victims into paying.
In response, many attackers shifted tactics, with new ransomware strains emerging from rebranded, leaked, or purchased code, reflecting a more adaptive and agile threat environment. Ransomware operations have also become faster, with negotiations often beginning within hours of data exfiltration. Attackers range from nation-state actors to ransomware-as-a-service (RaaS) operations, lone operators, and data theft extortion groups, such as those who extorted and stole data from Snowflake, a cloud service provider.
Chainalysis 2025 crime report
