Chainalysis’ recent report on the changing ransomware landscape from 2023 to 2024 highlights a positive shift: more victims are refusing to pay the ransom. According to the blockchain analysis firm, the total volume of ransom payments decreased by approximately 35% year-over-year, with victims paying $1.25 billion in 2023 compared to $813.55 million in 2024.
The decline in ransom payments in 2024 can be attributed to a number of high-profile attacks that garnered attention. For example, hackers breached Snowflake accounts of multiple organizations, leading to data theft. Additionally, a disruptive ransomware attack against pathology services provider Synnovis impacted patients and affected the National Health Service in England.
However, the year also saw law enforcement agencies worldwide taking action against ransomware gangs. Operations such as the takedown of LockBit’s infrastructure, the unmasking of the LockBit leader and affiliates, the charging of a LockBit developer, and the sentencing of NetWalker affiliates contributed to the disruption of ransomware activities. These actions had a direct impact on the global amounts paid to ransom stolen or encrypted data, with the market never fully recovering after the fall of LockBit and BlackCat/ALPHV.
Lizzie Cookson, Senior Director of Incident Response at Coveware, noted that the emergence of new actors in the ransomware ecosystem, focusing on smaller markets with modest ransom demands, also played a role in the decline of ransom payments in 2024. Improved cyber hygiene and overall resiliency among potential victims further contributed to the decrease in total ransom amounts paid out.
In addition to the decrease in ransom payments, other notable trends emerged in the ransomware landscape in 2024. The rise of groups like RansomHub, which absorbed former affiliates of LockBit and ALPHV/BlackCat, and the increased speed of ransomware operations were identified by Chainalysis. Negotiations often began shortly after data exfiltration, while attackers’ dwell times before deploying ransomware increased as they sought to expand access and evade defenses.
Cisco Talos incident responders observed a significant increase in the use of remote access tools by ransomware operators, suggesting a shift in tactics to identify valuable data for exfiltration. Rapid7’s 2024 Ransomware Landscape report also highlighted the trend of threat actors demanding multiple payments for stolen data release, encryption keys sharing, and even refraining from launching DDoS attacks.
Overall, the ransomware landscape in 2024 showcased a complex interplay of factors affecting ransom payments, with law enforcement actions, evolving attacker tactics, and victim resilience all shaping the outcomes of ransomware incidents. As the cybersecurity community continues to adapt to these challenges, the fight against ransomware remains a critical focus to protect individuals and organizations from cyber threats.