Ransomware attackers in 2024 collected over $815 million from victims, per a recent report.
Chainalysis 2025 crypto crime report shows that last year, ransomware attackers were able to pull in 35% less money from victims compared to 2023, when they were able to steal $1.25 billion.
The blockchain data analysis firm revealed that this the first time ransomware revenues have gone down since 2022, signaling that more victims are refusing to pay and instead finding other ways to recover their data.
Ransomware is a type of malicious software (malware) that locks or encrypts a victim’s files, rendering them inaccessible until a ransom is paid to the attacker.
Cybercriminals use this tactic to extort money from individuals, businesses, and even governments by threatening to delete or leak sensitive data if payment is not made.
These attacks typically occur when victims unknowingly download infected files, click on malicious links, or fall for phishing scams. Once activated, the ransomware can quickly spread across a network, locking crucial files and disrupting operations.
Comparing the figures of 2024 with those of previous years, Chainalysis noted significant changes in ransomware payments over time. In 2020, nearly $1 billion was paid to attackers, rising slightly to $1.07 billion in 2021.
In 2022, payments decreased to $655 million before surging to $1.25 billion in 2023. The notable decline in 2024 suggests that organizations are becoming more resilient in dealing with these attacks.
Attackers demand for action quicker
Chainalysis noted not only a decline in ransomware revenue but also a shrinking time difference between when attackers lock up victims’ data and demand ransom. Attackers now act swiftly, often contacting victims within hours of data theft.
Previously, victims had more time to assess the damage before being pressured to pay. Now, criminals demand immediate action, making it harder for businesses to respond effectively.
This shift is partly due to the fall of two major ransomware groups, LockBit and BlackCat/ALPHV. These groups were among the most dangerous in recent years, responsible for high-profile cyberattacks targeting businesses, government agencies, and critical infrastructure worldwide.
LockBit stood as one of the most enduring and successful ransomware groups. It operated on a ransomware-as-a-service (RaaS) model, allowing hackers to “rent” its ransomware tools in exchange for a portion of the ransom payments. This model enabled a variety of cybercriminals to launch attacks using LockBit’s technology.
Known for its rapid encryption speed and aggressive tactics, LockBit frequently targeted large organizations, demanding millions in ransom. The group employed double extortion, locking victims’ files and threatening to leak sensitive data if the ransom was not paid.
However, in 2024, LockBit collapsed after law enforcement agencies, including the FBI and Europol, disrupted its operations. Many members were arrested, and its infrastructure was dismantled.
BlackCat, also known as ALPHV, was a significant ransomware group operating with a Ransomware-as-a-Service (RaaS) model. Notably, it was among the first ransomware strains written in Rust, a programming language that complicated detection by security tools.
Similar to LockBit, BlackCat targeted large organizations, employing double extortion tactics to compel victims to pay. It was especially active against healthcare, education, and financial institutions.
In 2024, BlackCat disbanded following an exit scam, where the cybercrime leaders vanished with the funds instead of distributing them to their affiliates. This left many hackers associated with BlackCat stranded, pushing them to join other ransomware groups or establish new ones.
Read also: Chainalysis predicts illicit crypto could hit $51 billion in 2024, but will be the smallest market share in three years.
Following the collapse, Chainalysis noted that no single new group fully assumed their role aside from RansomHub. Instead, the market became more fragmented, with numerous smaller attackers emerging. These newcomers primarily focus on small and mid-sized businesses, demanding lower ransoms than their major predecessors.
The rise of RansomHub
RansomHub, a new ransomware-as-a-service (RaaS) group that emerged in February last year, has absorbed many cybercriminals who lost their place when the bigger groups shut down.
Although RansomHub only emerged in February 2024, it has become one of the most active ransomware spots of the year, attacking the most victims and ranking among the top 10 ransomware strains.
Demand vs payment
Another major trend in 2024 was the growing difference between the amounts that hackers demanded and what victims actually paid.
In the second half of the year, payments were, on average, 53% lower than the original ransom requests.
Reports from cybersecurity firms show that most companies now choose not to pay at all, meaning the real gap between demands and payments is likely even bigger.
Dan Saunders, Director of Incident Response at Kivu Consulting, explained that only about 30% of ransomware negotiations lead to payments. Victims are getting smarter about whether their stolen data is actually worth paying for.
Many now refuse to pay for data recovery, believing they can retrieve their information through other means. Tools are being developed to help recover stolen data without succumbing to ransomware demands.
Additionally, many businesses maintain solid backups, enabling them to restore data without paying. Even when negotiations occur, businesses often manage to reduce the final payment.
As more businesses refuse to pay and improve their recovery capabilities, ransomware groups may find it increasingly difficult to profit in the coming years. If this trend continues, cybercriminals might have to change their tactics—or risk losing even more profits.
