Ransomware payments drop for first time in years following law enforcement disruptions
Efforts to starve ransomware cybercriminals of their profits appear to finally be having an effect, with the extortion payments that have been funding the criminal ecosystem dropping last year, according to a new report by Chainalysis.
The surprising and significant drop — down approximately 35% from $1.25 billion to $812.55 million — took place almost entirely in the second half of the year, with the first six months initially indicating 2024 would actually be “the worst year on record,” as the company said at the time.
“We were on pace for a record year,” said Jackie Burns Koven, the company’s head of cyberthreat intelligence, speaking to Recorded Future News. Around the half-way mark, the data suggested “we were surpassing the year prior, which was a record year.”
But instead of reaching new heights, for the first time in two years ransomware payments dwindled — both in terms of the number of payments and the total sum being paid.
This came amid disarray in the ransomware ecosystem driven substantially by the disruption operation targeting LockBit, the market-leading ransomware group, as well as the exit scam by the AlphV/BlackCat group.
Koven said the company’s report, based on blockchain and other crypto asset ledger analysis, had been affirmed by incident response firms, several of which are quoted saying their clients were paying less and doing so less often.
She credited law enforcement disruptions of ransomware gangs, as well as of crypto laundering services, as a major driver behind the ecosystem’s troubles.
“Every major attack that we suffered last year, those groups behind them no longer exist. They’ve sent the message that if you stick your head up too much, we’re coming for you, you’re on the list,” she told Recorded Future News.
Laura Galante, a former director for cyber at the Office of the Director of National Intelligence, told journalists last September that disruptions such as those by the FBI and Britain’s National Crime Agency were intended to have a strategic effect on the problem, particularly by undermining the dominant ransomware-as-a-service providers and driving decentralisation across the criminal market.
“Disruption operations have been really key to making this harder for certain groups to really get deeper and more specialized and mature, and makes the organizations a little bit more chaotic, which ends up being helpful because it takes more time for them to reconstitute and have successful operations in the future,” said Galante.
Koven noted that victims are increasingly “opting not to pay, and there’s a number of reasons for that. Not only did those disruptions of LockBit and the exit-scam of AlphV/BlackCat instill distrust amid affiliates, it also instilled distrust to victims and those that represent them. There’s no guarantee that data will be deleted. I think that’s abundantly clear from those, so the whole premise for paying has been shot to hell.
“And then — and I think this has been years in the making — I think we have victims that are better defended and better prepared for if and when they’re attacked,” she added.
But the Chainalysis researcher cautioned it was “premature to be celebrating,” describing the new situation as “extremely fragile and could turn on a dime. … There’s always going to be a new kid on the block that comes through and is able to take advantage of the situation. There’s always going to be new vulnerabilities, and the attack numbers are still staggering,” said Koven.
In the past few months alone, ransomware disrupted a major New York blood donation center, an energy industry contractor, a state-owned energy company in Costa Rica, a supply-chain management software firm and the government of Rhode Island.
“We are still facing the most vulnerable victims being targeted — and hospitals and schools — we’re still getting breach notifications,” said Koven. “Critical infrastructure [is still being impacted.] It’s still very serious and very dangerous.”
Editor's Note: The spelling of Jackie Burns Koven's surname has been corrected.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.