Full Report
WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments. “Banks and other financial institutions play a key role in protecting our economy from ransomware and other...
Analysis Summary
# Incident Report: FinCEN Analysis of Major Ransomware Trends (2022-2024)
## Executive Summary
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) released a trend analysis covering ransomware incidents reported via Bank Secrecy Act (BSA) data between 2022 and 2024. During this three-year period, total reported ransomware payments exceeded $2.1 billion across 4,194 incidents. The year 2023 marked an all-time high for reported incidents and payments, though activity slightly decreased in 2024 following law enforcement disruptions. The analysis highlights key attack vectors, dominant ransomware strains, and the most impacted industries based on BSA filings.
## Incident Details
- **Discovery Date:** Analysis released in December 2025, detailing data through December 2024.
- **Incident Date:** Analysis covers incidents occurring between January 2022 and December 2024.
- **Affected Organization:** Not applicable; this is a trend analysis aggregating data across all reporting financial institutions.
- **Sector:** Financial Services, Manufacturing, and Healthcare were the most impacted industries overall.
- **Geography:** United States (based on BSA filings).
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout the 2022 – 2024 period, with peak activity in 2023.
- **Vector:** The most commonly reported channel for communication between threat actors and victims was the **The Onion Router (TOR)** anonymity network (67% of reports that specified a communication method). Other methods included email and private encrypted messaging services.
- **Details:** The analysis focuses on the *incident date* rather than the filing date to provide better visibility into attack timing.
### Lateral Movement
- *Details on specific lateral movement techniques are not provided in the summary, only the cumulative impact and threat actor prevalence.*
### Data Exfiltration/Impact
- **Impact:** Total reported payments exceeded **$2.1 billion** between 2022 and 2024.
- **2023 Peak:** 1,512 incidents reported, totaling $1.1 billion in payments (a 77% increase YoY from 2022).
- **2024 Decrease:** 1,476 incidents reported, totaling $734 million in payments, following law enforcement disruption of major groups.
### Detection & Response
- **Detection:** Incidents entered the dataset when financial institutions filed Suspicious Activity Reports (SARs) under the Bank Secrecy Act (BSA) for unusual transactions associated with ransomware payments.
- **Response Actions:** The response implicit in the data is SAR filing to FinCEN, which gives law enforcement the information needed to track trends and disrupt criminal groups.
## Attack Methodology
- **Initial Access:** Communication primarily via TOR, email, or encrypted messaging to initiate contact/extortion.
- **Persistence:** Not specified in the trend summary.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Not specified.
- **Exfiltration:** Not detailed in the summary; only implied by victims paying ransoms after system compromise.
- **Impact:** Encryption of systems leading to demands for monetary payment (ransomware).
**Most Prevalent Ransomware Variants (2022-2024):**
Akira, ALPHV/BlackCat (identified as the most prevalent), LockBit, Phobos, and Black Basta. The top 10 variants accounted for approximately $1.5 billion of the total reported payments.
## Impact Assessment
- **Financial:** Over **$2.1 billion** in reported ransomware payments across 4,194 incidents (2022-2024).
- **Median Payments:** $124,097 (2022), $175,000 (2023), $155,257 (2024). The most common payment range was below $250,000.
- **Data Breach:** Specifics on the volume/type of data are not detailed, but compromise required organizations to make ransom payments.
- **Operational:** Significant operational disruption implied for **Manufacturing (456 incidents, ~$284.6M paid)**, **Financial Services (432 incidents, ~$365.6M paid)**, and **Healthcare (389 incidents, ~$305.4M paid)**.
- **Reputational:** Not directly quantified, but FinCEN emphasizes the threat to the stability of the financial sector and national security.
## Indicators of Compromise
*Because this is a high-level statistical trend analysis, specific IOCs (IP addresses, domains, hashes) are not provided. The following general indicators are mentioned:*
- **Network indicators:** Communication over The Onion Router (TOR).
- **File indicators:** Use of recognized ransomware strains (ALPHV/BlackCat, Akira, LockBit).
- **Behavioral indicators:** Ransom payments processed through financial institutions, which in turn trigger BSA reporting.
## Response Actions
The primary action discussed is the *reporting mechanism* used by financial institutions:
- **Containment:** Not specified.
- **Eradication:** Not specified.
- **Recovery actions:** The analysis notes that law enforcement disruptions contributed to the decrease in 2024 activity, indicating success in coordinated response efforts against key threat groups.
## Lessons Learned
- **Reporting is Vital:** Prompt reporting of suspicious activity via BSA mechanisms provides critical, actionable information to law enforcement regarding emerging threat trends.
- **Trend Volatility:** Ransomware activity is responsive to external pressure; targeted law enforcement action against major groups can lead to observable drops in reported payments and incidents.
- **Historical Context:** The $2.1 billion in payments over three years (2022-2024) is comparable to the $2.4 billion paid in the preceding nine years (2013-2021), demonstrating a significant acceleration in financial impact recently.
## Recommendations
- Financial institutions must maintain robust BSA reporting processes so that regulators and law enforcement have timely awareness of cybersecurity threat patterns.
- Organizations across high-risk sectors (Financial Services, Manufacturing, Healthcare) should review defenses against the most prevalent ransomware variants identified (e.g., ALPHV/BlackCat).
- Implement multi-layered defense strategies, given that threat actors rely heavily on anonymized communication methods like TOR.