Full Report
Researchers at Chainalysis report that ransomware payments dropped in 2024, down approximately 35% from $1.25 billion to $812.55 million. Global law enforcement actions may have helped.
Analysis Summary
# Incident Report: Decline in Global Ransomware Extortion Payments
## Executive Summary
Global ransomware extortion payments fell approximately 35% year over year, from $1.25 billion to $812.55 million, with the decline concentrated in the second half of the analyzed year and contrary to the record year the first half had suggested. Two factors are credited: law enforcement disruption operations against major ransomware-as-a-service (RaaS) providers such as LockBit, and the exit scam by AlphV/BlackCat, which together eroded affiliates' trust in the large RaaS brands and made victims more sceptical that paying buys anything. Better-prepared victims contributed as well. Despite this positive trend, the overall threat remains staggering, with critical infrastructure, including hospitals and schools, continuing to suffer attacks.
## Incident Details
- Discovery Date: N/A (full-year dataset; the decline became visible in the second-half figures).
- Incident Date: The analysis covers payments across the entire year, with the trend reversing around the halfway mark.
- Affected Organization: N/A (Market-wide analysis)
- Sector: All sectors targeted by Ransomware-as-a-Service (RaaS) operations.
- Geography: Global observation based on blockchain analysis.
## Timeline of Events
### Initial Access
- Date/Time: First half of the year.
- Vector: Ransomware attacks in general; the report does not break out initial-access vectors for individual incidents.
- Details: Payment volumes in the first six months were on pace to exceed the previous year's record, before dropping sharply in the second half.
### Lateral Movement
- Not detailed, as the report focuses on the financial impact and ecosystem disruption rather than specific intrusion steps.
### Data Exfiltration/Impact
- Overall monetary impact decreased substantially in H2.
- Key ransomware groups (LockBit, AlphV/BlackCat) faced major operational disruptions, undermining trust in their services for data protection guarantees.
### Detection & Response
- Detection: Chainalysis measured payments by tracing on-chain transfers to known ransomware wallets; incident response firms independently reported that a smaller share of their clients chose to pay.
- Response actions taken: Law enforcement disruption operations against ransomware gangs and the crypto laundering services they rely on were a major driver of the observed decrease.
## Attack Methodology
- Initial Access: Ransomware deployment (specific vectors not detailed).
- Persistence: Not detailed for individual intrusions; at the ecosystem level, the dominant RaaS groups that sustained the market were themselves disrupted.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Not detailed.
- Exfiltration: The drop in payments indicates that double-extortion threats (publishing exfiltrated data) became less effective at coercing payment, in part because victims no longer trust that paying buys deletion.
- Impact: Targeted critical infrastructure sectors including blood centers, energy contractors, energy companies, and government entities (e.g., Rhode Island).
## Impact Assessment
- Financial: Total global ransomware payments dropped 35% to $812.55 million.
- Data Breach: Not quantified, but breaches continued to occur across vulnerable sectors.
- Operational: Disruption noted for specific victims, including a large New York blood donation center, an energy contractor, and the government of Rhode Island.
- Reputational: The collapse/disruption of major groups like LockBit and AlphV/BlackCat damaged the reputation of ransomware services regarding reliability for paying victims.
## Indicators of Compromise
- **Network indicators (Defanged):** N/A (General ecosystem analysis).
- **File indicators:** N/A.
- **Behavioral indicators:** N/A at the host or network level. Ecosystem-level signals were the law enforcement disruptions acting as a deterrent and a measurable rise in victims declining to pay.
## Response Actions
- **Containment measures:** Law enforcement executed successful operations against market leaders (e.g., LockBit takedown).
- **Eradication steps:** Disruption of the underlying RaaS model and affiliated crypto laundering infrastructure.
- **Recovery actions:** Victims are reportedly better defended and prepared for successful recovery when attacked.
## Lessons Learned
- Law enforcement disruption operations against dominant RaaS providers have a significant strategic effect on decentralizing and destabilizing the criminal ecosystem.
- Victim willingness to pay is falling because the core promises behind a ransom (decryption support, data deletion, no re-extortion) proved unenforceable once the groups making them collapsed or exit-scammed.
- Better organizational cyber defenses are contributing to the reluctance to pay.
- Caution is warranted: The situation is "extremely fragile," and new threat actors or vulnerabilities could rapidly reverse this trend.
## Recommendations
- Continue and intensify collaborative international law enforcement efforts targeting the infrastructure and leadership of ransomware groups.
- Organizations must prioritize improving internal cyber defenses and ensuring robust backup and incident response plans, reducing their reliance on paying ransoms.
- Continuously monitor the ecosystem volatility, as the fragmentation caused by major disruptions often leads to new, specialized actors emerging.