After ransomware gangs extorted a record-breaking US$1.25 billion in 2023, and the value stolen in the first half of 2024 rose 2.38% year-on-year, cybercriminals seemed poised for another record payday. However, a sharp pullback in the latter half of 2024 radically changed the year’s outcome, instead resulting in overall ransomware payments seeing a sharp and encouraging 35% decline.
This is according to findings from the Chainalysis 2025 Crypto Crime report, which also noted that the US$813million attackers extorted from their victims last year included a record-breaking outlier in the US$75million paid by an undisclosed victim to the Dark Angels group. “For years now, the cybersecurity landscape seemed hurtling towards a so-called ransomware apocalypse, so this sharp decline, to levels even lower than those in 2020 and 2021 speaks to the effectiveness of law enforcement actions, improved international collaboration, and a growing refusal by victims to cave into attackers demands,” said Jacqueline Burns Koven, Head of Cyber Threat Intelligence at Chainalysis.
Another positive trend is the widening gap between the amounts demanded by bad actors and the actual payouts made by victims — in H2 2024, there was a 53% difference between the two. Moreover, despite the number of ransomware events actually increasing in the second half of 2024, the number of on-chain payments declined, suggesting that while more victims were targeted, fewer paid. In cases where victims did pay attackers, on average, the final amounts for these ransoms typically ranged between US$150,000 to US$250,000, regardless of attackers’ initial demands.
For attackers who received payments, Centralized Exchanges (CEXs) were a preferred means of converting their crypto gains into fiat currencies. Consequently, actions such as the sanctioning of Russia-based exchange Cryptex and the German Federal Criminal Police (BKA)’s seizure of 47 Russian language no-KYC crypto exchanges — both in September 2024 — have impacted the ability of ransomware actors to launder their illicit earnings. Chainalysis data shows that substantial volumes of crypto funds extorted by ransomware groups last year continue to be held in personal wallets.
“Ransomware operators, a primarily financially motivated group, are abstaining from cashing out more than ever. This potentially indicates a fear of being traced, identified, and prosecuted by law enforcement agencies, made possible with the help of crypto investigation tools such as those provided by Chainalysis,” added Koven.