
Sharp Drop in Ransomware Payments Signals Positive Trend

Throughout the previous year, the chaos caused by ransomware attackers was clear to see. Cybercriminals wreaked havoc on hundreds of American healthcare centers via an attack on Change Healthcare, exploited weak spots in Snowflake’s customer accounts to infiltrate high-profile victims, and squeezed a historic $75 million out of a single victim. However, beneath such dramatic headlines, the data reveal an unexpected plot twist: instead of skyrocketing, ransomware payments dropped overall in 2024, falling even more steeply in the latter half of the year than in any other six-month timeframe.

Chainalysis, a cryptocurrency tracking company, unveiled a section of its annual crime report centering on the ransomware industry. The report noted that ransomware payments in 2024 came to around $814 million, a significant decline from the previous year’s record of $1.25 billion. When broken down, the figures suggest a positive trend going forward: in the latter half of 2024, attackers were only able to rake in $321 million, a steep decline compared to the $492 million accrued in the first half of the year.

The sharp turnaround from rising figures in the early part of the year to the notable slump in the latter half was unforeseen. This decrease might stem from law enforcement interventions and disruptions, some of which may have had delayed effects. These effects might not have been obvious while the cybersecurity industry battled severe attacks in the first part of the year. For several of the significant threats faced last year, the culprits have either ceased to exist or gone into hiding.

Law enforcement has sent a clear message: cross the line, and there will be repercussions. In 2024, U.S. and U.K. law enforcement managed to carry out two impactful disruptions of major ransomware rings. Just before Christmas 2023, the FBI claimed to have detected flaws in the encryption software used by a group known as BlackCat or AlphV. As a result, they distributed decryption keys to the group’s victims, sabotaging its extortion plans and taking down its dark-web platforms.

In the following February, the U.K.’s National Crime Agency (NCA) launched a campaign against the infamous Lockbit ransomware group. The NCA took over Lockbit’s base, confiscated its digital wallets, shut down its dark-web presence, and secured data about its associates and cybercriminal collaborators. However, both AlphV and Lockbit initially appeared to recover swiftly, resurfacing and regaining power.

AlphV quickly announced that it had targeted Change Healthcare, hindering payments for hundreds of American health facilities and pharmacies and coercing a $22 million payout. This strike is marked as a historically severe healthcare-related ransomware attack. Similarly, Lockbit also bounced back, creating a new dark-web platform to further extort previous and new victims.

However, it seems that law enforcement’s efforts proved more effective than initially apparent. After obtaining its hefty payout from Change Healthcare, AlphV opted for an ‘exit scam,’ taking every last cent and vanishing instead of dividing the spoils with the hacker partners responsible for the breach. Lockbit also disappeared from the scene after the NCA operation, potentially due to distrust within the cybercriminal community once it was revealed that the NCA had identified the group’s alleged leader, Dmitry Khoroshev. By May 2024, the US Treasury had also imposed sanctions on Khoroshev, making it complicated for victims to legally pay ransoms to Lockbit.

While the void left by the prominent players in the ransomware space was occupied by emergent groups in the second half of 2024, most lacked the expertise or experience to target large, well-secured victims as Lockbit and AlphV had. The outcome was much smaller ransom payments, often not exceeding tens of thousands. Lacking the skillset of their predecessors, these new cybercrime groups struggled and felt the aftermath of law enforcement actions, which targeted not only individuals but also the infrastructure that supported their operations.

Interestingly enough, there were more ransomware incidents reported last year than the year before. Yet the smaller ransom sums received by the newly formed ransomware groups suggest they focused on the scale of their operations as opposed to quality targets. Additionally, global awareness of the looming ransomware threat has increased, leading to more sophisticated defenses and response strategies within governmental bodies and private institutions.

The role of law enforcement extended beyond initial disruption actions, as they also targeted money laundering systems, including mixers that aided criminals in masking the origins of their unlawfully obtained cryptocurrencies. Thus, the ability of ransomware actors to manage payments without crucial knowledge was also impeded.

Despite a significant drop in payments in the latter part of 2024, characterized as the most considerable in Chainalysis’s records, the frequency and volume of ransomware attacks have seen both increases and decreases over time. In 2022, researchers noticed a considerable reduction in activity, placing total ransom payments at a lower level of $655 million, compared to $1.07 billion in 2021 and close to $1 billion in 2020.

Initially, these figures gave hope to defenders and governments, believing that their prevention measures were working. However, ransomware bounced back as a stronger threat in 2023, with totals reaching $1.25 billion. Short-term fluctuations don’t provide a clear trend or indicate whether the problem is getting worse or better.

Moreover, researchers have cautioned about the challenges in obtaining accurate numbers related to ransomware attacks and payments made each year. Attackers can inflate their records and appear more threatening by claiming previous data breaches as new attacks or by inventing false attacks altogether. At the same time, societal stigma and regulatory rules often prevent victims from disclosing their experiences publicly, making ransomware predictions more of an art than an exact science.

The significant reduction in ransomware payments observed in 2024 does not guarantee future declines but provides an indicator of the ongoing work required. The fight against digital extortion is an ongoing process. Efforts must continue to guard against, disrupt, and ultimately defeat these cyber threats.