The ransomware ecosystem in 2024 experienced significant shifts, with cryptocurrency continuing to serve as the backbone of extortion schemes. However, according to Chainalysis, as law enforcement intensified efforts and global collaboration improved, the total volume of ransom payments dropped by 35% year-over-year, signaling a pivotal shift in the landscape. This decline marks the first drop in ransomware revenues since 2022, suggesting a growing resilience from organizations facing these increasingly sophisticated threats.
The most striking change in 2024 was not merely the reduced total payments but the diversification of attack strategies. Cybercriminals adapted quickly, with new strains emerging, often from rebranded or repurposed code, reflecting a more agile threat environment. These attacks, whether originating from nation-state actors, ransomware-as-a-service (RaaS) platforms, lone wolves, or data theft extortionists, evolved rapidly, with negotiations often beginning within hours of data exfiltration.
Ransomware-as-a-service platforms, in particular, continued to dominate, even as large players like LockBit and BlackCat faced disruption from international law enforcement. LockBit, once a dominant force, saw its ransom payments plummet by nearly 80% after a takedown effort led by the U.K.'s National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI). The collapse of BlackCat/ALPHV also left a notable gap in the market, one that was not swiftly filled by any single group, as has happened in the past after similar high-profile law enforcement actions. Instead, the landscape became more fragmented, with smaller groups targeting the mid- and small-market sectors, focusing on more modest ransom demands.
"The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV," said Lizzie Cookson, Senior Director of Incident Response at Coveware. "We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high-profile takedowns and closures. The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands."
Interestingly, while the number of ransomware incidents remained relatively high, the number of payments dropped significantly, indicating that victims were increasingly resisting extortion demands. This shift reflects a broader trend in organizational resilience, with many opting to restore from backups or leverage decryption tools rather than capitulating to demands. According to Dan Saunders, Director of Incident Response at Kivu Consulting, only about 30% of negotiations resulted in a payment, as organizations weighed the value of their compromised data against the cost of recovery.
"According to our data, around 30% of negotiations actually lead to payments or the victims deciding to pay the ransoms," Saunders explained. "Generally, these decisions are made based on the perceived value of data that’s specifically been compromised."
In the second half of 2024, the ransomware payment landscape shifted even further. While there were still outliers in the form of high-value ransoms, such as the record $75 million payment to Dark Angels, the overall trend saw a dramatic decrease in payouts, signaling a shift in the behavior of both attackers and victims. The growing adoption of advanced cybersecurity measures, including backup solutions, and the increasing use of digital forensics by organizations have enabled faster response times and better decision-making when responding to extortion threats.
Cybercriminals, however, are not standing still. As noted, many attackers are diversifying their strategies and moving towards more innovative laundering methods. While previous years saw a reliance on mixers to obscure the flow of stolen funds, 2024 witnessed a sharp decline in their use. Instead, ransomware actors have turned to cross-chain bridges to facilitate the off-ramping of stolen funds, highlighting a significant adaptation to increased scrutiny from law enforcement. Centralized exchanges (CEXs) remain a primary tool for money laundering, with ransomware actors increasingly turning to personal wallets as well.
"Ransomware operators, a primarily financially motivated group, are abstaining from cashing out more than ever," observed Corsin Camichel, Threat Researcher at eCrime. "We attribute this largely to increased caution and uncertainty amid what is probably perceived as law enforcement’s unpredictable and decisive actions targeting individuals and services participating in or facilitating ransomware laundering."
While 2024 has brought about significant changes in the ransomware landscape, it is clear that the ecosystem remains highly adaptive. The emergence of new strains, including Akira and Fog, has intensified the threat, with both targeting critical vulnerabilities and focusing heavily on enterprise environments. These strains, along with others like INC and Lynx, reflect a trend of rebranding and cross-pollination among ransomware groups, further complicating efforts to disrupt their operations.
As cybersecurity measures improve and more organizations adopt proactive defenses, the ransomware landscape is likely to continue evolving. Yet, the fight against cybercriminals will remain a cat-and-mouse game, with attackers adapting and expanding their tactics, while law enforcement and industry response teams work tirelessly to level the playing field.
"Increasingly, organizations are becoming more tech-driven when it comes to incident response services, enabling them to identify the breached data much faster," said Christian Geyer, founder and CEO of Actfore. "Organizations are realizing that just because a ransom is paid doesn’t mean the information is safe from exposure. In fact, there’s been many instances where, despite payment and a ‘promise’, the information has still made its way to the Dark Web."
As the ransomware threat continues to evolve, 2024 may well prove to be a pivotal year in reshaping the future of cybercrime—and in the ongoing battle to protect sensitive data in an increasingly digital world.