The Extortion Deficit: Ransomware Payments Plunge by 33% as Victims Refuse to Pay
The U.S. Treasury is cautiously suggesting that the ransomware market may be beginning to cool. In a new report released Thursday by the Financial Crimes Enforcement Network (FinCEN), officials note that after the record surge of 2023, both attacks—and especially ransom payments—declined in 2024, even as the number of victimized organizations remained largely unchanged.
The most encouraging signal lies in the money. According to FinCEN, total ransom payments fell by roughly one third year over year, dropping from approximately $1.1 billion in 2023 to $734 million in 2024. Analysts and law-enforcement agencies have long viewed payments as the clearest barometer of ransomware activity: as long as extortion remains profitable, attackers will persist, and disrupting cash flows remains the most direct way to erode their incentives.
Yet the report itself urges restraint in drawing conclusions. Not long ago, the trend pointed in the opposite direction: in 2023, ransom payments surged by 77% year over year. Moreover, cumulative payments over the three-year period from 2022 through December 2024 exceeded $2.1 billion—only slightly below the $2.4 billion FinCEN attributes to the much longer nine-year span ending in 2021. In scale, the problem remains immense despite the recent downturn.
Even more telling is what has not changed. The “epidemic” in terms of victim count shows little sign of abating. Based on Bank Secrecy Act data and mandatory organizational filings, FinCEN recorded 1,476 ransomware incidents in 2024, compared with 1,512 in 2023—a decline of just 2%. In other words, organizations are paying less, but they are encountering ransomware almost as frequently as before.
In 2024, three sectors bore the brunt of the damage: manufacturing, financial services, and healthcare. The manufacturing sector reported 456 incidents, accounting for nearly $285 million in payments. Financial institutions disclosed 432 incidents and close to $366 million in losses. Healthcare organizations reported 389 attacks and approximately $305 million in ransom payments.
FinCEN also highlights the expanding “catalog” of ransomware strains. Between 2022 and 2024, the agency identified 267 distinct ransomware variants. The most frequently cited was ALPHV/BlackCat, followed by Akira, LockBit, Phobos, and Black Basta. Taken together, FinCEN estimates that just ten ransomware families were responsible for roughly $1.5 billion in payments over the 2022–2024 period.