“The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” said Lizzie Cookson, senior director of incident response at ransomware response firm Coveware. File Photo by Ritchie B. Tongo/EPA
Feb. 5 (UPI) — Payments for ransomware declined year-over-year through 2024 for the first time since 2022, according to data shared by blockchain analysis firm Chainanalysis on Wednesday.
The total volume of ransom payments decreased year-over-year by approximately 35%, according to the Chainanalysis 2025 Crypto Crime Report, which highlighted Russian ransomware group LockBit and Iran-based ransomware strains, Akira/Fog, and INC/Lynx, as bellwethers of the year’s trends.
“The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” Lizzie Cookson, senior director of incident response at ransomware response firm Coveware, wrote Wednesday.
Ransomware attackers, however, have gotten faster with negotiations often starting within hours of data exfiltration. Attackers have ranged from “nation-state actors” to ransomware-as-a-service operations, lone characters and data theft extortion groups.
“We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high-profile takedowns and closures,” said Cookson.
In 2024, ransomware attackers gained more than $813 million via victim payments. It was a 35% decrease from a record $1.25 billion in 2023.
A decline in ransomware payments was driven by “increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay,” which expanded a gap between payments versus demands, tech experts wrote.
Data leak sites posted more victims in 2024 than any year prior, the New York City-headquartered Chananalysis added, but experts say on-chain payments declined which suggested more online victims were targeted but fewer paid digital criminals.
LockBit claimed in June last year to have breached the U.S. Federal Reserve and threatened to release 33 terabytes of sensitive data, including “Americans’ banking secrets.”
“The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands,” Cookson said.
LockBit previously conducted a number of high-profile ransomware attacks on companies, banks and government departments around the world since 2019, including the U.S. Department of Justice, Japan’s Port of Nagoya, Boeing, British Royal Mail and Fulton County in Georgia.
Dmitry Yuryevich Khoroshev, a Russian national accused of leading LockBit, was indicted and sanctioned last year in May by the U.S. and its allies. It came with a $10 million bounty for Khoroshev’s arrest.
Since March 2023, Akira targeted more than 250 entities and was the only H1 top 10 ransomware strain to “have ramped up its efforts” in 2024.
The U.S. State Department announced early last year a $15 million reward for information leading to the arrest of anyone involved in LockBit.
Meanwhile, LockBit saw H2 payments decrease by roughly 79% after it was disrupted early last year by the FBI and Britain’s National Crime Agency which showcased the “effectiveness of international law enforcement collaboration.”
It published as high as 68% repeat or straight-up fabricated victims on its data leak site, experts continued.
“The LockBit operators played games to pretend to stay relevant and active after a law enforcement action called ‘Operation Cronos,'” according to Corsin Carmichael, a threat researcher at eCrime. LockBit, he added, “re-posted many previously listed claims again or added attacks that happened a long time ago, some even over one year ago.”
In addition, ALPHV/BlackCat was among 2023’s top-grossing ransomware strains before it exit scammed in January 2024 leaving a void in H2.
The federal government last year in February offered a reward of up to $10 million for info on those who held a key leadership role in ALPHV or Blackcat.
The Russia-based BlackCat ransomware group was responsible for cyberattacks against UnitedHealth, the company confirmed last year in February.
But RansomHub, added Camichel, posted the highest number of victims last year. Yet despite only emerging in February 2024, it ranked in the top 10 strains.
Fog, a new ransomware strain, entered the scene in September.
“The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands,” stated Coveware’s Cookson.
According to tech leaders, Fog demonstrated an ability to target critical vulnerabilities, like Akira did, by primarily focusing on exploiting VPN vulnerabilities which allow bad actors to gain unauthorized access to networks in order to deploy its ransomware strain.
However, Akira and Fog both used identical money laundering methods. But Chainanalysis officials say malicious actors face increasing challenges in laundering online payments from victims.
“Sustained collaboration and innovative defenses will remain critical to building on the progress made in 2024,” the firm wrote.