
Ransomware Payments Dwindle as Governments Fight Back


While ransomware remains a billion-dollar problem, total payments actually declined between 2023 and 2024, according to data from the Financial Crimes Enforcement Network (FinCEN).

The Financial Trend Analysis indicates that ransomware incidents dipped slightly in 2024 to 1,476 individual reports, with total payments amounting to $734 million. This is down from the 1,512 reported attacks and $1.1 billion in payments recorded in 2023—both all-time highs. The median ransom payment size also fell, dropping to $155,257 in 2024.

Still, ransomware continues to be a costly threat. Across the three years covered by the FinCEN report, entities paid out more than $2 billion in ransom payments.

Governments Team Up

The drop appears to stem from governments around the world taking a more aggressive stance against ransomware operations. The report specifically credited disruptions to two major hacking groups: ALPHV/Blackcat in December 2023 and LockBit in February 2024.

Since then, several government entities have taken additional steps to curb the ability of ransomware criminals to get paid. Last month, the U.S. Treasury Department, in partnership with Australia and the UK, announced sanctions against Media Land for supporting online ransomware operations. At the same time, the U.S. and UK sanctioned individuals affiliated with Aeza Group, which was charged with providing web hosting services to ransomware groups.

The UK is also moving forward with plans to make it a criminal offense for public entities to pay cybercriminals who are holding their data hostage, and to require businesses to notify the government before making any ransom payment. However, exemptions would apply in cases involving national security.

Local Efforts

Smaller governments are also taking steps to fight the problem. In August, a year after the city of Columbus fell victim to a massive ransomware attack, the state of Ohio mandated that local governments establish cybersecurity training requirements for all employees and report cyberattacks to the Ohio Department of Public Safety. Additionally, officials may only pay a ransom with the approval of the government’s legislative body.

Similarly, the state of New York adopted new rules requiring municipal and public authorities to report any cybersecurity incidents within 72 hours. Any ransomware payment must be reported within 24 hours to the New York State Division of Homeland Security and Emergency Services.
