Crypto ransomware payments drop 35% in 2024 amid crackdowns
The ransomware ecosystem saw a dramatic shift in 2024, with total ransom payments decreasing by 35% year-over-year (YoY), according to Chainalysis.
This decline — from a record $1.25 billion in 2023 to approximately $813.55 million in 2024 — was driven by intensified law enforcement actions, global cooperation, and increased victim resilience.
Despite an initial rise in ransomware payments in the first half of the year — peaking with a record-breaking $75 million payment to Dark Angels — activity sharply declined by 34.9% after July 2024. The second half of the year marked the most significant slowdown in ransomware earnings since 2021.
Law enforcement disruptions
One of the biggest factors behind the decline was the takedown of major ransomware groups. LockBit, one of the most prolific ransomware operations, was severely disrupted by joint action from the UK’s National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) in early 2024.
According to Chainalysis, payments to LockBit dropped by approximately 79% following the crackdown.
Additionally, ALPHV/BlackCat — another top-grossing ransomware strain — carried out an exit scam in January 2024, leaving a power vacuum in the ransomware economy. Unlike in previous years, no single ransomware group quickly absorbed the market share left by these disrupted groups, leading to a more fragmented landscape dominated by smaller players.
“The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” said Lizzie Cookson, Senior Director of Incident Response at Coveware, in a statement to Chainalysis. “We saw a rise in lone actors, but we did not see any group swiftly absorb their market share.”
Fewer payments, more attacks
While ransomware payments declined, the number of reported attacks surged. Data leak sites posted more alleged victims in 2024 than in any previous year, but many of these incidents did not result in actual ransom payments. Analysts suggest ransomware operators may be exaggerating claims to maintain relevance.
According to Chainalysis, RansomHub, a newer ransomware-as-a-service (RaaS) operation, absorbed many former LockBit and BlackCat affiliates and became the most active ransomware group in 2024.
The future of ransomware
Improved cyber hygiene and better incident response played a key role in reducing ransom payments. Reports indicate that only around 30% of ransomware negotiations now result in payments, as more organizations opt for backups and alternative recovery solutions instead of paying cybercriminals.
Dan Saunders, Director of Incident Response at Kivu Consulting, explained, “According to our data, around 30% of negotiations lead to payments or the victims deciding to pay the ransoms. Generally, these decisions are made based on the perceived value of data that’s specifically been compromised.”