A new report from the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity reached its peak in 2023 and then dropped in 2024, following a series of law enforcement actions that targeted the ALPHV/BlackCat and LockBit ransomware gangs.
Incident Volume and Payments Across 2022–2024
FinCEN analyzed thousands of Bank Secrecy Act filings and documented 4,194 ransomware incidents between January 2022 and December 2024. These reports show that organizations paid more than $2.1 billion in ransom payments, nearly matching the total reported over the eight years from 2013 to 2021.
Altogether, from 2013 through 2024, FinCEN tracked approximately $4.5 billion in payments that went to ransomware gangs.
According to the report, 2023 became the most profitable year for ransomware gangs, as victims reported 1,512 individual incidents and approximately $1.1 billion in ransom payments — a 77 percent increase from 2022.
However, both numbers dropped in 2024, with incident reports dipping slightly to 1,476 and total ransom payments falling dramatically to $734 million. FinCEN links this decline to law enforcement operations that targeted BlackCat in 2023 and LockBit at the beginning of 2024.
Disruptions Push Threat Actors to Regroup
Both ransomware gangs operated as the most active groups at the time of their disruptions, and their threat actors either shifted to new operations or struggled to relaunch.
FinCEN notes that ransom payments varied widely, although most fell below $250,000. The analysis also shows that manufacturing, financial services, and healthcare suffered the most ransomware attacks, while financial institutions took the largest financial losses.
“Between January 2022 and December 2024, the most commonly targeted industries (by number of incidents identified in ransomware-related BSA reports during the review period) were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents),” explained FinCEN’s analysis.
“The most affected industries by the total amount of ransom paid during the review period were financial services (approximately $365.6 million), healthcare (approximately $305.4 million), manufacturing (approximately $284.6 million), science and technology (approximately $186.7 million), and retail (approximately $181.3 million) (see Figure 4).”
Most impacted industries
Source: FinCEN
Top Ransomware Families and Their Earnings
In total, FinCEN identified 267 distinct ransomware families, although only a small portion accounted for most reported attacks.
Akira appeared in the most incident reports (376). ALPHV/BlackCat followed closely and earned the most overall, collecting roughly $395 million in ransom payments. LockBit ranked next with $252.4 million.
Other frequent ransomware gangs included Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. Collectively, the top 10 most active ransomware gangs accounted for $1.5 billion in ransom payments from 2022 through 2024.
Most active ransomware operations
Source: FinCEN
FinCEN also tracked payment methods and found that victims paid the majority of ransom demands in Bitcoin (97%), with a small number paying in Monero, Ether, Litecoin, and Tether.
FinCEN encourages organizations to continue reporting attacks to the FBI and ransom payments to FinCEN, as consistent reporting helps disrupt cybercrime more effectively.
Source: BleepingComputer, Lawrence Abrams
Read more at Impreza News
