Total ransomware payments fell 35% to $813 million in 2024. The number is real but the story it tells is harder to read than a simple win.
$813 million. That is how much ransomware gangs collected in 2024, according to Chainalysis's 2024 ransomware report. The year before, the number was $1.25 billion. So the headline writes itself: a roughly 35 percent drop, law enforcement wins, attackers are in retreat. I read that framing in a dozen places and every time something bothered me about it. The number is real. The optimism is premature.
The part that makes me pause is what happened inside the $813 million figure. The biggest single payment last year was approximately $75 million, paid to a group called Dark Angels. One gang, one victim, and the payment alone would rank among the largest ever recorded. The distribution of ransomware payments is deeply skewed. A few enormous payouts from large enterprises sit next to thousands of smaller ones from hospitals, school districts, and municipalities that cannot afford a protracted recovery. The aggregate falling does not tell you that attacks are less frequent or less damaging. It tells you that the flow of money from victim to attacker changed.
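To make the skew point concrete, here is a small added illustration. It is my own example, not data from the Chainalysis report, and every payment figure in it is constructed. It puts a prior-year list with a single outsized payment next to a current-year list with no such outlier: the aggregate total falls by half even though more victims paid and the typical (median) payment doubled, which is exactly why the headline total is a poor proxy for frequency or damage.

```python
"""Illustration: an aggregate ransomware payment total can fall while the
number of paying victims and the typical payment both rise, if the prior
year's total was dominated by a few very large payouts.

All numbers below are constructed for this example (USD millions, one entry
per paying victim). They are NOT the Chainalysis figures."""
from statistics import median

# Constructed: one outsized payment dominates the prior year.
PRIOR_YEAR = [75.0, 20.0, 10.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0]
# Constructed: more victims paid, and each typically paid more, but no outlier.
CURRENT_YEAR = [30.0, 5.0, 2.0, 2.0, 2.0, 2.0, 2.0, 2.0, 2.0, 2.0, 2.0, 2.0]


def summarize(payments):
    """Return the metrics a reader should look at alongside the total."""
    total = sum(payments)
    return {
        "total": total,
        "count": len(payments),
        "median": median(payments),
        # Fraction of the total contributed by the single largest payment.
        "top_share": max(payments) / total,
    }


def pct_change(old, new):
    """Percentage change from old to new."""
    return (new - old) / old * 100.0


def compare(prior, current):
    """Year-over-year percentage change for total, count and median."""
    a, b = summarize(prior), summarize(current)
    return {k: pct_change(a[k], b[k]) for k in ("total", "count", "median")}


if __name__ == "__main__":
    for name, data in (("prior", PRIOR_YEAR), ("current", CURRENT_YEAR)):
        print(name, summarize(data))
    # Total roughly -51%, count +20%, median +100%: the same "drop" that the
    # headline number reports, from a year in which more victims paid.
    print("change (%)", compare(PRIOR_YEAR, CURRENT_YEAR))
```

The `top_share` field is the one to check first when a single payment like the $75 million Dark Angels case appears in a year: if one payout is more than half the total, the total's year-over-year movement says more about that one victim than about the ransomware market.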
The Chainalysis data makes the mechanism more specific. A significant part of the drop came from the disruption of LockBit. The UK's National Crime Agency, working with the FBI and partners across ten countries, executed Operation Cronos in February 2024. They seized LockBit's infrastructure, arrested affiliates, and published decryption keys. LockBit had been one of the most active ransomware-as-a-service operations globally. After the takedown, ransomware payments in the second half of 2024 dropped approximately 79 percent compared to the same period in 2023. That is a meaningful causal signal. Law enforcement coordination, when it works, does move the market.
But here is what the payment data cannot capture. Only about 30 percent of victims who negotiated with attackers in 2024 ended up paying, according to Chainalysis. That means the other 70 percent did not pay. Some of them recovered from backups. Some of them brought in an incident response firm. Many of them still suffered weeks of downtime, significant recovery costs, and reputational damage that does not show up in any payment ledger. Not paying is genuinely the right advice. It is also advice with a real cost, one that organizations absorb in silence. When a manufacturer's production line goes down for three weeks because it refused to pay, that cost is not counted in the $813 million figure.
I wrote about how organizational routines for vulnerability management break under volume pressure. Ransomware exploits exactly the failures those routines are supposed to prevent: unpatched systems, poor network segmentation, missing MFA on remote access. The payment data captures the ransom economy. It does not capture how the underlying vulnerabilities keep being exploited regardless of whether the victim pays. Colonial Pipeline, which did pay, and Equifax, which was breached through a known unpatched vulnerability, are in different parts of the statistics. Their organizational failures were structurally similar.
There is also a shift in attacker tactics that the payment figures obscure. A growing portion of ransomware attacks in 2024 involved data exfiltration without encryption. The attacker steals data and threatens to publish it rather than locking systems. This is sometimes called extortion-only ransomware, and it is harder to defend against because the threat is publication rather than operational disruption. A victim can restore from backup when files are encrypted. They cannot un-exfiltrate data. This tactic removes the attacker's reliance on deploying ransomware payloads that endpoint detection might catch. It also removes the technical leverage the victim had when backups were the answer to encryption. Chainalysis noted that encryption-free extortion is a growing component of what attackers are doing, which means that a payment decline driven partly by better backup hygiene may not indicate declining risk across the board.
The 2025 data, still early, shows another 35.82 percent year-over-year decrease in ransomware payments. That is encouraging if the trend holds. But I keep coming back to the structural asymmetry. Ransomware-as-a-service lowered the barrier to entry for attackers significantly. You do not need to build malware. You affiliate with a group, get access to a payload and infrastructure, execute attacks, and split the proceeds. The NCA and FBI can dismantle one operation, and a dozen affiliates reconstitute under a new brand within months. LockBit itself attempted to rebuild after Operation Cronos. The payment decline is partly a reflection of law enforcement success. It is also a reflection of a market adapting, with some attackers shifting to extortion-only models that leave no cryptocurrency trail to analyze in the first place.
The organizations most at risk are not the ones that show up in breach reports after paying. They are the ones quietly absorbing recovery costs, telling no one, and trying to get back to normal without triggering disclosure obligations. The $813 million is the visible surface of a much larger damage figure. I think the more honest metric would be total economic cost: the ransom paid, plus downtime, recovery labor, reputational loss, and the cost of investigations and notifications. That number, for 2024, is almost certainly several times the payment total. We count what we can measure, and ransomware payments are measurable. The rest of the damage is not, and that asymmetry shapes how we read the good news.