Chainalysis reports ransomware payments fell 35% to $813 million in 2024, then another 35% in 2025. The $75 million single payment tells a different story.
Chainalysis reported that ransomware payments fell to $813 million in 2024, a 35% drop from the $1.25 billion peak in 2023. In 2025, they fell another 35.82%. This looks like progress. And in some ways it is.
I want to sit with that "in some ways" for a moment before letting the headline number do too much work. The aggregate payment figure is real and the direction is meaningful. But the mechanism behind the drop matters a great deal for what the number actually tells us, and the mechanism is not primarily organizational maturity.
The most significant event in the 2024 ransomware data is Operation Cronos, the NCA- and FBI-led disruption of LockBit in early 2024. Chainalysis found that ransomware payments in the second half of 2024 dropped roughly 79% compared to what would have been expected. That is an enormous single-event effect. LockBit had been the dominant ransomware-as-a-service operation, responsible for a substantial share of the total payment volume. When law enforcement dismantled the infrastructure and arrested affiliates, the payment volume collapsed with it. What that means is that the aggregate drop is largely a law enforcement outcome, not an organizational behavior change. The calculus that individual organizations make about whether to pay did not fundamentally shift; the infrastructure for collecting those payments was disrupted.
Protection motivation theory, as Rogers (1975, 1983) framed it, gives me a way to think about what would constitute a genuine behavioral shift versus what we seem to actually have. PMT describes two appraisal processes. Threat appraisal is about how severe the consequences would be and how likely an attack is. Coping appraisal is about whether the recommended response actually works and whether the organization can execute it. The theory predicts that protective behavior increases when both threat appraisal and coping appraisal are high. High threat with low coping appraisal produces avoidance or denial rather than protective action.
The refusal to pay, which is part of what the Chainalysis data shows, is a coping behavior. But PMT asks: what is driving that refusal? If organizations are refusing to pay because their coping efficacy has genuinely improved, meaning they have better backups, faster recovery capabilities, and tested incident response plans, then the drop in payments represents real organizational resilience. If they are refusing to pay because of government guidance not to pay, or because insurers have tightened ransomware coverage, or because they believe law enforcement is watching payment flows, then the refusal is a compliance response to external pressure rather than a capability change. Those two cases produce very different predictions about what happens when the external pressures shift.
The law enforcement argument matters here because of what happened to coping appraisal in environments where law enforcement is less present or less effective. The Chainalysis data shows that even as total payments fell, the number of organizations being targeted did not fall proportionally. Groups adapted. New ransomware-as-a-service operations emerged to fill some of the space LockBit vacated. The threat did not diminish; the specific infrastructure for monetizing that threat was disrupted.
Then there is the number that I find most revealing in the entire Chainalysis report. A single payment of approximately $75 million went to a group called Dark Angels in 2024, setting a record for a single ransomware transaction. That payment happened in the same year that aggregate payments fell 35%. What that combination tells me is that the ransomware market is not shrinking uniformly. It is consolidating. The volume of small and mid-size payments fell substantially, partly because of law enforcement and partly because more organizations have reached a floor of basic recovery capability that makes paying for small attacks unnecessary. But the high end of the market, the attacks targeting organizations with the most to lose and the highest ability to pay, is producing record-setting single transactions.
I wrote earlier about how institutional isomorphism shapes how organizations approach AI strategy. The same dynamic appears in ransomware response. Organizations adopt ransomware defenses partly because their peers are adopting them, partly because cyber insurance now requires certain controls, and partly because the regulatory environment increasingly mandates incident reporting. That normative and coercive isomorphic pressure produces a floor of defenses that is genuinely raising the cost of small attacks. But it does not reliably address the tail risk, the highly targeted, well-researched attack on an organization's most valuable data, because that kind of defense requires something more than compliance with standard frameworks.
The Chainalysis report also noted that roughly 30% of organizations that entered negotiations with ransomware operators ultimately paid. That 30% figure is the coping appraisal number I keep thinking about. Seven in ten organizations that negotiated ultimately refused, which is a behavioral shift from earlier years. But the organizations in that 30% presumably made a rational calculation that paying was cheaper than not paying given their recovery options. PMT predicts exactly this: if response efficacy, the belief that an alternative response will work, is low enough, the rational move under high threat is to pay. The 30% who paid are not irrational. They are organizations where the coping appraisal calculation came out in favor of payment because their non-payment alternatives were genuinely worse.
That is the IS governance research gap I keep bumping into. We have good frameworks for predicting whether individuals will comply with security policies. We have much weaker frameworks for understanding the organizational-level coping appraisal decision in a ransomware event, specifically what factors determine whether an organization concludes it can recover without paying. Backup quality, recovery time objectives, data sensitivity, regulatory exposure, reputational risk, cyber insurance coverage, and executive risk tolerance all feed into that calculation. None of those factors appear cleanly in PMT as originally specified, because PMT was designed to model individual protective behavior and ransomware response is an organizational decision.
The encouraging signal in the Chainalysis data is that law enforcement disruption works. Operation Cronos produced a 79% drop in payments in the second half of 2024. That is a better short-term result than any governance framework has produced. But it is also inherently unstable because the disruption targets specific actors rather than the underlying market structure. New groups emerge. Infrastructure migrates. The record $75 million payment to Dark Angels happened in the same period when LockBit was being dismantled. The market adapts faster than law enforcement can keep up, which means the aggregate payment trend over the next few years will depend more on how quickly new ransomware groups fill the LockBit vacuum than on whether organizations have become meaningfully more resilient.
My read is that 2024's decline is genuinely good news for the organizations that avoided paying. I am less confident it represents a structural shift. The number that would reassure me is not the aggregate, but the percentage of organizations with tested, functional backup and recovery capabilities that actually prevented payment in a live attack. That number is harder to measure and I have not seen it anywhere. Until I do, the 35% aggregate drop and the $75 million single payment will sit next to each other in my notes as a reminder that averages hide the distribution and the distribution is what matters.