Source: Chainalysis; Compiled by: Deng Tong, Golden Finance
In 2024, the ransomware landscape has undergone significant changes, and cryptocurrencies continue to play a central role in extortion. However, the total ransom amount fell by about 35% year-on-year due to increased law enforcement actions, improved international cooperation, and a growing number of victims refusing to pay.
In response, many attackers have changed their tactics, with new ransomware strains emerging from rebranded, leaked, or purchased code, reflecting a more adaptive and agile threat environment. Ransomware operations have also become faster, with negotiations often beginning within hours of a breach. Attackers include nation-state actors, ransomware-as-a-service (RaaS) operations, solo operators, and data theft extortion groups, such as the group that stole data from customers of the cloud service provider Snowflake and extorted them.
In this chapter we explore these developments and their impact, using several case studies (LockBit, Iranian ransomware strains, Akira/Fog, and INC/Lynx) to illustrate this year's trends.
Ransomware activity shifts mid-year
In 2024, ransomware attackers received an estimated $813.55 million in payments from victims, down 35% from the record $1.25 billion in 2023 and the first decline in ransomware revenue since 2022.
![7347016 eopDgTN7YWB2g8yAgSRbYAoQVCtb0QPanINEbXZx.jpeg](https://img.jinse.cn/7347016_watermarknone.png)
As we noted in our mid-year crime update, ransomware attackers had extorted $459.8 million between January and June 2024, about 2.38% more than during the same period in 2023. The first half of 2024 also saw several unusually large payments, such as a record $75 million payment to Dark Angels.
Given that small half-over-half (HoH) increase in the first half of 2024, we expected at mid-year that 2024 would surpass 2023's total. Fortunately, payment activity instead slowed by about 34.9% after July 2024. This slowdown resembles the second-half declines in ransom payments observed since 2021, and the broader second-half decline in some other categories of crypto-related crime (such as stolen funds) in 2024. Notably, this year's drop was more pronounced than in the previous three years.
![7347017 ZalZkiTbgaCE7KosWLUEu7RURuA3pPm7wsADBr26.jpeg](https://img.jinse.cn/7347017_watermarknone.png)
A closer look at the top 10 ransomware strains by revenue in the first half of the year provides insight into the groups driving these HoH trends. As the chart below shows, Akira, which has targeted more than 250 entities since March 2023, was the only one of the top 10 first-half strains to increase its activity in the second half of 2024. LockBit, which was disrupted by the UK National Crime Agency (NCA) and the US Federal Bureau of Investigation (FBI) in early 2024, saw its payments drop by about 79% in the second half of the year, demonstrating the effectiveness of international law enforcement cooperation. ALPHV/BlackCat, one of the highest-grossing strains in 2023, exit-scammed in January 2024, leaving a gap in the second half of the year.
Lizzie Cookson, senior director of incident response at ransomware incident response firm Coveware, told us: “After the takedowns of LockBit and BlackCat/ALPHV, the market never recovered to its previous state. We saw an increase in solo actors, but we did not see any groups quickly absorbing their market share like we had seen after previous high-profile takedowns and shutdowns. The current ransomware ecosystem is filled with many newcomers who tend to focus their efforts on small and medium-sized markets, which in turn are associated with more modest ransom demands.”
![7347018 jC9nYRz38Ins7wWmWDw8Qr731sPRWKqXJNW5vhJl.jpeg](https://img.jinse.cn/7347018_watermarknone.png)
To better understand what drove the second-half decrease in ransomware payment activity, we first looked at data leak sites, whose victim postings can serve as a proxy for ransomware incidents. In the figure below, the number of posted ransomware incidents increased in the second half of the year while on-chain payments decreased: more victims were claimed, but less money was paid.
![7347019 zidz6eY5bs0RzGYXL8jTkzb6G3zBFKgiGhSoajeO.jpeg](https://img.jinse.cn/7347019_watermarknone.png)
Data leak sites disclosed more victims in 2024 than in any previous year. Not only were there more alleged victims; according to Recorded Future threat intelligence analyst Allan Liska, 56 new data leak sites appeared in 2024, more than double the number Recorded Future found in 2023. There are, however, caveats to consider in what leak-site data reveals about the ransomware ecosystem.
eCrime Threat Researcher Corsin Camichel shared more information on the legitimacy of the leaks. "We observed leak site posts claiming the existence of organizations, but failing on deeper analysis. For example, we saw claims from multinational organizations, but in reality, only a smaller subsidiary was affected. In 2024, more than 100 organizations were listed on two or more data leak sites. The 'MEOW' leak site played a major role in this, appearing to have compromised the site and listed data taken from a web server or database." Another reason for the aforementioned inverse relationship between ransomware payments and data leak site victims could be that threat actors have been caught exaggerating or lying about victims or reposting claims from old victims. "LockBit operators played a trick following the law enforcement operation called 'Operation Cronos' to pretend to remain relevant and active, as they reposted many of the previously listed claims again or added attacks that happened long ago, some as much as a year ago," added Camichel.
Liska also shared with us information about illegitimate victims posted to data leak sites, saying: “This is particularly true of LockBit, which, in order to remain relevant after being ostracized by many underground communities following law enforcement actions, posted up to 68% of duplicate or outright fabricated victims on its data leak site.”
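The caveats above matter whenever leak-site counts are used as an incident proxy. The following script is an added example, not part of the Chainalysis report and not a tool any of the quoted researchers describe: it normalizes victim names, flags the same organization listed on more than one site, and flags an operator re-listing its own old claim after a configurable number of days, then returns an adjusted unique-victim count. The leak-site names, victim names and dates are constructed sample data; the suffix-stripping normalizer is a deliberately simple heuristic.

```python
"""Added example: sanity-checking data leak site (DLS) victim counts.

Leak-site posts are a noisy proxy for incidents: one victim can appear on
several sites, and an operator can repost an old claim to look active.
All posts below are constructed sample data with hypothetical names.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed sample posts: (leak site, victim name as posted, date posted).
SAMPLE_POSTS = [
    ("lockbit",   "Acme Holdings Inc.",    date(2023, 3, 14)),  # original claim
    ("lockbit",   "ACME HOLDINGS, INC",    date(2024, 2, 28)),  # same site, ~1 year later
    ("ransomhub", "Acme Holdings",         date(2024, 5, 2)),   # same victim, second site
    ("meow",      "Northwind Traders",     date(2024, 6, 11)),
    ("ransomhub", "Northwind Traders Ltd", date(2024, 6, 20)),  # cross-site duplicate
    ("akira",     "Contoso Logistics",     date(2024, 8, 3)),
    ("lockbit",   "Fabrikam GmbH",         date(2024, 9, 9)),
]

LEGAL_SUFFIXES = re.compile(r"\b(inc|ltd|llc|gmbh|corp|co|plc|sa|ag)\b\.?")


def normalize(name):
    """Collapse case, punctuation and legal-form suffixes so variant spellings
    of one organization compare equal. Heuristic: can merge distinct orgs."""
    n = LEGAL_SUFFIXES.sub("", name.lower())
    n = re.sub(r"[^a-z0-9]+", " ", n)
    return n.strip()


def analyze_posts(posts, repost_days=180):
    """Group posts by normalized victim and flag, for each victim, every post
    after the earliest one as either a cross-site duplicate (different site)
    or a repost (same site, at least `repost_days` later)."""
    by_victim = defaultdict(list)
    for site, victim, posted in sorted(posts, key=lambda p: p[2]):
        by_victim[normalize(victim)].append((site, victim, posted))

    cross_site, reposts = [], []
    for key, entries in by_victim.items():
        first_site, _, first_date = entries[0]
        for site, victim, posted in entries[1:]:
            if site != first_site:
                cross_site.append((site, victim, key))
            elif (posted - first_date).days >= repost_days:
                reposts.append((site, victim, key))

    return {
        "raw_posts": len(posts),
        "unique_victims": len(by_victim),
        "cross_site_duplicates": cross_site,
        "reposts": reposts,
    }


def site_repost_ratio(posts, site, repost_days=180):
    """Share of one site's posts that are reposts of its own older claims or
    duplicates of claims already listed elsewhere."""
    result = analyze_posts(posts, repost_days)
    flagged = [p for p in result["cross_site_duplicates"] + result["reposts"]
               if p[0] == site]
    total = sum(1 for p in posts if p[0] == site)
    return len(flagged) / total if total else 0.0


if __name__ == "__main__":
    r = analyze_posts(SAMPLE_POSTS)
    print(f"{r['raw_posts']} posts -> {r['unique_victims']} unique victims")
    for site, victim, key in r["cross_site_duplicates"]:
        print(f"  cross-site duplicate: {site} listed {victim!r} (seen earlier as {key!r})")
    for site, victim, key in r["reposts"]:
        print(f"  repost: {site} re-listed {victim!r} (first seen as {key!r})")
    for s in ("lockbit", "ransomhub"):
        print(f"  {s}: {site_repost_ratio(SAMPLE_POSTS, s):.0%} of posts flagged")
```

On the sample data, seven posts collapse to four organizations. The normalizer is the weak point in practice: a parent company and a subsidiary, the case Camichel describes, still normalize to different names, so a real pipeline would also need an organization-to-parent mapping before counting.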
Another notable phenomenon following the LockBit disruption and the BlackCat exit scam is the rise of the RansomHub RaaS, which absorbed a large number of operators displaced from LockBit and BlackCat. According to Camichel, RansomHub had the highest number of victims of any group in 2024, and despite only appearing in February 2024, it ranked among the top ten strains of 2024 according to on-chain data.
Incident response data shows that the gap between the amounts demanded and the amounts paid continues to widen: in the second half of 2024, the difference between the two figures was 53%. Reports from incident response firms indicate that most clients choose not to pay at all, so the actual gap is larger than these numbers suggest.
We spoke to Dan Saunders, EMEA director of incident response at cybersecurity incident response firm Kivu Consulting, to learn more about this victim resilience. “According to our data, around 30% of negotiations end in a payment or the victim’s decision to pay the ransom. Often, these decisions are made based on the perceived value of the data that was compromised,” he said. Similarly, Cookson noted that victims are increasingly able to resist demands and explore multiple options for recovering from an attack, thanks to improvements in cyber hygiene and overall resilience. “They may ultimately decide that a decryption tool is their best option and negotiate a reduced final payment, but more often they find that restoring from a recent backup is a faster, more cost-effective path,” she added. Regardless of the initial demand, the final payment is typically between $150,000 and $250,000.
The graphic below shows how the distribution of ransomware payments has evolved through 2024. In 2020 the distribution had a long tail but only one peak; in 2024, ransomware actors fall into three clusters. One cluster, which includes strains such as Phobos, has average payments below $1,000, ranging from under $500 up to about $1,000. A second cluster sits around $10,000, and a third has payments above $100,000, with some reaching $1 million. We also see more events at the high end of the distribution, meaning that a larger share of payments exceed $1 million.
This breakdown reflects the shift in the ransomware actor landscape that Cookson has observed, with smaller groups dominating low- and medium-value payments, while outlier 7-8 figure ransoms push the distribution right toward the third cluster of payments.
![7347020 6sghmuYSzZkuwIl6zE4RHdLk7Ysyyg2R9zAkAQxL.jpeg](https://img.jinse.cn/7347020_watermarknone.png)
The chart below shows which strains were the most damaging in terms of total ransom value (bubble size), median payment size (X-axis) and ransomware incident index (Y-axis).
![7347021 4o5xyvQpjGolLUaLXqKdSG94V5b3UgaBKIOp2OGE.jpeg](https://img.jinse.cn/7347021_watermarknone.png)
Ransomware outflows: where did the money go?
Understanding ransomware money laundering methods can provide important insights into post-exploitation threat actor behavior, allowing law enforcement to respond more effectively and, in some cases, predict future actions based on established patterns.
In the chart below, we see that ransom funds primarily flow through centralized exchanges (CEXs) for cashing out, personal wallets for holding funds, and bridges for attempts to obscure the flow of funds. We note a significant decline in mixer usage in 2024. Historically, mixers have accounted for 10% to 15% of quarterly ransomware laundering volume. The multi-year decline in mixer use by ransomware actors is notable and demonstrates the disruptive impact of sanctions and enforcement actions such as those against ChipMixer, Tornado Cash, and Sinbad. Ransomware actors are increasingly relying on cross-chain bridges in lieu of mixers to move their funds out. CEXs, by contrast, remain a mainstay of ransomware laundering strategies, with slightly above-average reliance on such services in 2024 (39%, compared to 37% over the 2020-2024 period).
It is worth noting that a significant amount of funds is held in personal wallets. Curiously, ransomware operators, a group driven primarily by financial motives, are more reluctant than ever to cash out. We believe this is largely due to unpredictable and decisive law enforcement actions against individuals and services involved in or facilitating ransomware money laundering, which leave threat actors unsure of where they can safely store their funds. While several factors could lie behind any of the trends in the graph above, the decline in the use of KYC-free exchanges since October 2024 can likely be attributed to the designation of the Russian exchange Cryptex and the seizure of 47 Russian-language KYC-free cryptocurrency exchanges by Germany's Federal Criminal Police Office (BKA), both of which occurred in September 2024. The timing of these enforcement actions, set against the preceding period of ransomware inflows into KYC-free exchanges, is telling.
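The category breakdown described in this section (CEX, personal wallet, bridge, mixer, KYC-free exchange) comes from following each ransom payment outward until the funds reach an attributed service or stop moving. The script below is an added example of that tracing step, not Chainalysis code and not the method behind the chart: it does a value-weighted, breadth-first walk from a ransom payment address over a transaction list, stops at the first address carrying a service label, treats an unlabeled address with no further spend as funds held in a personal wallet, and reports the share of value landing in each category. The addresses, labels and transactions are constructed; the pro-rata split at each hop is one common simplifying assumption and is noted as such in the code.

```python
"""Added example: attributing ransom outflows by destination type.

Given transactions and an address-label map (the attribution a blockchain
analytics tool would supply), trace value from a ransom payment address hop
by hop. All addresses, labels and transactions below are constructed.
"""
from collections import defaultdict, deque

# Constructed address attribution: deposit/ingress address -> service category.
LABELS = {
    "cex_dep_1": "centralized_exchange",
    "cex_dep_2": "centralized_exchange",
    "nokyc_dep": "no_kyc_exchange",
    "bridge_in": "bridge",
    "mixer_in":  "mixer",
}

# Constructed transactions: (txid, from_address, to_address, amount_btc).
TXS = [
    ("t1", "ransom_pay", "hop_a",     6.0),
    ("t1", "ransom_pay", "hop_b",     4.0),
    ("t2", "hop_a",      "cex_dep_1", 3.0),
    ("t2", "hop_a",      "hop_c",     3.0),
    ("t3", "hop_c",      "bridge_in", 2.0),
    ("t3", "hop_c",      "hold_1",    1.0),   # never spent again: held
    ("t4", "hop_b",      "nokyc_dep", 1.5),
    ("t4", "hop_b",      "mixer_in",  0.5),
    ("t4", "hop_b",      "hold_2",    2.0),   # never spent again: held
    ("t5", "cex_dep_1",  "cex_hot",   3.0),   # exchange-internal sweep: not followed
]


def build_outgoing(txs):
    """Map each address to the list of (destination, amount) it spent to."""
    out = defaultdict(list)
    for _, src, dst, amt in txs:
        out[src].append((dst, amt))
    return out


def trace_outflows(txs, labels, start, max_hops=6):
    """Value-weighted breadth-first trace from `start`; returns {category: BTC}.

    Value reaching a labeled address is attributed to that label and not
    followed further. An unlabeled address with no outgoing spend counts as
    'personal_wallet'. Value still moving after `max_hops` is 'unresolved'.
    Assumption: value is split pro rata across an address's outputs.
    """
    out = build_outgoing(txs)
    totals = defaultdict(float)
    # Amount attributed to each (address, hop); BFS finishes a hop level
    # before processing the next, so inflows are complete when popped.
    inflow = {(start, 0): sum(a for _, a in out[start])}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        amount = inflow.pop((addr, hops))
        if addr != start and addr in labels:
            totals[labels[addr]] += amount
            continue
        spends = out.get(addr, [])
        if not spends:
            totals["personal_wallet"] += amount
            continue
        if hops >= max_hops:
            totals["unresolved"] += amount
            continue
        spent = sum(a for _, a in spends)
        for dst, a in spends:
            key = (dst, hops + 1)
            if key not in inflow:
                inflow[key] = 0.0
                queue.append(key)
            inflow[key] += amount * a / spent   # pro-rata share (assumption)
    return dict(totals)


def category_shares(totals):
    """Fraction of traced value per category, rounded to 4 places."""
    total = sum(totals.values())
    return {k: round(v / total, 4) for k, v in totals.items()} if total else {}


if __name__ == "__main__":
    t = trace_outflows(TXS, LABELS, "ransom_pay")
    for cat, share in sorted(category_shares(t).items(), key=lambda kv: -kv[1]):
        print(f"{cat:22s} {share:6.1%}  ({t[cat]:.2f} BTC)")
```

Two practitioner caveats the code makes visible: the hop limit exists because an unlabeled chain of self-transfers is indistinguishable from "holding" until a labeled service appears, and the pro-rata split is an assumption, so the same walk with a different splitting rule (for example, following the largest output only) will move value between categories.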
Ransomware Case Study
Panev’s Arrest and Its Impact on LockBit’s Operations
Between 2019 and 2024, Israeli-Russian dual national Rostislav Panev allegedly played a key role in supporting LockBit. He is accused of developing several tools for the group, one of which enabled attackers to print ransom notes from any printer connected to an infected system, for which he reportedly received approximately $230,000 in Bitcoin (BTC). While Russian nationals, including LockBit administrator Dimitry Yuryevich Khoroshev, have previously been sanctioned for their involvement in these attacks, it is important to recognize that ransomware is truly a global threat involving actors from around the world. Panev, who is currently in Israel awaiting extradition to the United States, is wanted for conspiracy to commit fraud, cybercrime, wire fraud, and other crimes.
In the Reactor chart, we can see that, according to the indictment, approximately $5,000 in BTC was transferred from Khoroshev to Panev every two weeks starting in 2022. Then, from July 2023 to early 2024, approximately $10,000 in BTC was transferred from Khoroshev to Panev each month.
![7347029 EKU4eA80dUNSje7S60strSZdsgT9rb1hN2Y0O1X1.png](https://img.jinse.cn/7347029_watermarknone.png)
Panev's arrest could deal a significant blow to LockBit's ability to reorganize and highlights that the transparency and immutability of the blockchain enables law enforcement to track illegal activity and disrupt transnational cybercrime groups even years after the crime was committed. The takedown of LockBit and Panev’s arrest are major wins for 2024 and spark a shift toward a more decentralized and less coordinated ecosystem.
Iranian Ransomware Involvement
In addition to Russian-speaking cybercriminals, Iranian nationals have been sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) over the past few years for their involvement in facilitating and conducting ransomware attacks. We have also previously noted on-chain evidence of LockBit affiliates working with Iranian ransomware strains and depositing funds on Iranian exchanges.
Fortunately, with on-chain analysis we can identify Iranian actors even as they rebrand or pivot to different RaaS operations. As the Chainalysis Reactor chart below shows, we link four different ransomware strains to the same Iranian threat actor, who is likely also deploying a popular RaaS strain. We also see deposit addresses being reused across multiple global exchanges, which not only links these seemingly disparate strains to each other but also confirms the operator's ties to Iran.
![7347030 6jz3pnz7UBorXGjhReZY3VbZFFZC16Mpz101gWbw.png](https://img.jinse.cn/7347030_watermarknone.png)
Major ransomware rebrands and offshoots
Since its emergence, Akira has proven able to successfully exploit vulnerabilities, especially in enterprise environments, and has gained attention through a series of high-profile attacks. As mentioned above, Akira was the only top-ten strain to increase its activity in the second half of 2024.
In September 2024, a new ransomware, Fog, entered the scene and has since demonstrated very similar capabilities to Akira in targeting critical vulnerabilities. Both groups mainly focus on exploiting VPN vulnerabilities, which allows them to gain unauthorized access to networks and thus deploy ransomware.
Both Akira and Fog used the same money laundering methods, which is different from other ransomware, further supporting the connection between them. For example, the following Chainalysis Reactor chart shows that several wallets operated by Akira and Fog have transferred funds to the same KYC-free exchange.
![7347031 jseYwEzFvMZPpkCPnELK1wfzoGEMeIA39ozsV60W.png](https://img.jinse.cn/7347031_watermarknone.png)
In addition to Akira's relationship with Fog, we also found a connection between INC and Lynx ransomware variants by examining similar on-chain behavior. Cybersecurity researchers also noticed that the two variants share source code.
![7347032 mdUzsgWGo7tIq66Yv8AMXYkBUBaL2hoG4e8pgp2V.png](https://img.jinse.cn/7347032_watermarknone.png)
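The Iranian case study above and the Akira/Fog and INC/Lynx links in this section rest on the same heuristic: at a custodial exchange a deposit address belongs to one customer account, so two strains whose wallets send funds to the same deposit address are very likely cashed out by the same person or crew. The script below is an added example of that clustering, not Chainalysis code and not the analysis behind the Reactor charts: it builds the strain-to-deposit-address graph with union-find, merges strains that share at least a configurable number of deposit addresses, and keeps the linking addresses as evidence for each pair. Strain names, exchange names and addresses are all constructed.

```python
"""Added example: clustering ransomware strains that share exchange deposit
addresses. Observations are (strain, exchange, deposit_address) triples that
an analyst would obtain by tracing each strain's payment wallets to
exchanges. Every name and address below is constructed.
"""
from collections import defaultdict

OBSERVATIONS = [
    ("strain_a", "exchange_x", "dep_x_101"),
    ("strain_a", "exchange_y", "dep_y_202"),
    ("strain_b", "exchange_x", "dep_x_101"),   # same account as strain_a
    ("strain_c", "exchange_z", "dep_z_303"),
    ("strain_c", "exchange_y", "dep_y_202"),   # links c to a, and so to b
    ("strain_d", "exchange_x", "dep_x_404"),
    ("strain_e", "exchange_x", "dep_x_404"),   # d and e share an account
    ("strain_f", "exchange_z", "dep_z_999"),   # no overlap: stays alone
]


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_strains(observations, min_shared=1):
    """Return (clusters, evidence).

    clusters: sorted list of sorted strain lists, one per connected component.
    evidence: {(strain1, strain2): [(exchange, address), ...]} for each pair
    sharing at least `min_shared` deposit addresses. Raising `min_shared`
    trades recall for robustness against a single mislabeled wallet.
    """
    strains_by_addr = defaultdict(set)
    for strain, exch, addr in observations:
        strains_by_addr[(exch, addr)].add(strain)

    shared = defaultdict(list)
    for (exch, addr), strains in strains_by_addr.items():
        s = sorted(strains)
        for i in range(len(s)):
            for j in range(i + 1, len(s)):
                shared[(s[i], s[j])].append((exch, addr))

    uf = UnionFind()
    for strain, _, _ in observations:
        uf.find(strain)                  # register singletons too
    evidence = {}
    for pair, addrs in shared.items():
        if len(addrs) >= min_shared:
            uf.union(*pair)
            evidence[pair] = addrs

    groups = defaultdict(list)
    for strain in {o[0] for o in observations}:
        groups[uf.find(strain)].append(strain)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, evidence


if __name__ == "__main__":
    clusters, evidence = cluster_strains(OBSERVATIONS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for (a, b), addrs in sorted(evidence.items()):
        print(f"  {a} <-> {b} via {addrs}")
```

The caveat a practitioner should keep in mind: a shared deposit address proves a shared account holder, and that holder may be an affiliate who works for several RaaS programs rather than the operator of either strain. The result is only as good as the upstream attribution of payment wallets to strains, which is why the evidence list, not just the cluster membership, is worth keeping.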
These overlapping relationships illustrate a broader trend in the ransomware ecosystem: cybercriminal strategies continue to evolve in response to increased scrutiny from law enforcement.
Responding to the Changing Threat Landscape
Ransomware in 2024 reflects changes driven by law enforcement actions, increased victim resilience, and emerging attack trends. Crackdowns and collaborations with incident response firms and blockchain experts have helped disrupt many ransomware groups and reduce their profitability. Victims have also shown greater resistance to ransom demands, widening the gap between ransom demands and payments.
Financial strategies continue to adapt under law enforcement pressure, even as malicious actors face increasing difficulties in laundering money. Continued collaboration and innovative defenses remain critical to building on progress made in 2024.