Ransomware payments in 2024 are on track to once again hit a record total value, even as fewer victims are choosing to pay attackers, Chainalysis found in its 2024 Crypto Crime Mid-year Update published last week.
The blockchain intelligence firm revealed in a report published earlier this year that total ransomware payments exceeded $1 billion globally for the first time in 2023, and its mid-year report published Thursday indicated 2024 is also on track to hit, or even exceed, last year’s numbers.
While the total global ransomware inflows only increased by 2%, from $449.1 million to $459.8 million, between the first half of 2023 and first half of 2024, the cost of individual payments show a more drastic shift in trends.
For example, the median ransomware payment among the most severe ransomware groups — those whose maximum payments exceeded $1 million — increased nearly eight-fold from slightly less than $200,000 at the start of 2023 to about $1.5 million by the middle of June 2024.
The highest ransomware payment in history, a $75 million payment made by an unnamed Fortune 50 company to the Dark Angels ransomware gang in early 2024, also represents a nearly 100% increase over the highest payment of 2023, which was $37.8 million.
Chainalysis said these data points suggest that major ransomware groups “are prioritizing targeting larger businesses and critical infrastructure providers that may be more likely to pay high ransoms due to their deep pockets and systemic importance.”
Meanwhile, on a positive note, despite a 10% increase in victims posted to ransomware group leak sites so far this year, total ransomware payment events have decreased by more than 27%, suggesting a smaller proportion of victims are being successfully extorted after a ransomware attack.
Kiva Consulting, which contributed to Chainalysis’ report, corroborated the fact that a smaller proportion of victims are paying out ransoms to restore or protect their data.
“Approximately 65% of the matters in which Kivu has been engaged in to assist victim organizations have resolved without a resulting payment of the ransom, continuing the positive trend of resiliency on the part of impacted organizations and a lack of necessity to pay the attackers,” said Andrew Davis, general counsel for Kiva Consulting, in a statement.
Newer, smaller ransomware groups raking in more cash as US critical infrastructure takes a heavy hit
Another noticeable trend from Chainalysis’ report, as well as Malwarebytes’ ThreatDown 2024 State of Ransomware Report published Tuesday, is the emergence of new ransomware groups that appear to be sustaining overall ransomware attack volumes despite the disruption of large players like LockBit and ALPHV/BlackCat.
“Whether it be former affiliates of these well-known threat actor operations, or new upstarts, a large number of new ransomware groups have joined the fray, displaying new methods and techniques to carry out their attacks such as expansion in their means for initial access and lateral movement approaches,” Davis said.
According to the ThreatDown report, the proportion of ransomware attacks conducted by gangs outside of the top 15 most prolific threat actors increased from 25% to 31% between June 2023 and June 2024. Malwarebyte’s report also indicated an even more drastic increase in overall ransomware attacks than what is suggested based on postings to leak sites, citing a 33% increase in known attacks year-over-year.
Malwarebytes also recorded a 71% year-over-year increase in global ransomware attacks against the manufacturing sector, as well as a particular focus on United States education and healthcare organizations. The United States, while accounting for 48% of all ransomware targets, suffered 60% of all attacks on education and 71% of global attacks on healthcare organizations.
Overall, the U.S. saw a 63% increase in known attacks year-over-year, remaining the "epicenter of ransomware," according to Malwarebytes.