The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) found that total ransomware payments since 2013 have reached $4.5 billion, according to a December 2025 study.

While that may sound like a whopping number, there are some shades of gray in the data that measured ransomware incidents and payments between January 2022 and December 2024.

The all-time high for ransomware payments was approximately $1.1 billion from 1,512 incidents in 2023, an increase of 77% in total payments year-over-year from 2022 to 2023, reported FinCEN. Incidents decreased slightly in 2024 to 1,476 while total payments were approximately $734 million.

But here’s the reality: During the 2022-2024 review period, FinCEN received 7,395 reports related to 4,194 ransomware incidents totaling more than $2.1 billion in ransomware payments. And for the previous nine-year period, from 2013 to the end of 2021, FinCEN received 3,075 reports and total ransomware payments hit $2.4 billion.
The FinCEN report found that the most commonly targeted industries were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). The most affected industries by the total amount of ransom paid during the review period were financial services ($365.6 million), healthcare ($305.4 million), manufacturing ($284.6 million), science and technology ($186.7 million), and retail ($181.3 million). Between January 2022 and December 2024, the most common payment range was below $250,000.

“The $4.5 billion total figure is almost certainly an undercount since FinCEN only captures payments through regulated financial institutions, not direct cryptocurrency transactions,” said Michael Bell, chief executive officer, Suzu Labs. “The decline from 2023 to 2024 is encouraging, but one year doesn't make a trend. What’s more concerning is operational sophistication: groups like Clop are exploiting zero-days in enterprise software to hit hundreds of victims simultaneously, meaning fewer attacks can still yield massive payouts.”

Bell added that progress in the industry on not paying ransoms has been uneven. Organizations with mature backups and incident response plans are increasingly recovering without paying, but the decision at 2 a.m. when systems are down still gets driven by operational desperation and data publication threats, not just encryption.

“Real progress comes from making attacks less profitable through better defenses, faster detection, and law enforcement coordination like Operation Endgame, not from hoping victims will collectively refuse to pay,” said Bell.
Andi Ursry, threat intelligence analyst at Blackpoint Cyber, said there are a few contributing factors to payments decreasing from 2023 to 2024, including more organizations refusing to pay the ransom, the increase of volume-driven ransomware-as-a-service (RaaS) operations, and the disruption of larger operations such as Hive, Alphv/BlackCat, and LockBit.

“These disrupted operations were some of the most active groups during 2023, leaving a significant gap in the landscape,” said Ursry. “Despite the decrease in payments from 2023 to 2024, the overall number of attacks has increased, indicating that ransomware remains a credible and pervasive threat to organizations worldwide. Even organizations that refuse to pay suffer downtime and considerable cost to restore their data; organizations should treat the ransomware threat as an inevitable business risk and implement layered defensive strategies and remain prepared in the event of an incident.”

Ira Winkler, vice president and Field CISO at CYE, added that mathematically, the total ransomware payments will only continue to increase unless criminals start paying back their victims.

“The fact that a smaller number is added to the total from last year does not impact that the total will only continue to increase,” said Winkler. “Many companies are outsourcing their infrastructures to cloud providers, which typically minimizes the impact of successful ransomware attacks. Likewise, many organizations added resilience through their infrastructure, where a successful attack will not have the destructive impact it might have had in the past. So typically, smaller organizations will remain vulnerable while larger, and better-resourced organizations will be less vulnerable.”

Austin Berglas, global head of professional services at BlueVoyant, said while the FinCEN report may indicate a year-over-year decline in average ransomware payments, the total aggregate amount of money paid out globally remains remarkably high.
Berglas added that accurate numbers are difficult to obtain as many incidents and ransom payments remain unreported. However, Berglas said there may be several factors that contribute to these stats:
- Law enforcement-led disruptions of major ransomware operations cause a decline in payments and activity: While median payment might decrease, successful attacks against large enterprises, critical infrastructure, or organizations with significant data exposure such as healthcare and financial services can still result in multi-million dollar payouts. A few such high-profile incidents can significantly inflate the total aggregate sum, even if the majority of smaller attacks yield lower amounts or are successfully mitigated without payment.
- Cyber insurance can inadvertently contribute: If an organization's policy covers ransomware payments, it can make the decision to pay seem more financially palatable, thereby sustaining the ransomware ecosystem. Insurers often prefer paying a ransom to avoid much larger business interruption costs. The true cost of a ransomware attack often far exceeds the ransom demand itself, encompassing downtime, recovery costs, legal fees, reputational damage, and lost revenue. Berglas noted that for many organizations, paying the ransom, even a large one, is perceived as the quicker and cheaper option to restore operations and mitigate further financial losses.
- Attackers target smaller orgs: Targeting smaller, less secure organizations will often result in smaller ransom payments, but require less time and effort to compromise — resulting in lower median payouts, but higher volume and gross dollars. The reduction in average or median payments, and potentially the number of organizations paying, is likely a combination of improved resilience, stronger incident response, and shifting attacker tactics. Organizations are increasingly implementing robust, segmented, and immutable backup strategies. This lets them restore systems without paying the ransom, directly reducing the need to pay or the amount paid.