Ransomware payments peaked in 2023 at $1.1 billion with 1,512 reported incidents, according to a Financial Trends Analysis released by the Financial Crimes Enforcement Network (FinCEN). In 2024 payments dropped by a third to $734 million on 1,476 incidents. During the previous nine-year period — from 2013 through the end of 2021 — FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments.

The median ransomware payment varied over the reporting period:

  • 2022 - $124,000
  • 2023 - $175,000
  • 2024 - $155,257

Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial services, healthcare, and manufacturing were the sectors most affected by ransomware during the review period. Ranked by the total amount of ransom paid during the review period, the most affected industries were:

  • Financial services -- approximately $365.6 million
  • Healthcare -- approximately $305.4 million
  • Manufacturing -- approximately $284.6 million
  • Science and technology -- approximately $186.7 million
  • Retail -- approximately $181.3 million

FinCEN identified 267 ransomware variants reported in data during the review period. The 10 variants with the highest cumulative payment amounts identified in reports accounted for approximately $1.5 billion in suspicious activity.

While there are thousands of convertible virtual currency wallets in the market, FinCEN identified Bitcoin (BTC) as the most common ransomware-related payment method, accounting for 97% of reported transactions. Monero (XMR) was cited in two percent of reports involving ransomware.

Cyber Insurance Industry Claims

Cyber insurance claims reporting, together with data on extortion events from insurers' supporting incident response vendors, has also been a strong data point for tracking this criminal activity. Data from crypto-forensics firms show that extortion payments fell dramatically -- by more than a third -- from 2023 to 2024. And while the frequency of incidents reported to a major insurance broker rose 22%, the average ransom payment fell by 77%. Market reporting also indicates alignment with FinCEN’s figures on extortion payments, with median cost dropping from its Q1 2024 all-time high of $250,000 to $110,000 by the end of the year.

Along with cost and frequency, the payment rate can tell us whether criminals are succeeding in their extortions. Or, to be blunt: are efforts to fight them working? Reviewing data from vendors who manage payment transactions and compliance for cyber insurance policyholders, we can see that between Jan 2022 and Dec 2024, payment rates trend decisively down: from half of victims paying in the early 2020s to around one-quarter paying by mid-2025.

All this indicates that while the total dollars criminals collect peaked in 2023, they fell in 2024 -- and have continued to fall -- as fewer victims paid and law-enforcement disruptions hit big gangs, like Hive in January 2023, the Qakbot botnet in August 2023, ALPHV/BlackCat in December 2023, and the multinational operation to disrupt LockBit in February 2024. The market data supports the view that direct action by law enforcement has helped reduce the impact of this still serious threat.

Detection and Mitigation Recommendations

Ransomware is a serious cybersecurity concern for which FinCEN recommends the following actions:

  • Incorporate into intrusion detection systems and security alert systems Indicators of Compromise (IOCs) from threat data sources to enable active blocking or reporting of suspected malicious activity.
  • Contact law enforcement immediately regarding any ransomware-related activity and contact OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be a Specially Designated National (SDN) or otherwise have a sanctions nexus.
  • Report suspicious activity to FinCEN, highlighting the presence of “Cyber Event Indicators.”
  • Review and incorporate into AML/CFT programs financial red flag indicators of ransomware in the “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” issued by FinCEN in November 2021.

Davis Hake & Zack Martin
