Ransomware Gangs Extorted $2.1B in Two Years: FinCEN
▼ Summary
– Ransomware activity peaked in 2023 with 1,512 incidents and $1.1 billion in payments before declining in 2024 following law enforcement actions against major gangs like ALPHV/BlackCat and LockBit.
– From 2022 to 2024, organizations reported 4,194 ransomware incidents and paid over $2.1 billion in ransoms, nearly matching the total reported over the previous eight years.
– The most targeted industries by number of incidents were manufacturing, financial services, and healthcare, while financial services suffered the highest total ransom payments.
– Akira was the most frequently reported ransomware family, but ALPHV/BlackCat earned the most money at roughly $395 million, with the top 10 gangs collectively accounting for $1.5 billion in payments.
– Bitcoin was the dominant payment method for ransoms at 97%, and FinCEN encourages continued reporting of attacks and payments to help disrupt cybercrime.
A new analysis from the Financial Crimes Enforcement Network reveals a staggering financial toll from ransomware, with criminals extorting over $2.1 billion in just two years between 2022 and 2024. This figure nearly matches the total reported for the entire eight-year period from 2013 to 2021, underscoring a dramatic escalation in the scale of these cyberattacks. The data, drawn from thousands of Bank Secrecy Act filings, documents 4,194 separate incidents during that two-year window, bringing the total tracked payments since 2013 to approximately $4.5 billion.
The report indicates that 2023 represented a peak for ransomware gangs, with victims reporting 1,512 incidents and paying roughly $1.1 billion in ransoms. This marked a sharp 77 percent increase from the previous year. However, 2024 saw a notable shift. While the number of incidents remained high at 1,476, the total ransom paid plummeted to $734 million. Analysts attribute this significant financial drop largely to coordinated law enforcement actions that disrupted major criminal operations, specifically targeting the ALPHV/BlackCat gang in late 2023 and the LockBit network in early 2024.
These enforcement operations appear to have had a tangible impact, as the targeted groups were among the most active at the time of their disruption. Following these takedowns, the associated threat actors were forced to either migrate to new operations or struggled to regain their former operational capacity. The analysis further breaks down the financial impact by sector, showing that while certain industries faced more frequent attacks, others suffered the greatest monetary losses.
In terms of the sheer number of attacks, manufacturing, financial services, and healthcare were the most frequently targeted industries. When measured by the total dollar amount extorted, however, the ranking shifts. Financial institutions bore the heaviest financial burden, with approximately $365.6 million in ransom payments, followed closely by the healthcare sector at $305.4 million. Manufacturing, science and technology, and retail rounded out the top five industries by total ransom paid.
The report identified 267 distinct ransomware variants, but a small cluster of gangs was responsible for the lion’s share of the damage. The Akira ransomware family was linked to the highest number of individual incident reports. Meanwhile, the ALPHV/BlackCat operation was the most financially successful, collecting an estimated $395 million in payments, with LockBit following at $252.4 million. Other prominent gangs like Black Basta, Royal, and Hive contributed to a collective haul of $1.5 billion for the top ten most active groups during the review period.
Regarding payment methods, Bitcoin remained the overwhelmingly dominant currency for ransom transactions, accounting for 97 percent of the tracked payments. A tiny fraction of payments utilized other cryptocurrencies like Monero, Ether, Litecoin, and Tether. FinCEN continues to urge organizations to bolster their cybersecurity defenses and to maintain vigilant reporting, submitting details of attacks to the FBI and information on any ransom payments to FinCEN, as this data is critical for ongoing efforts to disrupt these costly criminal enterprises.
(Source: Bleeping Computer)
