In 2024, the cybersecurity landscape has taken an interesting turn with an increase in ransomware incidents but a noticeable decline in payments by the victims. Despite a slight increase in ransomware revenues in the first half of 2024 compared to the first half of 2023, overall extortion payments plummeted by 35% year-over-year. In numbers, ransomware groups collected approximately $813.55 million in 2024, a significant drop from the $1.25 billion recorded in 2023. The second half of 2024 witnessed a dramatic deceleration in payment activity, signaling a shift in the behavior of targeted organizations.
Growing Refusal to Pay Ransom Demands
A primary factor contributing to the decline in ransomware payments is the increasing refusal of victims to comply with ransom demands. Although the number of ransomware incidents has risen, the volume of on-chain payments, which can be tracked on the blockchain, has dropped. This trend indicates that more victims are opting out of paying ransoms, choosing instead to handle the breach in alternative ways. The gap between the number of victims listed on data leak sites and those actually making payments has widened considerably. Improved cyber resiliency has empowered many organizations to withstand ransomware attacks without yielding to extortion demands. Many victims have invested in better backup solutions and are now more capable of restoring their systems from recent backups, circumventing the need to pay ransoms. For some, the process of restoration from backups has proven to be quicker and more cost-effective than negotiating and paying ransoms. Dan Saunders from Kivu Consulting disclosed that only 30% of negotiations led to victims deciding to pay, heavily influenced by the perceived value of the compromised data. These findings indicate that a strong emphasis on cyber preparedness and resilience can dramatically reduce the financial impact of ransomware attacks.
Disruption of the Ransomware Ecosystem
Several key disruptions within the ransomware ecosystem in 2024 have also played a crucial role in the reduction of ransomware revenue. Law enforcement actions, such as the takedown of the notorious LockBit group in February 2024, had a significant impact on the ecosystem. Even though LockBit rebranded and resumed its operations, its payment receipts fell by a staggering 79% in the second half of 2024, demonstrating the long-lasting effects of such interventions. Furthermore, the BlackCat group’s exit scam caused additional disruption, contributing to the fragmentation of the ransomware landscape.
This fragmentation has led to a rise in smaller, less organized groups and lone wolf actors, who find it more challenging to target major organizations. Consequently, these actors have shifted their focus towards small to mid-sized businesses. This shift has resulted in more modest ransom demands, which, in turn, have contributed to the overall decline in ransomware revenue. Additionally, targeted organizations in this market segment often possess less valuable data or fewer resources to pay exorbitant ransoms, further diminishing the returns for ransomware attackers.
The Road Ahead for Cybersecurity
This unusual trend has led many experts to investigate the underlying causes. Although there was a slight increase in ransomware revenues during the first half of 2024 compared to the same period in 2023, the overall extortion payments saw a remarkable 35% year-over-year drop. In concrete numbers, ransomware groups collected about $813.55 million in 2024, which is quite a decrease from the $1.25 billion amassed in 2023. The second half of 2024 showed an even more dramatic slowdown in payment activities, indicating a significant change in the behavior of the targeted organizations. This shift could be attributed to better cybersecurity measures, increased awareness, and possibly tougher regulations, making it harder for cybercriminals to successfully extort money from their targets. The evolving scenario clearly reflects a changing attitude towards handling ransomware attacks.