Ransomware Payment Trends: 2024 Statistics, Trends, and Analysis

Methodology

These figures draw from two primary datasets with fundamentally different measurement scopes.

Chainalysis tracks on-chain cryptocurrency flows to wallets attributed to ransomware operators. Their 2025 Crypto Crime Report covers payments received from January through December 2024, expressed in USD at the time of transaction. It's the broadest available view of global payment volumes, though it captures only cryptocurrency. Chainalysis initially reported $813.55 million for 2024; as additional wallet clusters were identified during ongoing attribution work, the figure reached approximately $892 million in later internal analysis. This page cites the published February 2025 figure of $813.55 million.

FinCEN's Financial Trend Analysis, published December 2025, draws on Bank Secrecy Act (BSA) reports, including Suspicious Activity Reports (SARs), filed by U.S. financial institutions under Section 6206 of the Anti-Money Laundering Act of 2020. The analysis covers January 2022 through December 2024. For 2024 alone, FinCEN recorded 1,476 incidents totaling $734 million in reported payments. The gap between this and Chainalysis's global figure reflects the FinCEN dataset's U.S.-only, reporting-triggered scope: it only captures incidents where victims moved funds through the U.S. financial system and triggered a BSA filing obligation.

Sophos's State of Ransomware 2024 report surveyed 5,000 IT and cybersecurity leaders across 14 countries and captures self-reported incident and sector-specific payment data. Its financial-services breakdown supplements the global totals. The FBI's Internet Crime Complaint Center (IC3) 2024 Annual Report covers complaints filed directly by U.S. victims.

All dollar figures are in USD. FinCEN figures represent a subset of global payment volumes and should not be compared directly to Chainalysis totals without accounting for scope differences.

Full data table

Sources: Chainalysis 2025 Crypto Crime Report (global on-chain figures); FinCEN Financial Trend Analysis on Ransomware, December 2025 (U.S. BSA-reported figures only, not directly comparable to Chainalysis totals).

Key findings

• A single payment broke every prior record. A Fortune 50 company paid $75 million to the Dark Angels ransomware group in mid-2024, the largest single ransom payment ever documented, per Chainalysis. The victim's identity has not been confirmed publicly. This payment alone equals roughly 9% of the year's entire global total, and it demonstrates that the headline decline in aggregate payments coexists with extreme exposure at the high end.

• Attack volume rose while total payments fell. The FBI's IC3 received 3,156 ransomware complaints in 2024, up 9% from 2,825 in 2023. Total payments dropped sharply at the same time. Chainalysis estimates roughly 30% of ransomware negotiations resulted in payment in 2024, down from prior years. Organizations are refusing payment more often, and improved backup capabilities are a primary driver.

• Financial services paid a median $2 million per incident. Sophos's State of Ransomware in Financial Services 2024 found a median ransom payment of $2 million in the sector. Recovery costs averaged $2.58 million per incident, up from $2.23 million in 2023. Paying organizations settled for approximately 75% of the initial demand on average, with 67% of payers ending up below the original ask.

• Ten variants drove most documented damage. FinCEN identified over 200 ransomware variants in U.S. BSA reports from 2022 to 2024. The top 10 variants accounted for approximately $1.5 billion of the $2.1 billion in FinCEN-reported payments over that three-year period. The most frequently reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.

• LockBit's second-half collapse was measurable. After Operation Cronos in February 2024, LockBit's H2 payments fell approximately 79% against H1, per Chainalysis. ALPHV/BlackCat, which had been among the most active groups, conducted an exit scam in early 2024: after allegedly receiving a $22 million ransom from Change Healthcare, the group vanished without distributing proceeds to affiliates.

Year-over-year trends

Ransomware payments crossed $1 billion for the first time in 2023, reaching $1.25 billion per Chainalysis. That record followed a sharp 2022 decline to $567 million, itself a 42% drop from 2021's $983 million. The 2022 trough had a specific cause: the FBI covertly infiltrated the Hive ransomware network in mid-2022, obtaining decryption keys and distributing them to victims without notifying Hive operators. The Conti group also imploded that year after its attack on Costa Rica's government infrastructure drew unusually intense law enforcement and political attention.

2023 reversed the decline completely. The Cl0p group's mass exploitation of the MOVEit file transfer vulnerability exposed over 2,700 organizations in a matter of weeks. LockBit operated throughout the year at industrial scale. ALPHV/BlackCat ran targeted campaigns against MGM Resorts and Caesars Entertainment in late 2023. The net effect was a 121% year-over-year surge.

The 2024 decline to $813.55 million came from two directions simultaneously. Law enforcement removed capacity: Operation Cronos on February 20, 2024, saw the NCA, FBI, and Europol seize LockBit's infrastructure, recover over 1,000 decryption keys, and expose the alleged operator, Dmitry Khoroshev, whose identity had been protected for years. The U.S. Treasury sanctioned Khoroshev in May 2024. ALPHV's exit scam in March 2024 effectively ended that group as a functioning operation.

Victim behavior shifted in parallel. Cyber insurance carriers tightened policy language around ransom coverage. Legal guidance from regulators and law firms clarified the sanctions exposure involved in paying designated groups. Backup and recovery capabilities improved at enough large enterprises to reduce the leverage attackers held.

H2 2024 payments fell roughly 34.9% below H1 levels, per Chainalysis data. Whether this represents a durable structural shift is an open question. RansomHub emerged rapidly after LockBit's disruption, absorbing many former LockBit affiliates. Attack complaint volumes at the FBI's IC3 rose 9% for the full year. The threat actor base is intact; only some of its infrastructure was disrupted.

What this means for compliance teams

The $813.55 million figure understates compliance exposure for financial institutions in one specific way: their infrastructure is the movement channel for ransomware proceeds. When a victim pays in cryptocurrency, those funds typically pass through exchange accounts or get converted via correspondent banking relationships with regulated firms. Compliance teams aren't observers of this data. They're gatekeepers.

Transaction Monitoring programs need calibration for the specific patterns ransomware payments generate. Large round-number cryptocurrency transfers, rapid conversion to stablecoins, and layering through multiple wallets in short windows are the typological indicators. A generic AML model trained on trade-based fraud won't surface them reliably. Real-time behavioral scoring against known ransomware payment typologies is where the gap sits.

Sanctions Screening became operationally critical here after OFAC added multiple LockBit affiliates to the SDN list and fully designated Dmitry Khoroshev in May 2024. Any institution that processed payments to or from a designated ransomware operator faces potential enforcement action. Screening must cover wallet addresses alongside corporate names. Many institutions still don't do this systematically, and FinCEN's guidance makes clear that BSA obligations apply to transactions involving proceeds of ransomware regardless of the payment mechanism.

Under FATF Recommendation 20 on suspicious transactions, banks and money services businesses detecting ransomware-linked activity must file SARs promptly. The 7,395 BSA reports FinCEN received over the 2022-2024 period show that reporting is happening, but the gap between FinCEN's $734 million for 2024 and Chainalysis's $813.55 million suggests meaningful unreported volume passing through the financial system.

AI-Powered Fraud Detection is the only realistic way to keep pace with the rotation speed ransomware groups now operate at. Wallet cycling, cross-chain bridging, and mixer usage mean the threat surface changes faster than manual review can track. Automated behavioral analysis against current threat intelligence closes the gap without adding manual headcount.

Zero Trust Security Solutions address the upstream problem: ransomware enters the network before it generates any payment signal. Network segmentation, least-privilege access, and continuous authentication reduce the blast radius of a successful intrusion. The FinCEN data shows a median transaction of $155,257 in 2024, well below the wire-transfer thresholds that typically trigger enhanced scrutiny. Ransomware operators know this. Structuring payment chains to stay below detection thresholds is a documented tactic, and compliance programs that rely on amount-based triggers are structurally exposed to it.

Sources

• Chainalysis, "Crypto Ransomware: 35.82% YoY Decrease in Ransomware Payments," 2025 Crypto Crime Report, February 2025
• FinCEN, "FinCEN Issues Financial Trend Analysis on Ransomware," December 2025
• Sophos, "The State of Ransomware in Financial Services 2024"
• U.S. Department of Justice, "U.S. and U.K. Disrupt LockBit Ransomware Variant," February 2024
• Sophos, "Ransomware Payments Increase 500% In the Last Year," State of Ransomware 2024, April 2024