
Redazione RHC: 9 December 2025 15:26
According to a recently released report by the Financial Crimes Enforcement Network (FinCEN), global ransomware activity peaked in 2023, only to plummet in 2024. This decline is attributed to successive operations against large-scale ransomware groups, including ALPHV (BlackCat) and LockBit, through collaborative international investigations.
FinCEN analyzed thousands of reports under the Bank Secrecy Act (BSA) filed by financial institutions between January 2022 and December 2024, identifying 4,194 cases of ransomware and over $2.1 billion in ransoms. This figure is nearly equal to the total reported in the eight-year period from 2013 to 2021.
Considering the entire period (2013-2024), this comes to approximately $4.5 billion, demonstrating that the ransomware industry’s massive criminal economy is still booming. According to the report, 2023 was “the most profitable year on record” for ransomware groups, with 1,512 attacks and $1.1 billion in reported ransom payments, a 77% increase over the previous year.
But this trend reversed in 2024.
While the number of incidents decreased slightly to 1,476, the total ransom paid plummeted to $734 million. The report attributes this decline to large-scale operations conducted by US and European authorities against BlackCat (late 2023) and LockBit (early 2024). Both groups were reportedly among the “most active” attack groups at the time and are said to be struggling to reorganize after the destruction of their infrastructure.
“Most ransom payments were less than $250,000,” FinCEN said, noting that small and medium-sized businesses, as well as large corporations, continue to suffer losses. The hardest-hit sectors are manufacturing, finance, and healthcare.
The sectors most affected by ransomware attacks between 2022 and 2024 are:
In terms of the extent of damage, the financial sector suffered the most, followed by the medical sector and the manufacturing sector.
In particular, financial institutions were found to be the largest sector not only in terms of the scope of attacks but also in terms of total ransoms paid. There are 267 active ransomware families, with “Akira” appearing most frequently.
FinCEN reported that a total of 267 different ransomware families were reported between 2022 and 2024.
A small number of groups led the general attack, and the following families are those mentioned most frequently:
Other top-ranking organizations include Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. These top 10 organizations alone accounted for over $1.5 billion in ransom payments between 2022 and 2024.
Approximately 97% of ransom payments were made in Bitcoin, confirming that the cryptocurrency remains a key means of transaction in the ransomware economy.
A decisive blow for investigative agencies: “The ransom will decrease, but the attacks will continue.”
The report cited international cooperation between investigative agencies in the United States and Europe as a key factor in the significant reduction in ransoms in 2024. With BlackCat and LockBit’s infrastructure neutralized, the attackers’ profitability has dropped dramatically, and several organizations are believed to be experiencing disruption as they reorganize.
However, the fact that the number of attacks hasn’t decreased is another warning sign. Even with lower ransoms, the number of attempted attacks continues to rise. The report predicts that “new, smaller groups will continue to emerge and fill the market.”
FinCEN urges all organizations to “immediately report any ransomware attack to the FBI and FinCEN,” stressing that it is critical to monitor criminal networks and block funds through the sharing of financial information.