Ransom Payments Fell 35% in 2024 After LockBit, BlackCat Takedowns
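According to a Chainalysis report, ransom payments from ransomware attacks totaled $813.55 million in 2024, down 35% from 2023 and the second-lowest level in recent years. The decline is mainly attributed to tougher law enforcement action and a trend of companies refusing to pay ransoms. Even so, ransomware gangs remain active and keep adjusting their tactics in response.

2025-2-7 20:18:19 Author: securityboulevard.com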

Ransomware gangs are as busy as ever, but the amount of money they’re getting from their attacks is declining, according to blockchain analysis firm Chainalysis.

In a report this week, the firm’s researchers said that in 2024, victims paid $813.55 million in ransom, a significant amount but 35% lower than the record high the year before of more than $1.25 billion, and the second lowest amount since 2020. Only the total ransom paid in 2022 – $655.44 million – was lower than last year.

More aggressive law enforcement operations that crossed international borders – including those against high-profile and highly active groups like LockBit and BlackCat/ALPHV – and the simple refusal of more companies to pay the demanded ransoms were key drivers behind the drop in payments, according to the researchers.

Chainalysis also gathered insights from other analysts in the cybersecurity field who saw the same downward trend in payments. Lizzie Cookson, senior director of incident response at Coveware, said the quick removal of those two major ransomware players rippled through the landscape.

“The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV,” Cookson told Chainalysis. “We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high profile takedowns and closures. The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”

Chainalysis’ report echoes what the researchers wrote earlier last year, when they noted the slowing of ransom payments. They wrote this week that halfway through last year, they expected the total amount in 2024 to surpass the previous year’s. However, payments after July slowed by almost 35%, and the payment decline from 2023 was more pronounced.

The Effort is There, Even If the Payment Isn’t

The researchers also looked at data leak sites, one measure of ransomware activity, and found that threat groups posted more victims in 2024 than in any previous year, and cybersecurity firm Recorded Future found there were 56 new such sites created. However, there also were times when bad actors claimed victims on leak sites but couldn’t prove it.

Another data point: The gap between what was demanded and what was paid increased to 53%, with the researchers adding that “reporting from incident response firms suggests a majority of clients opt not to pay altogether, which means the actual gap is larger than the below numbers suggest.”

Dan Saunders, director of incident response in EMEA for Kivu Consulting, told Chainalysis that his firm’s data found that about 30% of negotiations lead to payments or victims deciding to pay the ransoms, with the decisions usually made based on the value the victims put on the data stolen.

Coveware’s Cookson added that improved cyber hygiene and resiliency allow organizations to better resist ransom demands and to evaluate other options.

“They may ultimately determine that a decryption tool is their best option and negotiate to reduce the final payment, but more often, they find that restoring from recent backups is the faster and more cost-effective path,” she said.

The final payments ranged from $150,000 to $250,000, Chainalysis found.

Bad Actors Adapted to Changes

As the amounts of payments declined, threat groups adapted to respond to the change.

“Many attackers shifted tactics, with new ransomware strains emerging from rebranded, leaked, or purchased code, reflecting a more adaptive and agile threat environment,” Chainalysis researchers wrote. “Ransomware operations have also become faster, with negotiations often beginning within hours of data exfiltration.”

There also is a wide range in the kinds of bad actors running campaigns, from nation-state groups to ransomware-as-a-service (RaaS) operators, lone actors, and data theft and extortion groups, such as those who grabbed data from customers of cloud storage provider Snowflake and looked to extort money from the victims.

Ransomware Groups on the Rise

In the wake of law enforcement operations against LockBit and BlackCat/ALPHV, other groups rose to fill the vacuum and recruit bad actors from those operations. RansomHub, a RaaS player, absorbed many of them and, even though it only hit the scene in February 2024, still posted the most victims for the year.

Other strains, like Akira and Fog, also rose in prominence, with the former ramping up efforts in the second half of the year. Both target critical vulnerabilities and both primarily exploit VPN security flaws, the researchers wrote. They also use the same methods – which are different from other groups – to launder their money, which suggests a connection between them. For example, cryptocurrency wallets operated by Akira and Fog transferred funds to the same no-KYC crypto exchanges.

As another nod to international law enforcement actions and government sanctions, ransomware actors made less use of crypto mixers to launder money, opting instead for other techniques like centralized exchanges, personal wallets, and bridges.

“The decline of mixing among ransomware actors over the years is very interesting and a testament to the disruptive impact of sanctions and law enforcement actions, such as those against Chipmixer, Tornado Cash, and Sinbad,” Chainalysis researchers wrote.

Source: https://securityboulevard.com/2025/02/ransom-payments-fell-35-in-2024-after-lockbit-blackcat-takedowns/