Ransomware-as-a-Service (RaaS) is under pressure. In 2024, we saw a drop in total payments even as the number of incidents—and the severity of attacks—continued to climb. For security leaders, this is a turning point: understanding how economics are shifting within RaaS is essential to adjust defence, negotiation, and resilience strategies.

Trend Overview
According to Chainalysis, ransom payments globally dropped by about 35 percent, from approximately USD 1.25 billion in 2023 to USD 813.55 million in 2024 (source: "35% Year-over-Year Decrease in Ransomware Payments"). Despite that drop, reported ransomware incidents continued to increase in many sectors, with threat actors more frequently using leak sites to pressure victims without follow-through on ransom demands.
Victims are refusing to pay more often, a result of stronger backup systems, insurance constraints, and legal and regulatory risk. Law enforcement disruptions of major groups, LockBit and ALPHV/BlackCat among them, played a central role. Per Chainalysis, the second half of 2024 saw significantly fewer large payouts, even as ransomware operations attempted to compensate by increasing ransom demands (source: "Ransomware Payments Drop 35% in 2024").
Case Studies
Qilin’s Leak of 842 GB From the Orleans Parish Sheriff’s Office
In September 2025, the Qilin RaaS group published approximately 842 gigabytes of data allegedly stolen from the Orleans Parish Sheriff’s Office (Louisiana), following their ransomware intrusion. The attack disrupted the county’s online court docket system for days, though reports suggest some systems (e.g. jail management) remained unaffected (source: "Hackers start leaking New Orleans sheriff ransomware data"). This case underscores data-exfiltration leverage: Qilin appears to monetise not just encryption, but the risk of exposure via leaks.
Qilin Surges, RansomHub Declines in April 2025
Cyble reported in May 2025 that Qilin led all ransomware groups in attack volume for April with 74 claimed victims, while RansomHub dropped dramatically after its leak site went offline (source: "Ransomware Attacks April 2025: Qilin Emerges from Chaos"). The shift suggests affiliates and victims are recalibrating: threat actors are aligning under newer brands, while older groups lose liquidity, trust, or infrastructure.
LockBit and BlackCat Disruption Effects on Payments
The disruption of LockBit by combined law enforcement operations and the disappearance of BlackCat/ALPHV in late 2023-2024 correspond with the steepest declines in ransom revenue in H2 2024. Chainalysis notes these takedowns, plus targeted sanctions and cryptocurrency laundering crackdowns, contributed heavily to the 35 percent drop in payments (source: "35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments").
Detection Vectors and Tactics
Threat actors are changing models. Many no longer rely solely on encryption; data exfiltration, followed by threats to leak, may yield a profit even if the ransom is unpaid. Organisations should monitor for indicators of data staging—large outbound transfers, use of new accounts, or anomalous cloud storage activity. These align with ATT&CK techniques T1530 (Data from Cloud Storage Object), T1041 (Exfiltration Over C2 Channel), and T1002 (Data Encrypted for Impact).
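The three staging indicators named above (large outbound transfers, new accounts, unfamiliar cloud storage destinations) can be combined into one check, shown here as an added example that is not from the original article. The record layout, thresholds, account names and destinations are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import date
from statistics import median

GB = 10**9
TODAY = date(2025, 1, 10)
SANCTIONED = {"backup.corp.example"}  # assumption: approved storage destinations

# Constructed sample egress records:
# (day, account, account_created, destination, bytes_out)
EVENTS = [(date(2025, 1, d), "alice", date(2023, 1, 1), "backup.corp.example", GB // 4)
          for d in (7, 8, 9, 10)]
EVENTS += [(date(2025, 1, d), "bob", date(2022, 6, 1), "backup.corp.example", GB)
           for d in (7, 8, 9)]
EVENTS += [
    (TODAY, "bob", date(2022, 6, 1), "backup.corp.example", 30 * GB),
    (TODAY, "svc-tmp", date(2025, 1, 8), "files.storage.example", 40 * GB),
]

def staging_alerts(events, today, ratio=10, floor=5 * GB, new_days=14, min_signals=2):
    """Return {account: [signals]} for accounts with >= min_signals indicators today."""
    daily = defaultdict(lambda: defaultdict(int))  # account -> day -> bytes out
    seen = defaultdict(set)                        # account -> destinations before today
    todays_dests = defaultdict(set)                # account -> destinations today
    created = {}
    for day, acct, made, dest, nbytes in events:
        daily[acct][day] += nbytes
        created[acct] = made
        (todays_dests if day == today else seen)[acct].add(dest)
    alerts = {}
    for acct, days in daily.items():
        total = days.get(today, 0)
        if total == 0:
            continue
        prior = [b for d, b in days.items() if d < today]
        baseline = median(prior) if prior else 0   # no history means any volume is new
        signals = []
        if total >= floor and total > ratio * baseline:
            signals.append("large_outbound")
        if (today - created[acct]).days <= new_days:
            signals.append("new_account")
        if todays_dests[acct] - SANCTIONED - seen[acct]:
            signals.append("unfamiliar_storage")
        if len(signals) >= min_signals:
            alerts[acct] = signals
    return alerts
```

Requiring two coinciding signals keeps a single large transfer to a sanctioned backup target (the constructed "bob" case) out of the alert queue while still surfacing the new account pushing bulk data to an unfamiliar destination.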
Another emerging vector: pricing vs demand mismatch. As ransom demands increase across big-game targets, the gap between what is asked and what is paid widens. Victims with strong recovery capabilities (good backups, robust DR plans) refuse payment; others negotiate down. Monitoring ransom note history, affiliate reputation, and public disclosures is now as crucial as traditional IV&V (inspection, verification, validation) of incidents.
Industry Response & Legal Pressure
Law enforcement agencies worldwide have intensified their operations. Chainalysis reports that seizures, infrastructure takedowns, and sanctions against mixer services significantly degraded the ability of ransomware actors to launder large payments (source: "2025 Crypto Crime Trends from Chainalysis"). Entities such as ALPHV/BlackCat were severely impacted: core affiliates lost access to infrastructure and functionality.
Regulators are also considering more aggressive policy levers. Several U.S. states and UK bodies have proposals to ban ransomware payments by public agencies. Insurance is changing: many cyber insurance contracts now require validated backup systems and incident response protocols, or refuse to cover ransom payments past specific amounts. Victims are increasingly reporting dark web leak threats and pressure even when encryption is not used, tying back to dynamics tracked in "Emerging Darknet Marketplaces of 2025: Anatomy, Tactics & Trends".
CISO Playbook
- Ensure off-site, immutable backups are verified against restoration scenarios; prioritise the capability to recover without payment.
- Monitor dark web leak forums and affiliate chatter for early indicators of ransomware group shifts or rebranding.
- Engage law enforcement and regulatory compliance early in incident response; consider public body policies in your jurisdiction.
- Audit and document ransom demands over time to build comparative intelligence on group reputation and negotiation patterns.
- Review insurance policy terms to ensure coverage is based on robust evidence of preparation (DR plans, backups, etc.), not simply revenue size.
Closing Insight
The decline in ransomware payments in 2024 is not a sign of victory—but a crack in a long-standing business model. RaaS actors are adapting: new groups emerge, affiliate networks shift, and data leak threats grow in prominence. For defenders, the essential distinction is not whether a ransom demand occurs but whether the model is sustainable for attackers in a world where payments are harder, scrutiny is higher, and risks escalate.
Use data from public ransomware reports responsibly and comply with laws when interacting with leak sites or making disclosures.