FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024
2025-12-8 21:15:22 Author: www.bleepingcomputer.com

A new report by the Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity peaked in 2023 before falling in 2024, following a series of law enforcement actions targeting the ALPHV/BlackCat and LockBit ransomware gangs.

From thousands of Bank Secrecy Act filings, the report documents 4,194 ransomware incidents between January 2022 and December 2024. These reports show that organizations paid more than $2.1 billion in ransom payments, nearly reaching the total reported over 8 years from 2013 to 2021.

In total, from 2013 through 2024, FinCEN tracked approximately $4.5 billion in payments to ransomware gangs.

Law enforcement operations show impact

According to the report, 2023 was the best year for ransomware gangs, with victims reporting 1,512 individual incidents and approximately $1.1 billion in ransom payments, a 77 percent increase from 2022.

However, both stats fell in 2024, with a slight dip to 1,476 incidents, but a dramatic decrease to $734 million in payments. This decrease is believed to be due to law enforcement operations targeting BlackCat in 2023 and LockBit at the beginning of 2024.

Both of these ransomware gangs were the most active at the time of disruption, with the threat actors moving to new operations or struggling to relaunch.

FinCEN says the amount paid varied, with most ransom payments below $250,000. The analysis also showed that manufacturing, financial services, and healthcare suffered the most ransomware attacks, with financial institutions reporting the most significant dollar losses.

"Between January 2022 and December 2024, the most commonly targeted industries (by number of incidents identified in ransomware-related BSA reports during the review period) were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents)," explained FinCEN's analysis.

"The most affected industries by the total amount of ransom paid during the review period were financial services (approximately $365.6 million), healthcare (approximately $305.4 million), manufacturing (approximately $284.6 million), science and technology (approximately $186.7 million), and retail (approximately $181.3 million) (see Figure 4)."

Most impacted industries
Source: FinCEN

In total, FinCEN identified 267 distinct ransomware families, with only a small number responsible for most of the reported attacks.

Akira appeared in the most incident reports (376), followed by ALPHV/BlackCat, which also earned the most, at roughly $395 million in ransom payments, and then LockBit at $252.4 million in payments.

The other ransomware gangs included Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. Collectively, the top 10 most active ransomware gangs accounted for $1.5 billion in ransom payments from 2022 through 2024.

Most active ransomware operations
Source: FinCEN

The payment methods were also tracked, with the majority paid via Bitcoin (97%), and a small number paid in Monero, Ether, Litecoin, and Tether.

FinCEN encourages organizations to continue reporting attacks to the FBI and ransom payments to FinCEN to help disrupt cybercrime.


Article source: https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/