Ransomware payments fell by 35% year-over-year in 2024 amid a growing refusal by victims to pay demands, according to a new Chainalysis report.
Ransomware groups received approximately $813.55m in extortion payments from victims last year, which compares to a record $1.25bn in 2023.
Notably, in the first half of 2024, ransomware revenues were 2.38% higher than compared to H1 2023. However, payment activity slowed significantly in H2 2024.
A major factor in the fall in ransomware payments appears to be a growing refusal of victims to pay.
The researchers observed that while the number of ransomware events increased into H2, on-chain payments declined.
There was a significant widening of the gap between data leak site victims being posted and payments being made during the latter part of 2024. This suggests that more victims were targeted, but fewer paid.
Commenting on the research, Lizzie Cookson, Senior Director of Incident Response at ransomware recovery specialist Coveware, argued that improved cyber resiliency is enabling many victims to resist demands and explore multiple options to recover from an attack.
“They may ultimately determine that a decryption tool is their best option and negotiate to reduce the final payment, but more often, they find that restoring from recent backups is the faster and more cost-effective path,” she explained.
Dan Saunders, Director, Incident Response, EMEA at Kivu Consulting, cited data from his firm which showed that around 30% of negotiations actually lead to the victims deciding to pay the ransoms.
“Generally, these decisions are made based on the perceived value of data that’s specifically been compromised,” he stated.
A Ponemon Institute survey in January 2025 found that just over half (51%) of ransomware victims paid a ransom demand to the attackers. Preventing stolen data from being leaked and downtime were the primary factors in deciding to pay a ransom.
Fragmented Ecosystem Leads to Reduced Ransomware Payments
The Chainalysis report found that major disruptions to the ransomware ecosystem in 2024 also contributed to the decline in ransomware revenue last year.
This included the law enforcement takedown of LockBit in February 2024 and the BlackCat group’s apparent ‘exit scam’ following its attack on Change Healthcare.
While LockBit has rebranded and made a comeback, Chainalysis found that payments to the group fell by around 79% in H2 2024 compared to H1. This suggests the law enforcement operation has had a lasting impact on the group’s capabilities.
These disruptions have resulted in a highly fragmented ransomware ecosystem, with an increase in the number of smaller groups and lone wolf actors to fill the void. This has in turn resulted in reduced attacks on “big game” targets.
Cookson noted: “The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small to mid-size markets, which in turn are associated with more modest ransom demands.”
