Ransomware Payouts Are Tumbling—Here’s Why

For years, ransomware has been a digital plague, infecting businesses, hospitals, and governments worldwide. But something remarkable happened in 2024, something so unusual that cybersecurity experts took notice: ransomware payouts fell, and they fell hard.

According to research from blockchain data platform Chainalysis, the amount of money victims paid to ransomware gangs dropped by 35% in 2024, plummeting from $1.25 billion in 2023 to $813.6 million last year. That’s a massive decline for a cybercrime sector that seemed unstoppable just a few years ago.

So, what’s behind this sudden shift? The answer isn’t simple. A mix of aggressive law enforcement action, improved victim defenses, and internal chaos within cybercriminal networks is making it harder for hackers to extort money. Let’s break down exactly why ransomware groups are losing their grip.

The FBI and Global Crackdowns Hit Hard

One of the biggest reasons ransomware payouts shrank in 2024? Law enforcement wasn’t messing around.

Authorities worldwide executed some of their most successful operations against cybercriminal gangs, disrupting some of the largest and most notorious players in the ransomware space.

  • The FBI, Europol, and the UK’s National Crime Agency took down LockBit, one of the most prolific ransomware groups, in February 2024. The group’s ransomware payouts dropped by an astonishing 79% in the second half of the year, according to Chainalysis.
  • Spanish police arrested a 22-year-old British man in June, suspected of being the leader of the Scattered Spider ransomware gang. While the group remains active, the arrest disrupted its operations significantly.
  • Other major groups simply didn’t bounce back. Unlike past law enforcement takedowns, which often led to rival gangs absorbing the market share, no dominant player stepped in to replace LockBit. As a result, the ransomware ecosystem fragmented into smaller, less effective groups.

“It’s difficult to determine one key factor,” said Jacqueline Burns Koven, Head of Cyber Threat Intelligence at Chainalysis. “But the decrease was driven by a combination of increased law enforcement actions, improved international collaboration, fragmentation of the ransomware ecosystem, victim preparedness, and a growing refusal by victims to pay.”

The Ransomware Ecosystem is Falling Apart

Ransomware groups used to operate like well-oiled machines, with specialized roles for hackers, negotiators, and money launderers. But after high-profile law enforcement actions, the ecosystem has splintered.

Cybersecurity experts noted a rise in lone-wolf attackers—independent hackers without the sophisticated infrastructure or connections to demand massive ransoms.

Lizzie Cookson, Senior Director of Incident Response at Coveware, explained: “We saw a rise in lone actors, but we did not see any group(s) swiftly absorb [LockBit’s] market share, as we had seen happen after prior high-profile takedowns and closures.”

This shift is a big deal. The major ransomware syndicates had the infrastructure to pull off massive attacks, but these smaller, fragmented operations are struggling to fill the void. They lack the resources, organization, and experience to extort companies at the same scale.

In other words, it’s a cybercriminal free-for-all right now, and no one is winning.

Businesses Are Fighting Back—and Winning

Victims are also getting smarter. After years of high-profile attacks, many organizations are no longer panicking and paying up. Instead, they’re investing in better security measures, cyber insurance, and incident response teams.

Three key trends are making companies more resilient to ransomware:

  1. More businesses refuse to pay. As companies strengthen their defenses and back up critical data, they’re less likely to cave to ransom demands.
  2. Cyber insurance policies are tightening up. Insurance providers have become more selective, refusing to cover ransom payments in many cases, which discourages victims from paying hackers.
  3. International collaboration is improving. Governments and private companies are sharing threat intelligence faster than ever, making it harder for ransomware groups to operate undetected.

The end result? Fewer victims paying up, and hackers making less money.

Fake Leaks and Desperate Tactics

Ransomware gangs are also struggling to maintain credibility. Some groups have resorted to faking leaks, claiming to have stolen sensitive data when, in reality, they haven’t.

A prime example is LockBit. After law enforcement crippled its operations, the group tried to stay relevant by inflating its list of victims.

“Allan Liska, threat intelligence analyst at Recorded Future, told Chainalysis that LockBit has published as high as 68% repeat or straight-up fabricated victims on its data leak site.”

Why would a ransomware gang fake attacks? Simple: to keep the fear alive. If businesses believe they’ve been hacked, they might pay up—even if no data was actually stolen.

But this tactic is backfiring. Once companies realize they’re being bluffed, they’re even less likely to negotiate with hackers in the future.

Is This the Beginning of the End for Ransomware?

Does this mean ransomware is dead? Not quite. Cybercriminals are nothing if not adaptable, and experts warn that new threats will likely emerge.

However, for the first time in years, the industry is seeing real progress in the fight against ransomware. With law enforcement cracking down, businesses refusing to pay, and hackers struggling to regroup, the landscape has shifted dramatically.

Liska sums it up well: “The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”

The golden era of massive ransomware payouts might be coming to an end. And if 2025 continues this downward trend, hackers might have to find a new way to make a living.

For now, at least, the good guys are winning.