Ransomware gangs continued to wreak havoc in 2024, but new research shows that the amounts victims paid these cybercriminals fell by hundreds of millions of dollars.
# Incident Report: 2024 Decline in Ransomware Payments Following Major Law Enforcement Disruptions
## Executive Summary
While high-profile ransomware attacks, such as the one against Change Healthcare, continued into early 2024, overall ransomware extortion payments saw a significant 35% decline in 2024 compared to the previous year, reaching \$814 million. This drop was precipitated by successful law enforcement operations against major threat actors like BlackCat/AlphV and Lockbit, which disrupted infrastructure and created community distrust, leading to the rise of less skilled successor groups that generated smaller payouts.
## Incident Details
- **Discovery Date:** Data tracking occurred throughout 2024, with critical findings released toward the end of the year via Chainalysis reports.
- **Incident Date:** Data covers the full year 2024, showing a peak in the first half and a significant drop in the second half.
- **Affected Organization:** Multiple organizations targeted, including hundreds of US pharmacies and clinics (via the Change Healthcare breach), and various high-profile organizations whose *Snowflake* customer accounts were compromised.
- **Sector:** Healthcare, Cloud Services, Finance (implied).
- **Geography:** Primarily focused on impacts within the US.
## Timeline of Events
### Initial Access
- **Vector:** Exploitation of security vulnerabilities in customer accounts of cloud provider *Snowflake*. Targeted attacks on critical infrastructure like healthcare systems (e.g., Change Healthcare).
- **Details:** Specific initial access vectors for individual victims are not detailed, but cloud provider compromise was a major vector exploited by subsequent actors.
### Lateral Movement
- *No specific details on lateral movement techniques are provided, only the resulting impact.*
### Data Exfiltration/Impact
- **Details:** Extortion demands led to total payments of \$814 million in 2024. The Change Healthcare breach resulted in an estimated \$22 million payment to AlphV.
### Detection & Response
- **How it was discovered:** Chainalysis tracked cryptocurrency payments to identify the financial scale of impacts. Law enforcement actions were visible through public announcements (FBI, NCA).
- **Response actions taken:**
* **Late 2023/Early 2024:** FBI disrupted BlackCat/AlphV by finding vulnerabilities in their encryption software and distributing decryption keys.
* **February 2024:** UK NCA operation against Lockbit, seizing infrastructure, taking down dark-web sites, and seizing crypto wallets.
* **May 2024:** US Treasury sanctioned Lockbit's alleged leader, Dmitry Khoroshev.
## Attack Methodology
Since the report focuses on industry trends rather than a single forensic case, the methodologies referenced are generalized based on the actors mentioned:
- **Initial Access:** Exploitation of security vulnerabilities (specifically noted for *Snowflake* access).
- **Persistence:** Not detailed for the succeeding, less skilled groups.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Implied through data theft in major incidents.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Data was gathered leading to extortion demands.
- **Exfiltration:** Not detailed, but was sufficient to justify multi-million dollar payouts.
- **Impact:** Digital extortion, system paralysis (Change Healthcare).
## Impact Assessment
- **Financial:** Ransomware payments totaled **\$814 million** in 2024, a 35% decrease from 2023's \$1.25 billion. The second half of 2024 saw payments drop to \$321 million (\$492 million in the first half).
- **Data Breach:** Significant data compromise led to extortion, including widespread disruption in the healthcare sector (millions affected by Change Healthcare outage).
- **Operational:** Catastrophic impact on critical services, such as paralyzing hundreds of US pharmacies and clinics via the Change Healthcare incident.
- **Reputational:** High-profile incidents damaged the reputation of the affected organizations; within the cybercriminal community, the AlphV "exit scam" damaged trust between the group and its affiliates.
## Indicators of Compromise
*The article does not list specific technical IoCs (IPs, domains, hashes) as it focuses on overall financial and operational trends.*
- **Behavioral indicators:** Threat actors shifting focus post-law enforcement disruptions; emergence of less skilled ransomware groups; major groups (AlphV, Lockbit) appearing to fold or go quiet.
## Response Actions
- **Containment:** Decryption key distribution (BlackCat/AlphV incident).
- **Eradication:** Seizure of criminal infrastructure and takedown of dark-web infrastructure (Lockbit operation).
- **Recovery actions:** Victims of BlackCat/AlphV received keys due to law enforcement action.
## Lessons Learned
- Law enforcement actions targeting infrastructure, tools, and key individuals (as seen with Lockbit and AlphV) can have delayed but significant positive effects on collective payment volume.
- Ransomware trends exhibit inevitable "ebbs and flows"; a short-term dip does not guarantee long-term success, and sustained defense investment remains necessary.
- The cybercriminal ecosystem is vulnerable to interpersonal failures, as evidenced by the AlphV "exit scam" which created distrust among partners.
## Recommendations
- Maintain aggressive, coordinated law enforcement operations to disrupt ransomware infrastructure globally.
- Invest continuously in robust defense mechanisms, especially for critical infrastructure, as successor groups will continue to emerge, even if initially less skilled.
- Organizations must remain vigilant as threat actors adapt; the decrease in payment volume should not lead to complacency or reduced security investment.