7,395 Reports, 4,194 Attacks – Ransomware Spreading Faster Than Ever

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has released a new Financial Trend Analysis on ransomware incidents reported in Bank Secrecy Act (BSA) data from 2022 to 2024. According to the report, ransomware payments during this three-year period totaled more than $2.1 billion.

During the three-year review period, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents, totaling more than $2.1 billion in ransomware payments. During the previous nine-year period, from 2013 through the end of 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments. Ransomware incidents and payments reached an all-time high in 2023 with 1,512 incidents and about $1.1 billion in payments, representing a 77 percent increase in total payments from 2022 to 2023. In 2024, incidents decreased slightly to 1,476, while total payments were around $734 million. Overall, the number of incidents and total payments fluctuated throughout the review period.

Reported ransomware incidents and payments reached an all-time high in 2023. That year, reported ransomware payments totaled approximately $1.1 billion, marking a 77 percent increase from 2022 to 2023. The number of reported incidents also reached a record high of 1,512 in 2023. In 2024, there were 1,476 reported ransomware incidents and about $734 million in reported payments. The total value of payments in 2024 was the third-highest yearly amount since ransomware reporting began in 2013. In 2022, both the number of reported incidents and the value of payments declined after previously hitting record highs in 2021.

The median ransomware payment amount changed over the years: $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024. Between January 2022 and December 2024, the most common payment amount was below $250,000.

The financial services, manufacturing, and healthcare industries were the most affected during the review period, both in terms of the number of incidents and the total payments made to ransomware actors. FinCEN identified 267 unique ransomware variants in BSA data during the review period. The most frequently reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.

Regarding communication methods, about 42 percent of BSA reports mentioned how ransomware actors contacted their targets. Among those reports, 67 percent said the attackers used The Onion Router (TOR), while 28 percent said attackers used email to communicate.

FinCEN found that Bitcoin (BTC) was the most commonly used payment method in reported ransomware cases, making up 97 percent of all transactions. Monero (XMR) appeared in about two percent of the BSA reports related to ransomware. FinCEN also identified several common money laundering methods used by ransomware actors. These actors mainly collected payments through unhosted convertible virtual currency wallets and continued to use cryptocurrency exchanges to launder the money after receiving it. Many ransomware groups also relied on commonly used malicious cyber facilitators, such as shared initial access vendors, to support their activities.

In 2023, the value of reported ransomware payments reached an all-time high of approximately $1.1 billion, representing a 77 percent increase from 2022 to 2023. However, after U.S. federal law enforcement disrupted the ALPHV/BlackCat ransomware group in December 2023 and U.S. and UK authorities took action against the LockBit ransomware group in February 2024, the total number of reported ransomware incidents declined in 2024. That year, there were 1,476 incidents and about $734 million in reported payments, showing a significant drop in the total value of ransomware payments compared to the previous year.

Between January 2022 and December 2024, the industries most commonly targeted by ransomware, based on the number of incidents reported in ransomware-related BSA filings, were manufacturing with 456 incidents, financial services with 432 incidents, healthcare with 389 incidents, retail with 337 incidents, and legal services with 334 incidents. The industries that paid the highest total amounts in ransom during the review period were financial services with about $365.6 million, healthcare with about $305.4 million, manufacturing with about $284.6 million, science and technology with about $186.7 million, and retail with about $181.3 million.

Download Report PDF (This PDF is available for Premium Users Only. Click here to join premium)