Major US industries continue to encounter a steady stream of ransomware attacks, despite a substantial decrease in the dollar value of ransoms paid to criminal groups. The Treasury Department, through its Financial Crimes Enforcement Network (FinCEN), released new figures indicating a significant drop in payments linked to ransomware. While this downturn brings some optimism, organizations remain under persistent pressure as attackers continue to target critical sectors such as manufacturing, financial services, and healthcare. The nature of these attacks continues to evolve, challenging both public and private defenders. As ransomware groups adapt, the financial implications for victims fluctuate, pointing to complex underlying trends rather than a straightforward resolution.
A review of reports from previous years shows that ransomware attacks had reached unprecedented peaks in both frequency and financial impact, with total payments surpassing $2 billion in a three-year window leading up to 2024. However, the newest Treasury analysis suggests a shift. While the frequency of attacks remained nearly static, the scale of demanded and paid ransoms shifted downward. This suggests attackers may be facing additional hurdles from increased defensive measures or changes in payment behavior among victims and insurers, compared to the peak years.
Payments Decline as Law Enforcement and Defenses Improve
Data compiled by FinCEN indicates a marked decline in ransom payments, with a 33% decrease from approximately $1.1 billion in 2023 to $734 million in 2024. Despite the financial downturn in payments, authorities urge caution, noting that it remains uncertain whether this trend will be sustained. According to FinCEN,
“Total ransomware payments are still historically high, signaling an ongoing threat.”
Are Industries Seeing Fewer Ransomware Attacks?
Although the financial impact has lessened, the actual number of ransomware incidents has not substantially changed. FinCEN recorded 1,476 ransomware attacks in 2024, only a slight reduction from 1,512 in the prior year. The manufacturing sector reported 456 incidents, financial services faced 432, and healthcare saw 389 cases—collectively causing hundreds of millions in losses. A FinCEN spokesperson stated,
“Manufacturing, financial services, and healthcare organizations remain prominent targets for ransomware threat actors.”
Which Ransomware Groups Dominate Recent Attacks?
The analysis pointed to 267 unique ransomware variants active between 2022 and 2024, with ALPHV/BlackCat identified as the most commonly reported variant. Other significant threats included Akira, LockBit, Phobos, and Black Basta. A small subset of variants accounted for the bulk of ransom payments, with roughly 10 top groups responsible for about $1.5 billion in demands over the last two years. This consolidation suggests that the criminal ecosystem remains highly concentrated, even as payment sums waver.
Ransomware remains a persistent cyber risk for companies across multiple sectors, and organizations must keep adapting strategies to counter these risks. While the sharp dip in payment volumes offers cautious optimism, the near-constant rate of attacks signals a shift in attacker tactics rather than an end to the threat. Understanding the identities and methodologies of prolific variants like ALPHV/BlackCat and LockBit can benefit organizations’ defensive strategies. Developing coordinated efforts—strengthening cyber resilience, refining incident reporting, and emphasizing sector-specific protections—will likely play a vital role in curtailing further attacks as cybercriminals adjust their efforts to bypass traditional defenses.
