The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has released updated ransomware statistics based on thousands of suspicious activity reports filed under the Bank Secrecy Act. The data confirms that ransomware remains one of the most lucrative forms of cybercrime, with victims paying more than $4.5 billion to extortion groups between 2013 and 2024.
FinCEN ransomware statistics: scale of payments and incident volume
From January 2022 through December 2024, FinCEN identified 4,194 ransomware-related incidents. Over this three‑year period, organizations transferred in excess of $2.1 billion in ransom payments to threat actors. These figures are derived from mandatory reports submitted by banks and other financial institutions when they detect transactions potentially tied to money laundering or cyber extortion.
Ransomware trends 2022–2024: record 2023, then a sharp decline in 2024
The peak year for ransomware revenue was 2023. FinCEN recorded 1,512 attacks, with ransoms totaling approximately $1.1 billion, a 77% increase compared with 2022. In 2024, however, the picture changed: incident volume dipped slightly to 1,476 cases, while total payments fell by almost half to around $734 million.
This decline in paid ransoms does not indicate that the ransomware threat is disappearing. Instead, it reflects a shift in power dynamics within the ransomware ecosystem, stronger disruption by law enforcement, growing regulatory pressure, and a gradual increase in cyber maturity and incident readiness among targeted organizations.
Law enforcement pressure on major ransomware operations
Analysts closely link the change in FinCEN’s ransomware statistics to high‑profile international operations against leading ransomware‑as‑a‑service (RaaS) groups. In late 2023, law enforcement disrupted the infrastructure of ALPHV/BlackCat, while in early 2024 a coordinated operation targeted LockBit, another dominant RaaS syndicate.
These groups had served as platforms for dozens of affiliate crews, providing ready‑made ransomware tools, payment portals, and negotiation infrastructure in exchange for a percentage of each ransom. Following the takedowns, some affiliates attempted to rebrand or migrate to competing RaaS programs. Nonetheless, the operations demonstrated the technical, legal, and diplomatic capabilities of international cyber coalitions—reducing trust within the criminal ecosystem and influencing both attack volumes and victims’ willingness to pay.
Ransomware attack targets: sectors bearing the highest risk
FinCEN’s data shows that most individual ransom amounts remained below $250,000. This underlines that ransomware is not limited to global enterprises; mid‑sized organizations are frequent victims, for whom even a six‑figure payment can be existential.
By number of attacks, the hardest‑hit sectors were manufacturing (456 incidents), financial services (432), healthcare (389), retail (337), and legal services (334). These industries depend heavily on operational continuity and sensitive data, making them especially vulnerable to extortion based on downtime, data theft, or both.
When measured by total ransom volume, the financial sector leads with roughly $365.6 million in payments, followed by healthcare (about $305.4 million), manufacturing (around $284.6 million), science and technology (approximately $186.7 million), and retail (nearly $181.3 million). For finance and healthcare, these losses are amplified by regulatory penalties, litigation risk, and long‑term reputational damage.
Key ransomware groups and the ransomware-as-a-service economy
FinCEN references 267 distinct ransomware families, but the majority of incidents and revenue are linked to a relatively small number of dominant brands. By incident count, Akira is the most frequently cited family, associated with 376 attacks.
In terms of revenue, ALPHV/BlackCat tops the list with an estimated $395 million in ransom inflows, followed by LockBit with roughly $252.4 million. Other high‑impact groups include Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. Collectively, the 10 largest ransomware groups extracted around $1.5 billion from victims between 2022 and 2024.
This concentration of income is characteristic of the ransomware‑as‑a‑service model, where core operators develop and maintain the malware and infrastructure, while affiliates conduct the intrusions. RaaS significantly lowers the barrier to entry for cybercriminals, enabling even relatively unsophisticated actors to run profitable extortion campaigns.
Bitcoin and cryptocurrency laundering in ransomware operations
According to FinCEN, approximately 97% of observed ransomware payments were made in Bitcoin. Other cryptocurrencies such as Monero, Ether, Litecoin, and Tether appear much less frequently. Bitcoin remains the primary choice due to its liquidity, exchange support, and established tooling for cross‑border transfers.
At the same time, tighter regulation of cryptocurrency exchanges, widespread Know Your Customer (KYC) and Anti‑Money Laundering (AML) controls, and advances in blockchain analytics are making it harder for threat actors to launder funds. FinCEN’s reporting framework enables authorities to correlate wallet addresses, track payment flows, and impose sanctions against infrastructure linked to specific ransomware groups.
How organizations can reduce ransomware risk
The FinCEN findings underscore that no sector and no company size is immune from ransomware. Effective risk reduction requires a layered approach that combines technical, procedural, and human‑centric controls. Core measures include regularly tested offline backups, strong network segmentation, enforced multi‑factor authentication, rapid patch management, and deployment of modern detection and response tools such as EDR/XDR.
Equally important are security awareness training focused on phishing and social engineering, clearly defined incident response playbooks, and regular tabletop exercises involving IT, legal, compliance, and executive leadership. Early engagement with law enforcement and regulators, as well as continuous monitoring of emerging ransomware groups and tactics, significantly increases resilience and narrows the attackers’ room for maneuver.
The trajectory reflected in FinCEN’s ransomware statistics is a warning and an opportunity: while law enforcement pressure and improved defenses can drive down payments, threat actors will continue to adapt. Organizations that treat ransomware as a core business risk—investing in cyber resilience, crisis readiness, and transparent cooperation with authorities—are far better positioned to withstand extortion attempts without being forced to choose between prolonged disruption and paying criminal demands.