The US Treasury Department's Financial Crimes Enforcement Network (FinCEN) released a comprehensive report analyzing ransomware activity and payments from January 2022 to December 2024. The report revealed that over this three-year period, organizations reported 4,194 ransomware incidents and paid more than $2.1 billion in ransoms, nearly matching the $2.4 billion paid over the previous nine years. Ransomware payments peaked in 2023 at approximately $1.1 billion, followed by a significant decline to $734 million in 2024, a drop attributed to major law enforcement actions against prominent ransomware groups such as ALPHV/BlackCat and LockBit. Despite the decrease in payments, the number of reported incidents only slightly declined, indicating that while attacks remain frequent, fewer victims are paying ransoms.
The report highlighted that the manufacturing, financial services, and healthcare sectors were the most targeted, with financial institutions suffering the largest monetary losses. The vast majority of ransom payments (about 97%) were made in Bitcoin, and most funds were laundered through unregulated cryptocurrency exchanges. The median ransom payment peaked at $174,000 in 2023 before dropping to $155,257 in 2024. The data underscores the evolving nature of the ransomware threat landscape and suggests that coordinated law enforcement efforts can have a measurable impact on the financial incentives driving ransomware operations.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
On December 8, 2025, multiple outlets reported the release of a U.S. Treasury Department FinCEN study summarizing ransomware payment trends, dominant variants such as ALPHV/BlackCat, Akira, LockBit, Phobos, and Black Basta, and the concentration of payments in Bitcoin.
FinCEN data shows reported ransomware payments dropped to about $734 million in 2024, down roughly 33% to 35% from 2023, while incident counts remained relatively steady at 1,476 versus 1,512 the year before. Manufacturing, financial services, and healthcare were the most targeted sectors.
U.S. and partner law enforcement actions against ALPHV/BlackCat and LockBit in 2023 and 2024 were cited as a major factor in reducing ransomware activity. Multiple reports say these takedowns contributed to lower incident and payment totals in 2024.
FinCEN data shows ransomware activity peaked in 2023 with about 1,512 incidents and roughly $1.1 billion in payments, the highest annual total in the reporting period. Median ransom payments were reported at about $174,000.
From January 2022 through December 2024, FinCEN recorded 4,194 reported ransomware incidents and more than $2.1 billion in payments. The report identified 267 unique ransomware variants during this period, with the top 10 accounting for about $1.5 billion.
FinCEN's report says it has tracked more than $4.5 billion in ransomware payments from 2013 through 2024, establishing 2013 as the start of the reporting period referenced in the study.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
fortra.com
Open sourcesecurityaffairs.com
Open sourcecyberscoop.com
Open sourcetherecord.media
Open sourcedarkreading.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.