According to a recent report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), U.S. companies made ransomware payments totaling over $2 billion from 2022 through 2024. This marks a significant spike, nearly matching the total ransoms paid in the nine years leading up to this period.
The report analyzed threat patterns based on data collected from Bank Secrecy Act (BSA) filings. Between January 1, 2022, and December 31, 2024, FinCEN received 7,395 BSA reports concerning 4,194 ransomware incidents, with payments exceeding $2.1 billion. For context, the prior nine-year period, from 2013 to 2021, saw 3,075 BSA reports and around $2.4 billion in payments.
Understanding the Data Collection Limitations
It’s important to note the inherent limitations of FinCEN’s data: because it relies on BSA filings, the actual volume of ransomware incidents is likely understated. Reports indicate that the 4,194 incidents recorded by FinCEN represent less than 40% of the nearly 11,000 ransomware attacks identified by Cyble’s threat intelligence during the same timeframe.
Ransomware Trends: Impact of Enforcement Actions
The year 2023 witnessed a record-high number of ransomware reports, with 1,512 incidents that totaled approximately $1.1 billion in payments—a 77% increase from the previous year. Although reports from 2024 showed a slight decline, with 1,476 incidents and about $734 million paid, this drop was largely attributed to law enforcement efforts that disrupted notable ransomware groups, including ALPHV/BlackCat and LockBit.
However, LockBit has begun to resurface, claiming 21 new victims in just the first month of 2024. During the reporting period, FinCEN identified 267 different ransomware variants, with Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta being the most prevalent. Notably, the Qilin group has quickly emerged as a top contender in 2025, suggesting that FinCEN’s upcoming BSA data will reflect this evolving landscape.
Despite the downward trend in total payments, the figures for 2024 still represent the third-highest annual total since these reports began in 2013. The median payment for ransomware incidents reflected a rise from $124,097 in 2022 to $175,000 in 2023, settling at $155,257 in 2024. Throughout this period, ransom amounts predominantly fell below $250,000.
Industries Under Siege: Financial Services, Manufacturing, and Healthcare
Measured by number of attacks and total ransom payments, the financial services, manufacturing, and healthcare sectors emerged as the most frequently targeted industries during the specified timeframe. From January 2022 through December 2024, manufacturers faced 456 incidents, financial services had 432 incidents, and healthcare experienced 389 incidents. Other significantly impacted sectors included retail, with 337 incidents, and legal services, with about 334 incidents.
In terms of total ransom payments, financial services again led the pack, with around $365.6 million paid, followed by healthcare at approximately $305.4 million, and manufacturing, accounting for about $284.6 million. The science and tech sectors, alongside retail, also contributed notably to ransom payments over the three years.
Communication Methods and Payment Trends
Regarding how these ransomware groups communicated with their victims, The Onion Router (TOR) was the preferred medium. A communication method was indicated in approximately 42% of BSA filings. Among these reports, 67% revealed that TOR was utilized, while email was cited by 28% as a method of communication.
When it comes to payment methods, Bitcoin (BTC) dominated the landscape, representing 97% of all reported ransom payments, with Monero (XMR) appearing in just 2% of BSA reports involving ransomware. Additionally, FinCEN outlined several common money laundering strategies employed by these criminals, highlighting the use of unhosted convertible virtual currency (CVC) wallets and exploitation of CVC exchanges.
Ransomware groups often collaborated with malicious cyber facilitators, such as shared initial access vendors, enhancing their capacity to execute a wide array of cybercrimes.


