
Did you know that payments to ransomware operatives and cyber attackers fell by a whopping 35% in 2024? That is a decline from $1.25bn in 2023 to $813.55m. While this is welcome news for the cybersecurity community, it is important to understand the factors surrounding this decline. Are ransomware payments likely to rise again, or is the decline the result of improved cybersecurity practices? Have cyber criminals become sloppy, or is there an unknown factor at play? This will be interesting to find out.
The Lucrative Cyber-Attack Called Ransomware
One of the most popular cyberattacks in our world today is the ransomware attack. It is similar to taking a person hostage and demanding a ransom for their release. Ransomware attackers launch cyberattacks on victims with the sole purpose of encrypting, or “locking”, their digital information. A ransom must be paid for a recovery key to decrypt, or “unlock”, the captured information.
In recent years, cyber criminals have made it easy for anyone, yes anyone, to launch a ransomware attack. Some cyber criminals operate a Ransomware as a Service (RaaS) business on the dark web: they provide access to malicious software to anyone who wants it and, in exchange, receive a percentage of the total ransom paid by victims. The return on investment is high for both the RaaS provider and the affiliates who use their services, hence the widespread ransomware attacks.
For victims of ransomware attacks, things do not always go smoothly. Upon payment of the ransom, usually in bitcoin, some cyber criminals do not fulfill their end of the bargain: they may or may not release the recovery key, making the whole ordeal quite unnerving. Many victims enlist the help of specialist third parties to assist with payment negotiations and retrieval of the recovery key because they are unfamiliar with the process. Some high-profile cases have required law enforcement agencies to step in. This ultimately leads to the first major factor contributing to the decline in ransomware payments.
Efficient Law Enforcement Efforts
In February 2024, international law enforcement agencies, including the U.S. Federal Bureau of Investigation (FBI), the UK National Crime Agency (NCA) and agencies from other countries, dismantled the operations of the LockBit RaaS group and arrested key personnel behind it. LockBit rose to prominence after the disbandment of the Conti RaaS group by the FBI in 2022. In the same year, LockBit’s malware accounted for 42% of global ransomware attacks according to Intel 471 and 35% according to Digital Shadows. Other high-profile RaaS groups such as Akira, Black Basta and Play operate on the dark web, but the void LockBit left has not been filled.
The Cost-Benefit Analysis
The second biggest factor contributing to the decline in ransomware payments is the unwillingness of victims to pay. Many organizations are no longer willing to pay huge sums of money to recover captured data. They only do so if it is in their interest or as a last resort.
For example, in the ransomware attack on Colonial Pipeline, where the equivalent of $4.4 million was demanded and paid in bitcoin, paying was the best course of action. The company made $1.3 billion in revenue the previous year, so the ransom demand could not hurt its bottom line. Worse, it would have lost a lot more money had the attack continued. Similarly, Shook Lin & Bok, a law firm in Singapore, paid $1.4m in bitcoin to attackers. Had the ransom not been paid, corporate information and confidential client files would have been leaked online, damaging its reputation.
While these are high-profile cases, it is noteworthy that ransom payments have fallen to the range of $150,000 to $250,000 regardless of the initial ransom demanded. In fact, fewer than half of recorded incidents resulted in victim payments. Many organisations seriously consider the value of what they stand to lose before paying a ransom. Little or no payment is made if they have functional backups or can find an alternative means of obtaining a key to “unlock” their captured data (the decryption keys for some ransomware strains are already known).
De-normalization
Beyond increased security defenses and awareness, there is a greater resolve in the cyber industry to end the vicious cycle of ransom demand and payment. There is an ongoing conversation weighing the ethics of paying a ransom against the short-term loss of data. In addition to the financial loss, organizations now must weigh the morality of paying a ransom. Does it encourage more attacks? Where does the ransom payment end up? Is it fueling a terrorist attack or a regional conflict?
Luckily, organizations are not alone in this. The UK government has opened a consultation on countering ransomware attacks and prohibiting ransomware payments by public sector bodies and Critical National Infrastructure. The aim is to reduce the amount of money flowing from the UK to ransomware groups, increase intelligence on ransomware payments and enhance the government’s international collaboration and intervention.
The future is looking bright (A little)
Though payments have declined, attackers are relentless and the threat is real. In the first quarter of 2025, ransomware attacks increased by 135%. Additionally, attackers are resorting to psychological extortion to coerce victims into paying. If a ransom is not paid, they may leak personal information about executives onto the internet.
While attackers may be changing tactics, and some organizations may still be susceptible to ransomware attacks, there is a glimmer of hope. With a combination of covert operations by international law enforcement agencies, increased resolve within the cybersecurity industry and efforts by governments to prohibit ransomware payments, the threat landscape will change accordingly.