Security News
Sarah Gooding
February 14, 2025
The fight against ransomware reached new heights in 2024, but for cybercriminals, profits are shrinking. With ransom payment rates hitting an all-time low, many ransomware actors are cashing out less than ever before, as global law enforcement agencies executed high-profile arrests, takedowns, and sanctions targeting major cybercriminal groups. Coveware’s latest Q4 ransomware report highlights how these efforts, combined with evolving enterprise security strategies, are reshaping the cybercrime landscape.
Authorities intensified their fight against ransomware in Q4 2024, leading to major arrests and infrastructure seizures. In October, four members of the LockBit gang were arrested following U.S. sanctions, and Dutch authorities dismantled the Redline and Meta Infostealer platforms. November saw the extradition of Phobos ransomware affiliate Evgenii Ptitsyn, the takedown of the cybercriminal Wazawaka, and the arrest of a Snowflake data breach suspect. December continued the crackdown with the sentencing of a Netwalker ransomware operator to 20 years in prison and the arrest of a Scattered Spider affiliate in the U.S.
These actions are part of a global effort to disrupt cybercrime, one that is gaining momentum and making ransomware operations riskier and less lucrative. As ransomware tactics evolve, sustained international cooperation remains critical in countering these threats.
Despite the ongoing ransomware threat, Coveware’s data indicates a fundamental shift in ransom payments. The average ransom payment in Q4 2024 rose to $553,959 (+16% from Q3), but the median payment dropped significantly to $110,890 (-45%). More organizations are refusing to pay ransoms, pushing the overall ransom payment rate to an all-time low of 25%. This trend suggests improved cybersecurity defenses and increased regulatory guidance discouraging payments, weakening the financial incentives for attackers.
Cyber extortion demands skyrocketed in 2023, but recent reports from cybersecurity firms reinforce the decline in ransom payment rates observed in 2024. According to Chainalysis, ransomware payments decreased by 35% year-over-year, totaling approximately $813.55 million in 2024, down from $1.25 billion in 2023. This decline is attributed to intensified law enforcement actions and a growing refusal by victims to pay ransoms.
These findings align with Coveware's data, indicating a broader shift in the ransomware landscape, where enhanced defenses and strategic law enforcement interventions are reducing the effectiveness and profitability of ransomware attacks.
Below is a breakdown of the most active ransomware groups in Q4 2024, showing their market share and ranking changes:
For the sixth consecutive quarter, Akira remained the most common ransomware variant, now tied with Fog, a rapidly emerging strain. These two groups have avoided high-profile attacks on critical infrastructure, allowing them to operate with less scrutiny. Other notable variants in Q4 2024 include RansomHub, Lone Wolf, Medusa, and Black Basta, indicating a shift towards independent actors rather than large Ransomware-as-a-Service (RaaS) groups.
Cybercriminals continue to refine their attack strategies, leveraging AI, social engineering, and zero-day vulnerabilities. The most common ransomware tactics in Q4 2024 included:
Organizations must remain vigilant, adopting phishing-resistant MFA, robust patching protocols, and enhanced monitoring to counter these tactics.
Mid-sized companies remain the primary targets of ransomware attacks, likely due to their valuable data and relatively weaker security compared to large enterprises:
These figures emphasize the importance of cybersecurity investments for mid-sized businesses, which often lack the extensive security infrastructure of larger corporations.
Ransomware attacks in Q4 2024 continued to target industries such as healthcare, finance, manufacturing, and education, where data is critical and downtime is costly, making them prime targets for extortion.
Debates around cyber insurance policies covering ransomware payments are also gaining traction. Some policymakers and security experts are calling for bans on insurance claims for ransomware payments, arguing that such policies may incentivize attacks by ensuring cybercriminals still get paid. This shift in thinking could further weaken the profitability of ransomware operations and push businesses toward stronger preventative measures.
The continued pressure from law enforcement, combined with shifting payment trends, is making ransomware a less viable enterprise. The UK’s proposal to ban ransom payments in the public sector, coupled with ongoing multi-jurisdictional crackdowns, signals a strong global stance against cyber extortion.
However, maintaining momentum in the fight against ransomware requires stable funding and experienced personnel within law enforcement agencies. High turnover in critical investigative units like the FBI’s cyber division could slow ongoing efforts, underscoring the need for consistent policy support and resources.
As 2025 unfolds, organizations must remain proactive in strengthening their defenses, while governments and law enforcement continue to disrupt cybercriminal operations. By reducing ransom payments, dismantling cybercrime networks, and imposing real consequences on attackers, the security industry can collectively make ransomware a far less lucrative—and far riskier—criminal enterprise.