FinCEN Reports Ransomware Peak in 2023, Sharp Payment Decline After BlackCat and LockBit Disruptions

Key Takeaways

  • FinCEN tracked 4,194 ransomware incidents from 2022–2024, with activity peaking in 2023.
  • Law enforcement actions against ALPHV/BlackCat and LockBit coincided with a major drop in ransom payments in 2024.
  • Financial services, healthcare, and manufacturing saw the highest dollar losses during the review period.

A new analysis from the Financial Crimes Enforcement Network lays out one of the clearest pictures yet of how U.S. organizations are experiencing ransomware, and how law enforcement pressure can reshape the threat landscape almost overnight. The report aggregates thousands of Bank Secrecy Act filings tied to ransomware activity between January 2022 and December 2024, a dataset large enough that it hints at macro‑trends rather than just isolated anomalies.

Across that three‑year span, FinCEN counted 4,194 ransomware incidents and more than $2.1 billion in ransom payments. That payment total nearly matches what was reported over the entire eight-year period from 2013 to 2021. Over the longer arc from 2013 through 2024, the agency tracked roughly $4.5 billion flowing to ransomware operators. It is a staggering figure, though perhaps not surprising to security teams who have watched the criminal ecosystem mature and professionalize.

What stands out most is the timing. According to the report, 2023 was the most profitable year on record for ransomware gangs, with victims reporting 1,512 incidents and about $1.1 billion in payments—up 77 percent from 2022. Then the curve bends. In 2024, incidents dipped only slightly to 1,476, yet payments dropped sharply to $734 million. Here is where it gets interesting: the falloff correlates directly with major law enforcement actions targeting ALPHV/BlackCat in late 2023 and LockBit in early 2024.

Both gangs were dominant players at the time of disruption, so it is plausible that their takedowns rippled across the broader ecosystem. FinCEN notes that these groups either struggled to relaunch their operations or splintered into new, less coordinated efforts. It is a small detail, but it underscores an old truth in cybercrime: remove a high‑performing operator and the market doesn’t instantly replace it.

FinCEN’s breakdown of impacts by industry also tells a nuanced story. Manufacturing led the list with 456 incidents, followed by financial services at 432, healthcare at 389, retail at 337, and legal services at 334. Yet the industries that suffered the biggest financial losses do not map exactly to the incident count. Financial services organizations reported the highest dollar losses—about $365.6 million. Healthcare followed at roughly $305.4 million, then manufacturing at about $284.6 million, science and technology at around $186.7 million, and retail at approximately $181.3 million.

The mismatch between incident volume and total payments raises a question for business leaders: are some industries simply paying higher ransoms, or are attackers adjusting demands based on perceived operational pressure? The report avoids speculation, but the pattern suggests that sectors where downtime translates directly into immediate financial damage, regulatory exposure, or risk to human life are paying the most. Healthcare and financial services fall squarely into that category.

While most ransom payments remained below $250,000, the totals ballooned because a handful of high‑earning ransomware families hit dozens or even hundreds of organizations. FinCEN identified 267 distinct families during the review period, but only a small cluster was responsible for the majority of reported attacks. Akira appeared most frequently in filings, with 376 incidents. ALPHV/BlackCat earned the most—about $395 million—followed by LockBit with roughly $252.4 million in payments. Others in the top tier included Black Basta, Royal, BianLian, Hive, Medusa, and Phobos. Collectively, the ten most active operations accounted for $1.5 billion between 2022 and 2024.

A brief aside: it is easy to forget how fluid these “brands” are. Gangs routinely rebrand, merge, fracture, and relaunch under new names. So while FinCEN’s numbers are precise, the organizational boundaries behind them remain blurry, making attribution difficult for victim organizations trying to understand their attacker.

On the payment side, Bitcoin still dominates. FinCEN reports that 97 percent of tracked payments were made via Bitcoin, with a very small volume in Monero, Ether, Litecoin, and Tether. That aligns with other public reporting, including the Treasury’s earlier ransomware risk assessments, which routinely highlight Bitcoin as the currency of choice for extortion operations. Even so, defenders shouldn't assume that mix is static; privacy‑focused coins continue to attract interest within criminal circles.

The report also reinforces the operational utility of mandatory reporting. FinCEN encourages organizations to continue notifying the FBI about attacks and reporting ransom payments—a step some companies still skip during crisis response. The value of these filings is more than bureaucratic; aggregated data supports the same kinds of coordinated takedowns that curtailed ALPHV/BlackCat and LockBit. Law enforcement has become increasingly aggressive in this area, which is evident in actions like the international operation against LockBit documented by Europol.

For B2B leaders, the practical takeaway is that threat volume remains high even when payments fall. Attackers didn’t back off in 2024—they just earned less from their efforts. That distinction matters for budgeting, insurance renewals, and incident readiness planning. It also suggests that pressure on the ransomware ecosystem can work, at least temporarily, when enforcement agencies coordinate and focus on the right targets.

Still, the report’s 267 identified ransomware families underline the scale of the challenge. Disrupt one group and several others wait in the wings. The drop in payments is encouraging, but not a signal that the threat is easing. Rather, it is a reminder that enforcement remains one of the few levers capable of altering attacker behavior, even if only for a time.

Organizations studying the findings will likely see something familiar: a threat landscape that shifts around the edges but hasn’t fundamentally changed. The operations evolve, the pressure points change, the names rotate. Yet the core dynamic remains—ransomware continues to be a highly profitable, highly resilient business for those running it.