Ransomware payments on track to smash $1.1 billion record

Median payments to some strains are now $1.5 million—a 650% increase from early 2023.

Blockchain research company Chainalysis found that ransomware inflows rose by approximately 2% over first half of 2024, from $449.1 million to $459.8 million. If the trend continues, 2024 could become the worst year on record for ransomware payouts, surpassing the $1.1 billion record set in 2023.

It isn’t just a few big ransoms inflating the number, either. Median payments from “very high severity strains” are up 650%—from $200,000 in early 2023 to $1.5 million in mid-June 2024, signaling a consistent increase in payouts across all attacks. Chainalysis defines very high severity strains as strains that “received a maximum payment exceeding $1M in a given year.”

At the same time that median payment amounts are up, however, Chainalysis found the total number of victims actually making payments is down. In other words, fewer people are paying overall, but when they do pay, they pay more than they used to.

Additionally, the fact that payment rates are down 27% YoY—combined with the fact that known ransomware attacks are up 10% YoY—suggests victims are better prepared for attacks than before, rendering it unnecessary to pay for a decryptor.

While it’s hard to tell for sure how the disruptions of ALPHV and Lockbit have affected overall ransomware payments, Chainalysis notes the highest severity ransomware strains have underperformed their 2023 YTD totals by 50.8%.

On the other hand, the company notes that “high severity strains” (those that received a maximum payment between $100K and $1M in a given year) increased their YTD activity by 104.8%—likely as a result of affiliates migrating from ALPHV and Lockbit to other strains such as PLAY.

The next half of 2024 promises another increase in payouts, since it will include the record-breaking $75 million ransom payment to the Dark Angels ransomware group we wrote about in our August ransomware review.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly, and disable or harden remote access such as RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.