New government cybercrime data offers a window into just how lucrative ransomware has become for threat actors.
The US Treasury's Financial Crimes Enforcement Network (FinCEN) issued a report on Dec. 4 dedicated to ransom payments tracked as part of the Bank Secrecy Act of 1970 (BSA). Although the act was originally established to enforce financial institutions to assist the federal government in detecting and preventing money laundering, ransomware payments are generally laundered after acquisition, making such attacks covered under the law.
The report primarily consists of data gathered from attacks that occurred between Jan. 1, 2022, and Dec. 31, 2024, that were then reported under the BSA. In total, the Treasury received 7,395 BSA reports relating to 4,194 ransomware incidents totaling more than $2.1 billion in payments to cybercriminals
The report is by no means exhaustive — it represents only the attacks that were reported by (primarily financial) institutions covered under the US BSA law, and far more than 4,200 ransomware attacks occurred in a three-year period. However, the data paints a picture of how ransomware attacks have changed over time, and particularly how dramatically they have increased.
Ransomware Attacks Spike
In addition to the $2.1 billion reported between 2022 and 2024, FinCEN also referenced the nine years before it. Between 2013 and the end of 2021, FinCEN received 3,075 BSA reports under half of the more recent dataset) totaling approximately $2.4 billion in ransomware payments. In total, BSA-covered orgs have reported $4.5 billion in ransomware payments they caught wind of (or perhaps participated in) in the past 14 years.
Related:Threat Landscape Grows Increasingly Dangerous for Manufacturers
That means the past three years matched the nine before it, with 2023 marking the height; payments totaled $1.1 billion that year, representing a 77% increase over 2022.
Max Rogers, senior director of security operations center at Huntress, tells Dark Reading that anecdotally, some of the most notorious groups of recent years, such as LockBit, were operating at their highest tempo in 2023. Law enforcement launched a disruptive takedown against LockBit in 2024.
"Since that disruption, we've seen a splintering of the RaaS [ransomware-as-a-service] ecosystem. The groups that remain seem to be taking lessons learned from earlier years to gain further efficiencies, but 2023 likely stands out because the biggest players were active, undistracted, and operating at a scale we hadn't seen in years leading up," Rogers says.
... continue reading