U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN).
The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments.
In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said.
FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.
ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments
Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million.
FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month.
Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change.
Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013.
The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.
Financial Services, Manufacturing and Healthcare Most Targeted Sectors
Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period.
Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents).
Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million).
The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims.
Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware.
FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said.
Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.
