Table of Contents
While ransomware attacks have hit an all-time high, victim payments have dropped significantly.
Last year, the total volume of ransom payments decreased year-over-year (YoY) by approximately 35%, according to a report published in February 2025 by Chainalysis. In addition, less than half of recorded incidents resulted in payments.
The big question is: what’s driving this shift, and what can businesses learn from it?
The Surging Volume of Ransomware Attacks in 2024
Ransomware attacks are at record highs. The fourth quarter of 2024 saw the highest spike in attacks that we have observed on record, according to CyberMaxx’s Q4 2024 Ransomware Research Report.
However, as attack frequency has increased, it appears that victims are becoming less willing to pay.
A Historic Year for Ransomware
There were 4,831 ransomware attacks in 2024, which is the highest number ever recorded in a single year. There were 2,358 attacks in Q4 alone—a 137% increase from Q3.
Cybercriminals are exploiting vulnerabilities such as CVE-2024-0012 (Palo Alto PAN-OS RCE) and CVE-2024-9474 (Privilege Escalation) to launch attacks.
Key Trends Driving the Increase
The mainstream adoption of cloud is a major factor driving this increase: there was a 39% rise in cloud-targeted attacks in 2024 compared to 2023.
Holidays are also prime targets for cybercriminals. With many businesses reducing security staff as employees take vacations, attackers find more opportunities to strike. For example, December 24th experienced a significant spike in cybercrime activity.
The increased accessibility of sophisticated hacking tools has also likely contributed to the rise in the number of threat groups: 66 active ransomware groups were recorded in Q4 ransomware trends 2024, the highest on record.
Why Are Fewer Victims Paying Ransom?
While cybercriminals are launching more attacks, their business model is struggling due to stronger cyber extortion defense and changing industry responses.
In addition, governments across the globe are tightening their regulations and compliance frameworks to address this growing threat and hold organizations accountable. As a part of this, there is mounting pressure on government agencies to enforce these regulations to reduce the financial incentives for ransomware gangs.
Improved Cybersecurity Measures
To improve ransomware attack prevention, many businesses are implementing more robust backup strategies to reduce the leverage of ransomware gangs. This often involves storing data across multiple locations and implementing additional backup servers for added security.
The rise in cyberattacks has also led to insurers tightening their policies. Many insurers now require clients to prove they can recover without paying ransoms.
The widespread use of zero-trust architecture also helps to limit the spread of ransomware between networks.
Law Enforcement and Disruptions to Ransomware Groups
The increased crackdowns on ransomware gangs have also likely contributed to the decline in ransomware payments. In February last year, a coordinated international operation helped to take down LockBit, a leading ransomware gang.
Lockbit was the most active ransomware group in Q1 2024, and it made up 30% of the total volume for the quarter.
Across the globe, governments are increasingly collaborating on sanctions and cybersecurity regulations to cut off ransomware actors’ financial access. Law enforcement has also seized dark web leak sites, which has disrupted cybercriminal operations.
In January, the US Department of Justice announced it had disrupted the infrastructure of the online cybercrime marketplaces known as Cracked and Nulled. These were key marketplaces for selling stolen data and malware. Combined, they have over 10 million users worldwide.
Shifting Attitudes Toward Ransomware Payments
These shifting attitudes by governments and high-profile companies refusing to pay ransoms have set a precedent. They may have encouraged other organizations to prioritize resilience and recovery rather than compliance with cybercriminals.
Public and regulatory pressure has also likely contributed to the decline in ransomware payments by discouraging people from complying with attackers’ demands. For instance, ministers in the UK are currently considering a ban on all UK public bodies making ransomware payments.
Meanwhile, data recovery capabilities have improved, which means businesses can often restore their operations without having to pay attackers.
The Ransomware Paradox: More Attacks, Fewer Payouts
Despite rising attack numbers, cybercriminals are finding it harder to monetize their efforts. This shift creates new challenges for businesses while also opening up potential opportunities.
Cybercriminals Are Adapting
Some ransomware groups are turning to data extortion models, threatening to leak stolen data instead of encrypting files.
Leaked data can lead to severe breaches of privacy, identity theft, and loss of customer trust. It can lead to long-term reputational damage, as well as severe legal and regulatory consequences.
Meanwhile, other groups are targeting critical infrastructure, where the stakes for downtime are often higher.
What Businesses Must Do Next
To protect against ransomware gangs, businesses must double down on ransomware resilience and improve their cyber extortion defense.
This process involves making regular backups, using immutable storage to protect data by preventing any changes to it and carrying out regular tabletop exercises to help groups understand how they would respond to an emergency.
Businesses should also invest in proactive security measures, including endpoint detection and response (EDR), zero-trust networks, and 24/7 security monitoring.
Finally, businesses can improve their ransomware attack prevention strategies by continuously monitoring emerging ransomware tactics. They should focus especially on key areas such as cloud security and identity-based threats.
Businesses Must Remain Vigilant Against Ransomware Groups
The decline in ransomware payments is a positive sign, as it proves that strong security measures, law enforcement efforts, and shifting corporate policies are working.
However, the number of ransomware attacks is still on the rise, and businesses can’t afford complacency.
Proactive security strategies, robust recovery plans, and expert cybersecurity partnerships, like those offered by CyberMaxx, are crucial for staying ahead of evolving threats.