Despite Catastrophic Hacks, Ransomware Payments Dropped Dramatically Last Year

For much of the past year, the trail of destruction and mayhem left behind by ransomware hackers was on full display. Digital extortion gangs paralyzed hundreds of US pharmacies and clinics through their attack on Change Healthcare, exploited security vulnerabilities in the customer accounts of cloud provider Snowflake to breach a string of high-profile targets, and extracted a record $75 million from a single victim.

Yet beneath those headlines, the numbers tell a surprising story: Ransomware payments actually fell overall in 2024—and in the second half of the year dropped more precipitously than in any six-month period on record.

Cryptocurrency tracing firm Chainalysis today released a portion of its annual crime report focused on tracking the ransomware industry, which found that ransomware victims’ extortion payments totaled $814 million in 2024, a drop of 35 percent compared to the record $1.25 billion that hackers extracted from ransomware victims the previous year. Breaking down the payments over the course of 2024 shows an even more positive trend: Hackers collected just $321 million from July through December compared to $492 million the previous half year, the biggest falloff in payments between two six-month periods that Chainalysis has ever seen.

“The drastic reversal of the trends we were seeing in the first half of the year to the second was quite surprising,” says Jackie Burns Koven, who leads cyber threat intelligence at Chainalysis. She suggests that dropoff is likely due to law enforcement takedowns and disruptions, some of which had delayed effects that weren’t immediately apparent in the first half of the year as ransomware victims and the cybersecurity industry grappled with catastrophic attacks.

“Don’t get me wrong: For everyone who’s a defender or an incident responder, it’s been a year,” Burns Koven says. “But it is noteworthy that for the major attacks that occurred last year, those groups don’t exist anymore or have been laying low. There’s been a strong signal from law enforcement that if you cross the line, there’s going to be consequences.”

US and UK law enforcement scored two significant disruptions of major ransomware groups around the beginning of 2024: Six days before Christmas of 2023, the FBI announced that it had found vulnerabilities in the encryption software used by the group known as BlackCat or AlphV, distributed decryption keys to victims to foil the group’s extortion tactics, and taken down the dark-web sites the group had used to issue its threats. Two months later, in February of 2024, the UK’s National Crime Agency carried out an operation against the notorious ransomware group Lockbit, hijacking its infrastructure, seizing its cryptocurrency wallets, taking down its dark-web sites, and even obtaining information about its members and cybercriminal partners.

Initially, however, both groups seemed to bounce back from those busts. AlphV in February announced that it had hacked Change Healthcare, disabling payments at hundreds of US clinics and pharmacies and extracting $22 million from the United Healthcare–owned company in one of the worst health-care-related ransomware incidents in history. Lockbit, too, seemed to shake off the NCA’s blows, immediately launching a new dark-web site where it continued to extort victims old and new.

But in fact, both law enforcement operations may have been more successful than they appeared. AlphV, after receiving its $22 million ransom from Change Healthcare, pulled a so-called “exit scam,” taking the money and disappearing rather than sharing it with the hacker partners who had carried out the Change breach. Lockbit, too, largely fell off the map in the months that followed the NCA’s takedown, due perhaps to the cybercriminal underground’s distrust of the group and its alleged leader, Dmitry Khoroshev, when it became clear the NCA had identified him. In May of 2024, Khoroshev was also sanctioned by the US Treasury, making it far more legally complicated for Lockbit victims to pay a ransom to the group.

While the vacuum left behind by those major players in the ransomware ecosystem was filled by newer groups during the second half of 2024, many of them didn’t have the skills or experience to go after targets as big and as well defended as Lockbit and AlphV had, says Burns Koven. The result, she says, was far smaller ransom payments, often in the tens of thousands of dollars rather than the millions or tens of millions.

“Their talent is not quite as robust as their predecessors,” Burns Koven says of the newer generation of ransomware gangs. “We’re seeing the hangover of these law enforcement takedowns, not just directly targeting individuals and strains of malware but also the infrastructure and tools and services that had been used to help perpetuate these attacks.”

Last year actually saw more ransomware incidents than the previous year, says Allan Liska, a threat intelligence analyst focused on ransomware at the security firm Recorded Future. The firm counted 4,634 attacks in 2024 versus 4,400 in 2023. But the lower ransom amounts received by those newer ransomware groups suggest they may have been favoring quantity over quality, he says. “What we’re seeing in terms of payments is a reflection of newer threat actors being attracted by the amount of money that they see you can make in ransomware, trying to get into the game and not being very good at it,” Liska says.

In addition to major law enforcement actions at the beginning of 2024, Chainalysis attributes the decline in payments during the second half of the year to heightened global awareness about the threat of ransomware, leading to more mature defenses and response plans within governments and other institutions. And Burns Koven adds that cryptocurrency regulation and law enforcement crackdowns on money laundering infrastructure, including mixers that help criminals anonymize and obfuscate the source of their ill-gotten cryptocurrencies, have also eroded ransomware actors’ abilities to handle payments without specialized knowledge.

While the decline in payments during the second half of 2024 is significant for being the largest ever in Chainalysis’s data, the number of ransomware attacks and the volume of payments have fluctuated and declined before. Notably, researchers saw a marked decrease in activity in 2022, a year in which Chainalysis placed total ransomware payments at $655 million compared to $1.07 billion in 2021 and nearly $1 billion in 2020. But while governments and defenders were initially heartened that their deterrence efforts were working, ransomware surged back as an even more dire threat in 2023, totaling, by Chainalysis’s count, $1.25 billion in payments that year.

“I think ebbs and flows are inevitable,” says Brett Callow, a managing director at FTI Consulting and longtime ransomware researcher. “If the baddies had a couple of brilliant quarters, a dip will follow, same as if the goodies had some good quarters. That’s why we really need to analyze trends over a longer period, because increases and decreases over shorter periods don’t really tell us much.”

Additionally, researchers have long warned that it is difficult to get truly reliable numbers about the volume of ransomware attacks and an accurate total of payments each year. This is partly the result of attackers attempting to inflate their records and make themselves seem more effective and menacing by claiming old data breaches as new attacks or simply making up attacks that they haven’t actually carried out. And it is always difficult to get accurate numbers about ransomware (not to mention digital scams more broadly), because stigma and regulatory requirements often keep victims from coming forward. This makes ransomware forecasting more of an art than a science.

“My vibe from the second half of 2024 is that if there was a decrease, there will also be a rebound,” Callow says.

Chainalysis researchers are clear that the 2024 payment decline is not a guarantee of future reductions in ransomware attacks. But Burns Koven emphasizes that for defenders who are in the trenches on incident response, the data point is useful for making the case that sustained investment in ransomware defense is worthwhile.

“We’re still standing in the rubble, right? We can’t go tell everyone, everything’s great, we solved ransomware—they’re continuing to go after schools, after hospitals and critical infrastructure,” says Burns Koven. But, she adds, “I don’t think anybody’s necessarily celebrating. I think it’s a signal of what work needs to be continued.”
