Ransomware Payments Pass $4.5 Billion: What FinCEN’s Numbers Really Show

Ransomware payments reported to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) have now exceeded $4.5 billion, with 2023 standing out as the most expensive year on record at $1.1 billion in payouts across more than 1,500 incidents. Between 2022 and 2024 alone, organizations paid over $2.1 billion to ransomware groups, with Akira driving the highest number of reported incidents while ALPHV/BlackCat collected the largest overall haul, approaching $400 million in payments. Financial services, manufacturing, and healthcare remain the hardest-hit sectors, and most individual ransom payments stayed below $250,000, underscoring how a high volume of “mid-sized” attacks can cumulatively create massive systemic financial risk.

Dec 10, 2025 - 02:37

Ransomware has officially crossed another grim milestone. FinCEN’s latest Financial Trend Analysis shows that reported ransomware payments have surpassed $4.5 billion since 2013, with an unprecedented $1.1 billion paid in 2023 alone. Over just the 2022–2024 window, organizations sent more than $2.1 billion to ransomware operators, confirming that the ecosystem is not only persistent but still highly profitable.

Record-breaking 2023
FinCEN’s data highlights 2023 as the peak year for both ransomware volume and value. Organizations reported roughly 1,512 incidents and about $1.1 billion in payments, representing a jump of around 70–80% in total payouts compared to 2022. While incidents dipped slightly in 2024 and total payments fell to around $730 million, the three-year trend still reflects sustained, industrial-scale ransomware activity rather than a short-lived spike.

Who is getting hit
Three sectors stand out as the primary victims: financial services, manufacturing, and healthcare. Between 2022 and 2024, manufacturing logged the highest number of incidents (over 450), while financial services suffered the largest total payouts (about $366 million) and healthcare losses approached $305 million. This aligns with broader industry telemetry showing ransomware operators targeting organizations where downtime directly translates to financial loss or patient safety risk.

Akira vs. ALPHV/BlackCat
FinCEN’s analysis identified more than 200 distinct ransomware variants in recent years, but a small group dominates. Akira generated the highest number of reported incidents (around 376 between 2022 and 2024), while ALPHV/BlackCat extracted the most money, with total payments nearing $395–400 million. Other prominent families include LockBit, Phobos, and Black Basta, which together account for a significant share of the remaining $1.5 billion linked to the top ten variants.

Payment sizes and tactics
Most ransom payments remained under $250,000, but the median amount still climbed from around $124,000 in 2022 to roughly $175,000 in 2023 before easing to about $155,000 in 2024. Nearly all payments, close to 97%, were made in Bitcoin, and threat actors primarily relied on Tor-based portals and email to communicate with victims. On the laundering side, funds flowed through unhosted wallets and virtual asset service providers, complicating attribution and recovery efforts for law enforcement.

What defenders should do next
The FinCEN numbers reinforce that ransomware is now a long-term operational risk rather than an exceptional event. Organizations in exposed sectors should double down on basics: hardened backups, MFA everywhere, continuous patching of public-facing services, and regular tabletop exercises tied to legal, regulatory, and treasury reporting obligations. Resources such as CISA’s StopRansomware portal centralize current alerts, playbooks, and training material that can be directly folded into enterprise defense strategies.