What changes have been made in hacker ransomware in 2024? What are some cases worth paying attention to

Source: Chainalysis; Translated by: Deng Tong, Golden Finance

In 2024, the ransomware landscape has undergone significant changes, and cryptocurrencies continue to play a central role in ransomware. However, the total ransom amount fell by about 35% year-on-year due to increased enforcement actions, improved international cooperation and an increasing number of victims’ refusal to pay.

In response, many attackers have changed their strategies, with new ransomware strains emerging from renamed, leaked or purchased code, reflecting a more adaptable and agile threat environment. Ransomware operations also get faster, and negotiations usually begin within hours of data breaches. Attackers include nation-state actors, ransomware as a service (RaaS) operations, individual operators, and data theft ransomware groups, such as those who ransom and steal data from cloud service provider Snowflake.

In this chapter, we will explore these developments and their implications, including a variety of case studies—LockBit, Iranian ransomware strains, Akira/Fog and INC/Lynx—to reflect the trend this year.

Ransomware activity changes mid-year

In 2024, ransomware attackers received about $813.55 million in payments from victims, down 35% from a record $1.25 billion in 2023, the first time since 2022.

As we noted in the mid-year crime update, ransomware attackers ransomware attackers have reached $459.8 million between January and June 2024, about 2.38% higher than the amount of ransomware in the same period in 2023. There were also several unusually large payments in the first half of 2024, such as a record $75 million payment to Dark Angels.

Although the total in 2024 saw a slight half-increase (HoH), we expect to exceed the total in 2023 by the end of the year. Fortunately, payment activity slowed by about 34.9% after July 2024. This slowdown is similar to the decline in half of ransom payments since 2021 and the overall decline in certain types of crypto-related crimes such as stolen funds in the second half of 2024. It is worth noting that the decline this year is more obvious than in the past three years.

A closer look at the top 10 ransomware strains in the first half of the year will give you an in-depth look at the groups driving these HoH trends. As shown in the figure below, since March 2023, Akira has launched attacks on more than 250 entities, making it the only one among the top 10 ransomware strains in the first half of the year to increase their efforts in the second half of 2024. LockBit was destroyed by the National Crime Agency (NCA) and the FBI in early 2024, and its payments fell by about 79% in the second half of the year, demonstrating the effectiveness of international law enforcement cooperation. ALPHV/BlackCat, once one of the highest-paid strains in 2023, withdrew in January 2024, leaving a gap in the second half of the year.

Lizzie Cookson, senior director of incident response at ransomware incident response company Coveware, told us: “After LockBit and BlackCat/ALPHV collapse, the market has never returned to its former state. We have seen an increase in solo actors, but we have not seen it. Any group quickly absorbs their market share, as we have seen after the previous high-profile demolition and closure. The current ransomware ecosystem is filled with many newcomers who tend to focus their energy on small and medium-sized markets , and these markets are in turn related to more moderate ransom requirements.”

To further understand the reasons for the reduction in ransomware payment activity in the second half of the year, we first looked at the data breach websites that may be representative of ransomware incidents. In the figure below, we can see that the number of ransomware incidents increased in the second half of the year, but the on-chain payments decreased, which indicates that the number of victims increased, but the amount paid decreased.

The data breach website released more victims than in any previous year in 2024. Not only are there more so-called victims, but according to Recorded Future threat intelligence analyst Allan Liska, there are 56 new data breaches sites in 2024 — more than double the number of Recorded Future discovered in 2023. However, there are some considerations to consider for data breaching website information and its implications for the ransomware ecosystem.

eCrime Threat Researcher Corsin Camichel shared more about the legality of leaks. "We observed leaked website posts claiming that the organization exists, but failed in a deeper analysis. For example, we saw statements from multinational organizations, but in reality, only one smaller subsidiary was affected. In 2024, More than 100 organizations are listed on two or more data breach sites. 'MEOW' leaked sites play an important role in it, appearing to destroy the site and list the data obtained from the web server or database. "The above ransomware Another reason for the inverse relationship between software payments and data breach website victims may be that threat actors are found to exaggerate or falsely report the victim or repost the claims of the old victim. “LockBit operators play tricks after an enforcement action called ‘Operation Cronos’, pretending to remain relevant and active as they republish many of the previously listed claims, or add attacks that took place long ago, some even It happened a year ago,” Camichel added.

Liska also shared information with us about illegal victims posted to the data breach website and said: “This is especially true for LockBit, which has been excluded by many underground communities after the enforcement action, and in order to remain relevant, the company has been in its data breach. Up to 68% of victims of duplication or direct fabrication were posted on the website.”

Another interesting phenomenon after the LockBit interruption and BlackCat exit scam was the rise of RansomHub RaaS, which absorbed a large number of displaced operators from LockBit and BlackCat. RansomHub has the largest number of victims in 2024, and although it only appeared in February 2024, it ranked among the top 10 crime types in 2024, according to on-chain data.

Incident response data shows that the gap between the amount claimed and the amount paid continues to widen; in the second half of 2024, the difference between the two factors was 53%. The incident response company reports that most customers choose not to pay at all, meaning the actual gap is larger than the figures below show.

We interviewed Dan Saunders, EMEA Incident Response Director, Kivu Consulting, a cybersecurity incident response company, to learn more about this type of victim resilience. “According to our data, about 30% of negotiations end in payment or victim decision to pay the ransom. Typically, these decisions are based on the perceived value of the data being leaked,” he said. Similarly, Cookson notes that victims are increasingly able to resist demands and explore multiple options for recovery from attacks due to improved cyber hygiene and overall resilience. “They may end up thinking that decryption tools are their best choice and negotiate to reduce final payments, but more commonly, they find that recovery from recent backups is a faster and more cost-effective way,” she added . Regardless of the initial requirement, the final payment amount is usually between $150,000 and $250,000.

From the figure below we can see the evolution of ransomware payment distribution in 2024. In 2020, ransomware payments had a long tail but only a peak, but in 2024, ransomware participants were divided into three categories. Some ransomware players, such as Phobos, pay an average of less than $500 to $1,000. Another cluster is around $10,000, and the third cluster pays over $100,000, some of which reach $1 million. We also see more events at the top of the distribution, which means more than $1 million attacks are larger.

This breakdown reflects the change in the ransomware participant landscape observed by Cookson, where smaller groups dominate low- and medium-value payments, while anomalies of 7-8-digit ransoms push the distribution to the right towards the third category Pay.

In the figure below, we can see which pressures are the worst in terms of total ransomware value (bubble size), median payment scale (X-axis), and ransomware event index (Y-axis).

Ransomware outflow: Where did the funds go?

Understanding ransomware money laundering methods can provide important insights into the behavior of post-vulnerability threat actors, allowing law enforcement to respond more effectively and in some cases predict future actions based on established patterns.

In the figure below, we see that ransom funds are mainly through centralized exchanges (CEXs) (for capital outflows), personal wallets (for holding funds) and bridges (trying to cover up capital flows). We have noticed that the use of coin mixers will drop significantly in 2024. Historically, currency mixing services typically account for 10% to 15% of ransomware’s quarterly money laundering traffic. Over the years, the reduction in hybrid services among ransomware participants has been very interesting and demonstrated the destructive impact of sanctions and enforcement actions, such as those targeting Chipmixer, Tornado Cash and Sinbad. We note that ransomware participants are increasingly relying on cross-chain bridges to replace currency mixers to facilitate their outflow of funds. By contrast, CEX remains a mainstay of ransomware money laundering strategies, with reliance on such services slightly above average in 2024 (39%, compared to 37% in the 2020-2024 period).

It is worth mentioning that a large amount of funds are stored in a personal wallet. Strangely, ransomware operators are a largely economically driven group that are less willing to cash out than ever before. We believe this is mainly due to unpredictable and decisive actions taken by law enforcement against individuals and services involved in or assisting ransomware money laundering, resulting in threat actors feeling unsafe about the safe place for funds to be stored.

While there may be multiple factors behind any of the trends in the chart above, the decline in KYC-free exchange usage since October 2024 may be attributed to the designation of the Russian exchange Cryptex and the German Federal Criminal Police Agency (BKA) ) Seizure of 47 Russian-language KYC cryptocurrency exchanges – both actions occurred in September 2024. The time of these enforcement actions, coupled with the period when ransomware flows into KYC-free exchanges, is evident.

Ransomware case study

Panev's arrest and its impact on LockBit operations

Rostislav Panev, a dual nationality of Israel and Russia, allegedly played a key role in supporting LockBit. He was accused of developing several tools for the group, one of which enables an attacker to print ransom orders from any printer connected to an infected system, and he reportedly received about $230,000 in Bitcoin (BTC) for this. . While Russian nationals, including LockBit administrator Dimitry Yuryevich Khoroshev, have been previously sanctioned for participating in these attacks, it is important to recognize that ransomware is indeed a global threat involving participants from all over the world. Panev, who is currently awaiting extradition to the United States in Israel, is wanted for conspiracy to commit fraud, cybercrime, telecom fraud and other crimes.

In the Reactor chart, we can see that according to the indictment, about $5,000 of BTC is transferred from Khoroshev every two weeks starting in 2022. Then, from July 2023 to early 2024, about $10,000 of BTC per month was transferred to Khoroshev.

Panev's arrest could have a major blow to LockBit's restructuring capabilities, stressing that even years after the crime, the transparency and immutability of blockchain still enables law enforcement to track illegal activities and combat transnational cybercrime groups. LockBit’s outlaw and Panev’s arrest were major victories in 2024 and triggered a shift to a more fragmented and less coordinated ecosystem.

Participation in Iranian ransomware

In addition to Russian-speaking cybercriminals, Iranian nationals have been sanctioned by the U.S. Treasury Office of Foreign Assets Control (OFAC) for their participation in assisting and carrying out ransomware attacks over the past few years. We have also noticed on-chain evidence that LockBit affiliates work with Iranian ransomware strains and deposit funds on Iran’s exchanges.

Fortunately, through our on-chain analysis, we can identify Iranian players as they are rebranding or moving to a different RaaS. As we see in the Chainalysis Reactor chart below, we associate four different ransomware strains with the same Iranian threat actor, who most likely deployed a popular RaaS strain as well. We also see deposit addresses being reused on multiple global exchanges, linking these seemingly different strains – not only connecting with each other, but also confirming the operator’s relationship with Iran.

Major ransomware renames and branches

Since Akira's advent, it has proven to be able to successfully exploit vulnerabilities (especially in enterprise environments) and has gained attention through a series of compelling attacks. As we mentioned above, Akira is the only top 10 ransomware to step up its efforts in the second half of 2024.

In September 2024, a new ransomware Fog entered the scene and has since shown a very similar ability to target critical vulnerabilities as Akira. The two organizations focus primarily on exploiting VPN vulnerabilities, which enables them to access the network without authorization and thus deploy ransomware.

Both Akira and Fog use the same money laundering method, which is different from other ransomware, further supporting their connection. For example, the following Chainalysis Reactor chart shows that several wallets operated by Akira and Fog have transferred funds to the same KYC-free exchange.

In addition to Akira's relationship with Fog, we also discovered the link between INC and Lynx ransomware variants by examining similar on-chain behavior. Cybersecurity researchers also noticed that the two variants share source code.

These overlapping relationships illustrate a broader trend in the ransomware ecosystem: cybercrime strategies are evolving in response to increased scrutiny by law enforcement.

Respond to changing threat situations

Ransomware in 2024 reflects changes driven by law enforcement actions, increased victim resilience, and emerging attack trends. Crackdown operations and collaboration with incident response companies and blockchain experts help dismantle many ransomware groups and reduce their profitability. The victims also showed greater resistance to ransom demands, thus widening the gap between ransom demands and payments.

Under the pressure of law enforcement, financial strategies continue to adapt, although malicious actors face increasing difficulties in money laundering. Continuing cooperation and innovative defensive measures remain critical to consolidating progress made in 2024.