The Financial Crimes Enforcement Network (FinCEN) reported 4,194 ransomware-related Bank Secrecy Act filings between January 2022 and December 2024, showing victims paid more than $2.1 billion in ransom payments during that period and about $4.5 billion in total from 2013 through 2024.
FinCEN said ransomware activity peaked in 2023, when victims reported 1,512 incidents and roughly $1.1 billion in payments, a 77 percent increase from 2022. Reported incidents edged down in 2024 to 1,476, while reported payments dropped to $734 million.
FinCEN attributed the decline in payments in part to law enforcement operations that disrupted major ransomware groups, noting that some threat actors moved to new operations or struggled to relaunch. The agency also reported that most ransom payments were below $250,000.
By industry, FinCEN identified manufacturing, financial services, healthcare, retail and legal services as the most commonly targeted sectors by number of incidents, and found financial services, healthcare and manufacturing bore the largest total ransom payments; the agency provides these figures in its analysis.
FinCEN counted 267 distinct ransomware families in the filings. Akira appeared in the most incident reports, while ALPHV/BlackCat and LockBit were among the highest in total payments, with the top 10 ransomware operations accounting for about $1.5 billion in payments from 2022 through 2024. The report said most payments were made in Bitcoin (about 97 percent), with a small number in Monero, Ether, Litecoin and Tether.
The agency encouraged organizations to report ransomware incidents to the FBI and report ransom payments to FinCEN.