The ransomware landscape experienced significant changes in 2024, with cryptocurrency continuing to play a central role in extortion. However, the total volume of ransom payments decreased year-over-year (YoY) by approximately 35%, driven by increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay.

In response, many attackers shifted tactics, with new ransomware strains emerging from rebranded, leaked, or purchased code, reflecting a more adaptive and agile threat environment. Ransomware operations have also become faster, with negotiations often beginning within hours of data exfiltration. Attackers range from nation-state actors to ransomware-as-a-service (RaaS) operations, lone operators, and data theft extortion groups, such as those who extorted and stole data from Snowflake, a cloud service provider.

In this chapter, we’ll explore these developments and their implications, including a variety of case studies — LockBit, Iranian ransomware strains, Akira/Fog, and INC/Lynx — that exemplify this year’s trends.

...read more at chainalysis.com