Has Ransomware Peaked? FinCEN Data Shows Slight Downward Trend In Incidents.

The U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) released its latest Financial Trend Analysis (FTA) this month, reporting data from banks and other financial institutions showing that, following a recent surge, the number of reported ransomware incidents and payment amounts dipped slightly in 2024. High-profile ransomware attacks frequently appear in the news and the impact can be severe: in just the last month, news broke that an e-tailer company was knocked offline for 45 days following one attack, and cities and towns across the U.S. lost access to their emergency alert systems after another.

Data indicates reality matches the perception—ransomware attacks surged to their highest levels in 2023, with a total of 1,512 reported incidents and $1.1 billion in reported ransom payments, a staggering 77 percent increase in total payments from the prior year. This continued a trend of increased malicious activity that first appeared in 2021, in which FinCEN received reports of approximately 1,400 incidents and nearly $1 billion in payments, more than double the previous year. Indeed, the three-year review period for the FTA (January 2022–December 2024) saw a total of 7,395 ransomware-related reports, totaling more than $2.1 billion in payments, while during the entire previous nine-year period (2013 through 2021), FinCEN received only 3,075 reports totaling approximately $2.4 billion in ransomware payments.

One year does not make a trend but the latest data show signs for cautious optimism. In 2024, companies reported a total of 1,476 ransomware incidents, and approximately $734 million in ransomware payments. The median ransomware payment also decreased, from $175,000 in 2023 to $155,257 in 2024. FinCEN attributes this decrease in part to U.S. and U.K. law enforcement disrupting high-profile ransomware groups in December 2023 and February 2024.

No industry is immune from the threat of attack, but the FTA identified that financial services, manufacturing, and healthcare industries reported both the greatest number of incidents and highest amount of aggregate payments sent to ransomware actors during the review period. Retail and legal services reported the next highest amount of overall incidents; meanwhile, science and technology and retail rounded out the highest reported total payments.

Other key findings reported in the FTA include:

• The data revealed 267 distinct ransomware variants used in attacks during 2022 – 2024, the most prevalent being Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
• Ransomware actors most often used The Onion Router ("Tor") to communicate with their victims, reported in 67 percent of ransomware incidents during the reporting period. TOR uses encryption and layered network infrastructure to allow users to browse the internet anonymously and conceal their identity and point of origin.
• Bitcoin (BTC) remains the prominent payment method of choice for ransomware actors, accounting for 97 percent of the reported ransomware transactions.

The financial threat to companies posed by ransomware is no secret. Data reported to FinCEN indicates that, although the vast majority of payments demanded by ransomware actors are below $250,000, individual demands can exceed $5 million. But the risk doesn't end with the actual ransom payment—companies face increasing legal liability as well. According to one report from 2023, nearly one in five ransomware attacks resulted in a lawsuit against the victim company. Class actions against companies for failure to prevent or disclose ransomware breaches abounded in 2025, after several litigations arising from earlier breaches led to costly settlements.

Therefore, it is as important as ever for companies to take steps to prevent, detect, and respond effectively to ransomware attacks. As FinCEN summarizes, "ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices." The FTA references several resources, including the Cybersecurity and Infrastructure Security Agency's (CISA) website StopRansomware.gov, the National Security Agency's (NSA) Ransomware Guide, and the National Institute of Standards and Technology's (NIST) Data Integrity Project.

FinCEN publishes FTAs pursuant to section 6206 of the Anti-Money Laundering Act of 2020, 31 U.S.C. § 5318(g)(6)(B), which requires periodic reporting of threat pattern and trend information derived from data reported to FinCEN under the Bank Secrecy Act. The AML Blog has posted on previously-issued FTAs here and here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.