FinCEN Highlights Three-Year Surge in Ransomware Payments

The Financial Crimes Enforcement Network (FinCEN) has released a new Financial Trend Analysis examining ransomware activity captured in Bank Secrecy Act reporting between 2022 and 2024. The analysis identifies more than 2.1 billion dollars in ransomware payments over the three-year period and confirms that 2023 marked an unprecedented peak in both reported incidents and associated financial losses.

According to FinCEN Director Andrea Gacki, timely suspicious activity reporting remains a central defence against the rising frequency and sophistication of ransomware attacks. Enhanced visibility into incident-level data provides law enforcement with strategically important insights into evolving cyber threat patterns, enabling a more targeted national security response.

Record incident volumes & payments

FinCEN’s shift to analysing ransomware events by their incident date has produced a clearer picture of threat escalation. The data indicates:

• 2023 was the most damaging year on record, with 1,512 reported incidents and $1.1 billion in associated payments.

• This represented a 77 per cent increase in total payments compared with 2022.

• Following significant law enforcement disruption operations against two major ransomware groups, incident volumes fell marginally in 2024 to 1,476 cases, involving $734 million in reported payments.

• Median payment values rose sharply from $124,097 in 2022 to $175,000 in 2023, before moderating slightly to $155,257 in 2024. Most payments remained below $250,000.

The analysis also highlights the sustained scale of the threat. Between January 2022 and December 2024, FinCEN received 7,395 BSA reports connected to 4,194 ransomware incidents. This matches in just three years nearly the entire value of payments reported over the preceding nine-year period.

Manufacturing, financial services & healthcare remain high-risk sectors

The report reinforces that ransomware attacks continue to concentrate on sectors where operational disruption can quickly generate leverage for extortion. FinCEN cites:

• Manufacturing with 456 incidents and $284.6 million in reported payments.

• Financial services with 432 incidents and $365.6 million in payments.

• Healthcare with 389 incidents and $305.4 million in payments.

These figures underline the cross-sectoral risk posed by ransomware and the dependence of critical industries on effective cyber resilience and robust reporting frameworks.

Preferred communication channels & dominant ransomware variants

FinCEN notes that threat actors overwhelmingly rely on The Onion Router when communicating with victims, accounting for 67 per cent of cases where a method was disclosed. Email and encrypted messaging applications were the next most common channels.

More than 200 ransomware variants were identified. The most frequently reported were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. The ten variants responsible for the highest cumulative payment values accounted for approximately $1.5 billion, underscoring the concentration of financial harm among a relatively small group of highly organised cybercriminal operations.

Growing need for coordinated preventive action

FinCEN emphasises that ransomware remains a multifaceted cybersecurity threat requiring comprehensive mitigation approaches. The agency continues to publish guidance and resources to support financial institutions in strengthening detection, prevention, and reporting controls.

FinCEN’s Financial Trend Analysis, Ransomware Trends in Bank Secrecy Act Data, is now available online. Organisations seeking further clarity on the release are encouraged to contact the FinCEN Regulatory Support Section via the enquiry portal on its website.

This insight offers a high-level overview for industry stakeholders monitoring ransomware trends and planning strategic responses to cyber-enabled financial crime.

Read the press release here.