Category deep-dive: Ransomware demands reached an all-time high in 2024

Editor’s note: The following post is an excerpt from our 2025 Crypto Crime Report, which we are breaking down by threat category over the coming weeks. In previous posts, we took a look at overall crypto transaction volumes, how sanctioned entities drove illicit crypto volume in 2024, and trends in the use of crypto in terrorism financing over the past year. 


Ransomware remained a prolific and growing threat in 2024, with 5,635 publicly reported attacks (analysis is based on ransomware leak site data available as of January 6, 2025; excludes underreported incidents) — surpassing 5,223 in 2023. 

The financial demands of ransomware actors have also reached unprecedented levels, exemplified by a record USD 75 million payment made to the Dark Angels ransomware group in March 2024. These escalating ransom demands highlight the increasing boldness and sophistication of threat actors, who are leveraging advanced tools and techniques to maximize their extortion efforts.

Image: Dark Angels' record-breaking ransom payment

The ransomware and crypto-related crime landscape is highly fluid, and today's standard practices can change quickly. A notable trend identified by TRM’s threat intelligence team in 2024 was the decline in the use of cryptocurrency mixers for laundering ransomware proceeds. Instead, threat actors are increasingly leveraging cross-chain bridges to obfuscate transactions and enable seamless cryptocurrency conversions before cashing out.

Though bitcoin remains the primary currency for ransomware payments, a substantial portion of these funds is converted to other cryptocurrencies downstream. The use of bridges provides a quicker and more efficient means of converting illicit funds, while creating an illusion of greater anonymity for cybercriminals.

New ransomware groups entered the field, while other existing groups rebranded

2024 saw the emergence of several new ransomware groups, including Brain Cipher, dAn0n, DragonForce, Fog, Funksec, RansomHub, Sarcoma, and Trinity. These groups have quickly gained notoriety for their sophisticated tactics and successful attacks across various industries. For example, Trinity has been associated with targeting critical infrastructure such as healthcare and government organizations — including two healthcare providers based in the United Kingdom and United States.

In addition to new entrants, several prominent ransomware groups rebranded or shifted operations under new names to evade law enforcement scrutiny. Notable examples include the resurgence of groups like Lynx (aka INC), DennistheHitman (aka GlobeImposter), and Qilin (aka Agenda), which have adopted innovative extortion methods to enhance their effectiveness. 

The Ransomware-as-a-Service (RaaS) model continues to dominate the ecosystem, empowering less-skilled actors to carry out high-impact attacks. Affiliates have become increasingly adaptable, often switching between platforms and groups, as evidenced by on-chain activity. 

Image: Ransomware affiliate consolidation address receiving payments from multiple variants

While the ransomware landscape has traditionally been strongly associated with Russian-speaking actors, especially at the administrator level, it has diversified over the years. Groups are now incorporating affiliates from geographies around the world with a wide spectrum of language skills. For instance, DragonForce ransomware demonstrates this shift, with ties to Northern or Central Asia, as suggested by audio recordings of its associated actors on their TOR site.

Despite this change, Russian-speaking ransomware groups remain very active and include some of the most sophisticated actors in the cybercriminal landscape. Many of these groups are linked to high-profile attacks, leveraging advanced encryption techniques, innovative extortion tactics, and RaaS models to scale operations.

Notable attacks in 2024 primarily targeted the technology, retail, and financial services sectors

Data leak sites have proliferated, serving as platforms for public shaming and extortion. These sites are increasingly used in multi-layered extortion strategies, adding pressure on victims to pay ransoms by posting victim names and company details.

Ransomware attacks in 2024 continued to target critical sectors, causing widespread disruption — with the top three sectors being technology, manufacturing, and professional services (analysis is based on ransomware leak site data available as of January 6, 2025; excludes underreported incidents). Trends leading into 2025 suggest ransomware groups will continue to target healthcare and critical infrastructure, supply chain vulnerabilities, and cloud service providers to maximize their efficiency and impact.

  • Healthcare and critical infrastructure: Healthcare systems remain a prime target, with attacks causing significant disruptions to patient care and operations. Attacks against organizations like Change Healthcare and PIH Health underscore the vulnerability of critical services to cyber threats.
  • Supply chain compromises: Attackers have increasingly focused on vendors and service providers like CDK Global and Blue Yonder to maximize downstream impacts. This tactic has been particularly disruptive in the technology and manufacturing sectors, where dependencies are high.
  • Cloud service providers: High-profile attacks have targeted cloud service providers, resulting in the exposure of sensitive data and global service disruptions. In June 2024, data theft attacks targeted customers of the cloud data platform Snowflake, leading to breaches at companies like AT&T, Ticketmaster, and Santander Bank. Attackers obtained login credentials through infostealer malware, compromising sensitive customer data.

International collaboration is critical in disrupting ransomware actors

In 2024, global efforts to combat ransomware included major international collaborations like Operation Cronos, which disrupted LockBit's infrastructure, and Operation Endgame, targeting ransomware networks across Europe. The Counter Ransomware Initiative (CRI) gathered 68 nations to enhance strategies against ransomware, while sanctions targeted key figures in groups like Evil Corp. Increased collaboration between public and private entities has been instrumental in these successes. Real-time intelligence-sharing and joint operations have expanded resources and allowed for the timely disruption of ongoing attacks, highlighting the importance of strong partnerships in combating ransomware.


Next up in this series: We take a closer look at crypto losses from hacks and exploits in 2024 — and detail key attacks carried out by North Korea last year.
