New analysis from the U.S. Financial Crimes Enforcement Network (FinCEN) shows that ransomware activity reached record levels in 2023 before easing slightly in 2024. The findings, based on Bank Secrecy Act (BSA) reporting, underline the continued impact of ransomware across financial services and other sectors.
The review covers 7,395 BSA reports linked to 4,194 ransomware incidents between 2022 and 2024. Together, these reports account for more than USD $2.1bn in identified ransom payments over the three-year period.
Why This Data Matters
FinCEN published the analysis as part of its statutory obligation to report on financial crime trends and emerging threats. This report shifts the focus from when a filing was made to when the underlying ransomware incident occurred, providing a clearer view of threat activity over time.
The scale is striking. From 2013 to 2021, FinCEN recorded $2.4bn in reported ransomware payments. The 2022–24 period alone accounts for almost the same value, highlighting how ransomware operations have expanded in both scale and sophistication. FinCEN also stressed that BSA data reflects only identified suspicious activity, meaning the true impact is likely higher.
Key Findings at a Glance
- 2023 marked a peak: Reported ransomware payments reached around $1.1bn in 2023, a 77 per cent increase from 2022. Incidents also rose to a record 1,512.
- Slight decline in 2024: Payments fell to approximately $734m, while incidents dipped marginally to 1,476.
- Most affected sectors: Financial services, manufacturing and healthcare consistently reported the highest number of incidents and total payments. Financial services alone accounted for roughly $365.6m.
- A crowded ransomware landscape: FinCEN identified 267 ransomware variants. ALPHV/BlackCat generated the highest total payments, while Akira recorded the most incidents. LockBit featured heavily across both volume and value.
- Bitcoin dominates payments: Bitcoin appeared in 97 per cent of reported ransom payments.
- Consistent laundering methods: Threat actors continued to rely on unhosted wallets, virtual asset exchanges and shared initial access vendors.
What FinCEN Expects Next
FinCEN reiterated the role of financial institutions in detecting and reporting ransomware-related activity. Expectations include timely engagement with law enforcement, use of cyber indicators in suspicious activity reports, and referencing “CYBER-FIN-2021-A004” where relevant.
The agency also encourages firms to use federal resources such as CISA’s StopRansomware.gov and NIST guidance, and to maintain strong monitoring and intrusion detection controls.
FinCEN’s findings reinforce that ransomware remains a sustained threat affecting multiple sectors. The analysis underlines the need for vigilant monitoring, rapid escalation and continued investment in cyber resilience across the financial system.
Strengthening Ransomware Detection and Reporting Capabilities
If you’re reviewing how your organisation identifies, escalates and reports ransomware-related activity, talk to our team. Our automated solutions can help you stay ahead of the changing compliance, risk and control landscape.