Breaking the bank

Ransomware isn’t slowing down. In fact, it’s accelerating.

According to a new Financial Trend Analysis from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), ransomware payments reported under the Bank Secrecy Act (BSA) totaled more than $2.1 billion between 2022 and 2024, with 2023 marking a record-breaking year at $1.1 billion.

The report highlights the growing sophistication of ransomware actors, the industries most at risk, and the urgent need for financial institutions and security leaders to strengthen defenses and reporting practices. FinCEN’s analysis shows ransomware activity peaked in 2023, with 1,512 incidents totaling $1.1 billion in payments - a staggering 77% increase from 2022. While law enforcement disruptions of major ransomware groups led to a slight decline in 2024 (1,476 incidents, $734 million), the overall trend remains alarming.

Between January 2022 and December 2024, FinCEN received 7,395 BSA reports tied to 4,194 ransomware incidents, amounting to more than $2.1 billion in payments. To put that in perspective, the previous nine-year period (2013 through the end of 2021) saw $2.4 billion in ransomware payments – which means that nearly the same amount was paid in just three years.

The report identifies manufacturing, financial services, and healthcare as the most impacted sectors due to their operational dependencies and sensitive data.

Manufacturing accounted for 456 incidents totaling $284.6 million, financial services for 432 incidents totaling $365.6 million, and healthcare for 389 incidents totaling $305.4 million.

FinCEN found that 67% of ransomware actors used The Onion Router (TOR) – an anonymous online network - for communication, while others relied on email or encrypted messaging platforms, which underscores the anonymity and resilience of these networks. More than 200 variants were reported, with ALPHV/BlackCat, LockBit, Akira, Phobos, and Black Basta leading the pack. The top 10 variants alone accounted for $1.5 billion in payments, signaling the dominance of a few highly organized groups.

FinCEN Director Andrea Gacki stressed the importance of timely reporting when it comes to ransomware and other cyberattacks.

“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” she said. “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”

Preventing ransomware requires a proactive, layered approach that combines technology, process, and people - whether it’s enforcing strong access controls with multi-factor authentication, patching and updating systems regularly to close vulnerabilities, or continuous monitoring and threat intelligence to help detect and report suspicious activity in compliance with regulatory requirements. In addition, regular employee training on phishing and cybersecurity awareness is essential, as human error remains the most common entry point for attackers.

Ransomware is not just a technical problem - it’s a business risk and a national security concern. By combining robust cybersecurity practices with timely reporting and industry collaboration, security professionals can help stem the tide of ransomware and protect critical infrastructure - rather than organizations having to pay the price.