A new analysis from the U.S. Department of the Treasury’s FinCEN has revealed the scale of ransomware activity reported by financial institutions, showing more than $2.1bn in payments traced between 2022 and 2024.
The data was taken from Bank Secrecy Act (BSA) reports and marks one of the clearest pictures yet of how cyber criminal groups are exploiting the financial system.
FinCEN Director Andrea Gacki stressed the importance of fast reporting by regulated firms. FinCEN Director Andrea Gacki said, “Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats. By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”
Unlike previous studies that focused on when incidents were reported, the latest analysis looks at ransomware events based on the incident date, giving a clearer timeline of criminal behaviour. The shift has revealed that ransomware attacks reached record levels in 2023, when 1,512 incidents were reported and total payments hit $1.1bn. This represented a 77% jump in the overall value of ransomware-related payments compared with 2022.
Activity slowed in 2024, following law enforcement action targeting two prominent ransomware groups. That year, 1,476 incidents were reported, accounting for $734m in payments. Median ransomware payments fluctuated over the three-year period, rising from $124,097 in 2022 to $175,000 in 2023 before falling back to $155,257 in 2024. Across all three years reviewed, most ransom demands were below $250,000.
FinCEN also examined the sectors most frequently targeted. Manufacturing reported 456 ransomware events worth around $284.6m, financial services disclosed 432 incidents totalling approximately $365.6m, and the healthcare sector submitted 389 reports linked to about $305.4m in payments. Cybercriminals also relied heavily on concealed communication channels, with 67% of ransomware victims reporting interactions routed through The Onion Router (TOR) network. Other attackers used email and encrypted messaging services.
More than 200 ransomware variants were identified in BSA data. ALPHV/BlackCat was the most prevalent between 2022 and 2024, alongside variants including Akira, LockBit, Phobos and Black Basta. The 10 variants responsible for the largest cumulative payments collectively accounted for approximately $1.5bn.
Keep up with all the latest RegTech news here
Copyright © 2025 RegTech Analyst
Copyright © 2018 RegTech Analyst
