Bank Security Act (BSA) Report for 2024 Finds Drop in Value of Ransomware Payments
February 23, 2026
Any evidence that law enforcement has had success in fighting off cybercriminals is good news. Late last year, the Financial Crimes Enforcement Network (FinCEN) released a report finding a drop in ransomware payments from 2023 to 2024. FinCEN consolidates and analyzes incidents where malware has made files, software, and systems unusable that are reported in BSA data.
FinCEN's three-year report of ransomware trends documented a spike in ransomware incidents and costs in 2023. Reported incidents increased 25 percent from 2022 to 2023, and the cost of ransomware payments was up 77 percent to $1.1 billion. That's some not-so-good news. These data are culled from BSA data, so only reported criminal activity was included; presumably, they understate the full scope.
Then, however, FinCEN reports turnaround in 2024, when the value of ransomware payments dropped from 2023, potentially due to US and UK law enforcement action against two ransomware groups. Incidents were flat in 2024 (down just two percent), but the total value of payments dropped by one-third to $734 million.
FinCEN reports that manufacturing, financial services, and healthcare are the most targeted industry during the three-year period (chart).
Ransomware incidents between 2022 and 2024
| Industry | Number | Value of ransom paid (millions) |
|---|---|---|
| FInancial Services | 432 | $365.6 |
| Healthcare | 389 | $305.4 |
| Manufacturing | 456 | $284.6 |
The criminal industry engaging in ransomware attacks is heterogeneous. FinCEN identified almost 300 ransomware variants in the BSA data, many of which are executed as ransomware-as-a service. In about 60 percent of incidents, the ransom payment was $250,000 or less. The report finds that most ransomware-related payments reported to FinCEN were in Bitcoin.
While the 2024 results are encouraging, it's clear that the long-running, cat-and-mouse game between law enforcement and cybercriminals requires frequent updates to software, offline backups, and constant education updating network users about phishing and malware. Here are some resources that can help:
- Stop ransomware guide (National Coordinator for Critical Infrastructure Security and Resilience, CISA.gov)
- Preparing for a cybersecurity incident (US Secret Service)
This report reminds us that ransomware can no longer live only with cybersecurity. It requires coordination between fraud, anti-money laundering, compliance, payments operations, and risk.