In the first half of 2024, an unnamed company wired $75 million to a ransomware group called Dark Angels — the largest single ransom payment in recorded history. The victim's name remains undisclosed. The operator collected, then moved on. No arrests. No recovery. The transaction closed the same way a legitimate commercial settlement might: with a key delivered upon receipt of funds.
The headline number for the year tells a different story. Ransomware actors received $813.55 million in cryptocurrency payments across 2024 — a 35% decline from 2023's record $1.25 billion, the first annual contraction since 2022. A surface reading suggests the problem is easing. It is not. The contraction reflects two forces working simultaneously: law enforcement disruptions that fractured the largest operations, and a strategic shift among surviving groups toward fewer, higher-value targets. The volume of attacks held; the selectivity increased.
The data underneath the aggregate figure reveals the adjustment. The gap between amounts demanded and amounts paid reached 53% in the second half of 2024: attackers were more often demanding more than they ultimately received. Meanwhile, the share of victims choosing to pay dropped to a record low of 28% in 2025, down from 62.8% the year before. Better defences, improved backups, and the reputational cost of confirmed payment have all contributed. What the payment figures do not capture is that the operators have recalibrated accordingly: median ransom payments jumped 368% year-over-year, from $12,738 to $59,556, as groups concentrated pressure on the victims most likely to settle quickly and quietly.
This is not opportunistic crime. It is yield management.
The Affiliate Architecture
The operational model that produced these figures is Ransomware-as-a-Service — a franchise structure in which core developers lease their encryption tools, infrastructure, and negotiation platforms to independent operators called affiliates, who conduct intrusions and split the proceeds. The economics are standardised. LockBit, ALPHV, and Play historically offered affiliates 70–80% of each ransom. RansomHub, which launched in February 2024 and rapidly absorbed talent displaced by law enforcement actions against LockBit and ALPHV, offers 90%, retaining only 10% for the core operation.
That shift in the split carries significant implications. A 90/10 split is not just a competitive inducement — it represents a business model optimised for scale and affiliate loyalty, analogous to a high-commission sales structure in a legitimate enterprise. The platform takes less and does more volume. By the end of Q3 2024, RansomHub's claimed victim count had surged 800% from Q1, reaching 593 victims by year-end and displacing LockBit as the most active Ransomware-as-a-Service operation globally. ESET confirmed it as the dominant group in H2 2024.
The transition was partly engineered. ALPHV/BlackCat exit-scammed its own affiliates in March 2024, appropriating the $22 million UnitedHealth ransom payment and disbanding — driving experienced operators directly to RansomHub. LockBit, disrupted by the NCA and FBI's Operation Cronos in February 2024, saw its H2 payments drop approximately 79% as infrastructure was seized and decryption keys were recovered. The talent that remained professional found a new employer within weeks.
What $75 Million Bought
The Dark Angels payment warrants separate examination. At $75 million it exceeds the previous record by a substantial margin, and it illustrates the upper boundary of what targeted ransomware can now extract. Dark Angels operated with unusual discipline: a low public profile, limited affiliate activity, and a practice of targeting single large victims rather than deploying broadly. The approach generates fewer incidents and fewer law enforcement triggers while concentrating revenue. It is the private equity logic applied to extortion — less noise, higher margin.
The UnitedHealth case — in which the Change Healthcare breach attributed to an ALPHV affiliate generated an estimated $872 million in direct costs for UnitedHealth in Q1 2024 alone, with the full-year impact exceeding $1.6 billion — illustrates what sits beneath the ransom figure. The $22 million payment was the smallest line item in UnitedHealth's breach-related expenditure. Incident response, regulatory notifications, system rebuilds, delayed claims processing, and reputational consequences dwarfed the direct extortion cost. This arithmetic is understood by sophisticated operators. They are pricing discovery, not destruction.
The ransom is not the cost of the attack. It is the opening offer in a negotiation that has already been structured to favour one side.
New Data-Leak Infrastructure
Parallel to the payment data runs a secondary market that has expanded significantly. In 2024, 56 new ransomware data-leak sites were created — more than twice the count tracked in 2023. These sites serve multiple functions: they provide proof of access to support ransom demands, they create reputational pressure on victims who decline to pay, and they facilitate secondary markets where stolen data is sold to other threat actors.
The proliferation of leak sites is partly a consequence of affiliate market competition. New RaaS platforms require differentiation; a professionally operated leak site with a documented track record of publishing data demonstrates operational credibility to both affiliates and victims. Cl0p's MOVEit campaign, which generated over $100 million in ransoms and accounted for 44.8% of all ransomware value received in June 2023, established the template for data-theft-without-encryption as a viable alternative to traditional locked-screen extortion. That approach has been replicated and refined.
The Coveware Q4 2024 data provides the clearest picture of the settled-payment landscape: average ransom payment of $553,959, median of $110,890. The spread between mean and median is significant — a small number of very large payments, most likely in sectors with high sensitivity to downtime and high operational complexity, skew the average upward. Healthcare, manufacturing, and legal services appear disproportionately in the high-value tier.
The Structural Resilience Problem
Law enforcement has demonstrated genuine capability against ransomware infrastructure. Operation Cronos seized 34 LockBit servers, approximately $120 million in cryptocurrency wallets, and over 1,000 decryption keys. The FBI's recovery asset team intervened in thousands of BEC and ransomware payment transactions. These are material outcomes. They are not decisive ones.
The RaaS model is structurally resilient precisely because it separates capability from identity. Core developers are few, well-insulated, and rarely operational. Affiliates are interchangeable. When an operation is disrupted, the developers rebuild or move quietly into another group's infrastructure; the affiliates find a new platform within days. The economics remain compelling. A successful affiliate earning 90% of a $110,000 median payment — after perhaps two to three weeks of access work — faces a risk-to-reward calculation that law enforcement cannot easily invert.
Field note — Security teams should monitor for the operational fingerprints of RansomHub affiliates: ALPHV and LockBit tooling adapted for new infrastructure, Living-off-the-Land techniques leveraging legitimate remote management tools, and an accelerated dwell-to-encryption timeline. RansomHub affiliates have been observed moving from initial access to encryption in under 24 hours in high-priority engagements. Prioritise credential-based detection over perimeter controls; the majority of intrusions begin with valid account access. Clients concerned about the data-leak secondary market should assume any compromise may result in regulated data appearing on third-party sites regardless of ransom outcome.
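One way to turn the field note into a detection rule, shown as an added example that is not from the original article or any vendor: flag a valid-account logon from a source not seen during a baseline period when it is followed, within the 24-hour window the note describes, by an unapproved remote management tool on the same host. The event schema, the tool names in `UNAPPROVED_RMM` and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: placeholder names for remote management tools not approved here.
UNAPPROVED_RMM = {"example-rmm.exe", "sample-remote.exe"}
WINDOW = timedelta(hours=24)  # the under-24-hour timeline from the field note

# Constructed sample events (not real telemetry), already normalised.
EVENTS = [
    {"ts": "2024-09-01T08:00:00", "type": "logon", "user": "svc-backup", "host": "FS01", "src": "10.0.5.20"},
    {"ts": "2024-09-10T02:14:00", "type": "logon", "user": "svc-backup", "host": "FS01", "src": "203.0.113.7"},
    {"ts": "2024-09-10T03:40:00", "type": "process", "user": "svc-backup", "host": "FS01", "image": "example-rmm.exe"},
    {"ts": "2024-09-10T09:00:00", "type": "logon", "user": "alice", "host": "WS12", "src": "10.0.7.31"},
    {"ts": "2024-09-12T10:00:00", "type": "process", "user": "alice", "host": "WS12", "image": "example-rmm.exe"},
]

def correlate(events, baseline_end):
    """Return alerts for first-seen (user, src) logons followed within
    WINDOW by an unapproved remote management tool on the same host."""
    cutoff = datetime.fromisoformat(baseline_end)
    known, pending, alerts = set(), [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "logon":
            pair = (ev["user"], ev["src"])
            if ts >= cutoff and pair not in known:
                pending.append((ts, ev))   # valid account, unfamiliar source
            known.add(pair)                # logons before cutoff only build the baseline
        elif ev["type"] == "process" and ev["image"].lower() in UNAPPROVED_RMM:
            for logon_ts, logon in pending:
                same = (logon["user"], logon["host"]) == (ev["user"], ev["host"])
                if same and timedelta(0) <= ts - logon_ts <= WINDOW:
                    alerts.append({"user": ev["user"], "host": ev["host"],
                                   "src": logon["src"], "image": ev["image"],
                                   "minutes": int((ts - logon_ts).total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS, "2024-09-08T00:00:00"):
        print(alert)
```

On the sample data only the `svc-backup` sequence alerts; the `alice` logon is also first-seen, but the tool start falls outside the 24-hour window.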
The 2024 data describes an industry that absorbed disruption, redistributed talent, and closed the year more concentrated and more efficient than it began. The operators who survived Operation Cronos and the ALPHV collapse did not exit. They improved their terms, narrowed their targets, and continued. The through-line from 2022 to the present is not escalation — it is professionalisation. Each year, the gap between the sophistication of the attack and the preparedness of the target widens by a measurable increment. The firms that treat ransomware preparedness as a periodic audit item, rather than an operational discipline, are the ones pricing Dark Angels' next engagement.
Sources & further reading
- Chainalysis — Crypto Ransomware 2025 (2024 data): https://www.chainalysis.com/blog/crypto-ransomware-victim-extortion-2025/
- Chainalysis — Crypto Ransomware 2026 (2025 data): https://www.chainalysis.com/blog/crypto-ransomware-2026/
- Chainalysis — Ransomware Hit $1 Billion in 2023: https://www.chainalysis.com/blog/ransomware-2024/
- Coveware — Q4 2024 Ransomware Report: http://coveware.com/2025/02/q4-report/
- ReliaQuest — Q3 2024 Ransomware: https://reliaquest.com/blog/q3-2024-ransomware/
- Blackpoint Cyber — RansomHub Threat Profile: https://blackpointcyber.com/threat-profile/ransomhub-ransomware/
- DarkOwl — Ransomware Round-Up 2024: https://www.darkowl.com/blog-content/ransomware-round-up-2024/
- ESET/TechTarget — RansomHub Most Active H2 2024: https://www.techtarget.com/searchsecurity/news/366617096/ESET-RansomHub-most-active-ransomware-group-in-H2-2024