Ransomware continues to pose a major national security concern, according to new research from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN).
The agency has released a Financial Trend Analysis outlining ransomware patterns detected in Bank Secrecy Act (BSA) reporting between 2022 and 2024, revealing more than $2.1bn in associated payments over the period.
“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” FinCEN director Andrea Gacki said, adding, “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”
Unlike previous FinCEN analyses, which examined reports based on the filing date, this report instead focuses on the dates when the ransomware activity itself occurred. FinCEN suggests this approach provides more clarity on timing trends and attacker behaviour.
The report highlights that ransomware incidents peaked in 2023, reaching 1,512 reported attacks and $1.1bn in payments — marking a 77% increase in total payments compared with 2022. The figures underline how aggressively ransomware groups escalated operations across sectors throughout the year. However, incidents fell slightly in 2024 to 1,476 reports, valued at $734m, following law enforcement disruptions targeting two major ransomware networks.
FinCEN’s analysis shows that the median payment size also rose in 2023, reaching $175,000 before dropping to $155,257 in 2024. Across the three-year period, most payments were below $250,000.
In total, 7,395 BSA reports covering 4,194 incidents were submitted between January 2022 and December 2024 amounting to more than $2.1bn in ransomware payments. This compares to $2.4bn tracked across a much longer nine-year period from 2013 to 2021, showing how attack volumes and costs have escalated dramatically.
The most targeted industries were manufacturing, financial services and healthcare. Manufacturers reported 456 incidents with $284.6m in losses, financial services organisations logged 432 incidents totalling $365.6m, while healthcare saw 389 attacks resulting in $305.4m paid.
The dataset also examined how attackers engage with victims. Communications routed via The Onion Router (TOR) accounted for 67% of incidents where a method was reported. Email and encrypted messaging apps were used less frequently but still represented widely-adopted channels.
FinCEN identified more than 200 ransomware variants across incident reports, with ALPHV/BlackCat, Akira, LockBit, Phobos and Black Basta listed as particularly widespread. The top 10 variants alone were responsible for roughly $1.5bn in total payments, underlining the concentration of harm caused by a relatively small number of cybercriminal groups.
The findings reinforce FinCEN’s call for vigilance among financial institutions, highlighting the need for fast reporting to enable law enforcement action and sector-wide threat mitigation.
Keep up with all the latest FinTech news here
Copyright © 2025 FinTech Global
