WASHINGTON—Ransomware remains a persistent and costly threat to U.S. financial institutions, with attack activity hitting record levels in 2023 and remaining elevated in 2024, according to a new Financial Trend Analysis from FinCEN.
The report, covering incidents from 2022 through 2024, details both the scale of attacks and the tactics most frequently used by ransomware actors.
FinCEN found that institutions filed 7,395 ransomware-related Bank Secrecy Act reports tied to more than 4,000 incidents and over $2.1 billion in payments during the three-year period. Activity peaked in 2023, when payments surged to $1.1 billion, a 77% jump from the prior year. Payments declined to about $734 million in 2024, a drop FinCEN attributed in part to federal disruptions of major groups such as ALPHV/BlackCat and LockBit. Even so, financial services ranked among the three most targeted sectors, both by number of attacks and total ransom paid.
The report underscores that attackers increasingly rely on well-known variants—including ALPHV/BlackCat, LockBit, Akira, and Phobos—and demand payments largely in Bitcoin, which accounted for 97% of reported transactions. Communication between attackers and victims most often occurred through TOR-based channels, with email representing a secondary method. Median ransom payments fluctuated, reaching $175,000 in 2023 before easing to $155,257 in 2024, with most payments falling below $250,000.
For financial institutions, FinCEN emphasized that strong detection and rapid reporting remain critical. The agency urges firms to integrate indicators of compromise into monitoring systems, contact law enforcement immediately when ransomware activity is suspected, and include detailed cyber indicators—such as IP addresses, file hashes, and virtual currency wallet information—in Suspicious Activity Reports. FinCEN also asks institutions to use the tag “CYBER-FIN-2021-A004” when reporting ransomware-related incidents.
The report concluded that ransomware will remain a significant operational and financial risk, and that evolving threat groups continue to rely on unhosted crypto wallets and established laundering typologies. FinCEN directs institutions to federal resources such as CISA’s StopRansomware.gov and NIST’s ransomware guidance, stressing that mitigation demands coordinated cybersecurity, risk management, and regulatory compliance efforts across the financial sector.
