CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports

First reported
Last updated
1 unique sources, 2 articles

Summary

Hide ▲

FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.

Timeline

  1. 12.03.2026 13:31 1 articles · 23h ago

    U.S. charges ransomware negotiator linked to BlackCat attacks

    The U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks. At least five U.S. organizations were targeted, including a Tampa-based medical device manufacturer that paid a $1.27 million ransom.

    Show sources
    Open in new tab
  2. 08.12.2025 23:07 2 articles · 3mo ago

    FinCEN reports $2.1B in ransomware extortion from 2022 to 2024

    FinCEN's report documents 4,194 ransomware incidents and over $2.1 billion in ransom payments from 2022 to 2024. The peak occurred in 2023, with 1,512 incidents and $1.1 billion in payments, followed by a decline in 2024 due to law enforcement actions against major ransomware gangs. The most targeted industries were manufacturing, financial services, and healthcare, with Akira, ALPHV/BlackCat, and LockBit being the most active ransomware families.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Ransomware Payment Rate Declines Amid Rising Attacks

The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. The median ransom payment surged by 368%, indicating larger payouts from fewer victims. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The U.S. remained the most targeted country. The ransomware payment rate has been declining for four consecutive years, and the average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026. Ransomware actors are extorting bigger payments from a smaller number of victims, and the median payment increased 368%, from $12,738 in 2024 to $59,556 in 2025. The US was the most heavily targeted country, followed by Canada, Germany, the UK, and other parts of Europe. Manufacturing and finance/professional services were the most heavily hit in most of these countries, although Canada and Germany had a high compromise rate in supply chains, logistics, and critical infrastructure.

Open in new tab

Phobos Ransomware Suspect Arrested in Poland

Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.

Open in new tab

Black Basta Leader Identified and Added to Interpol's Red Notice List

Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.

Open in new tab

Conti Ransomware Member Extradited from Ireland to US

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States and appeared in a Tennessee court on charges related to the Conti ransomware operation. He is accused of conspiring to deploy Conti ransomware, extorting over $500,000 in cryptocurrency from victims in the Middle District of Tennessee, and publishing stolen information. The Conti ransomware operation has been linked to over 1,000 victims worldwide, with ransom payments exceeding $150 million as of January 2022. Lytvynenko faces charges that could lead to 25 years in prison, including 20 years for wire fraud conspiracy and 5 years for computer fraud conspiracy. He was arrested in July 2023 by Irish authorities and detained until his extradition. The Conti group, initially a ransomware operation, evolved into a larger cybercrime syndicate, controlling multiple malware operations. After shutting down, its members have infiltrated other cybercrime groups. The FBI estimates Conti's malware was used in more critical infrastructure attacks than any other ransomware variant.

Open in new tab

Volodymyr Tymoshchuk Charged for LockerGoga, MegaCortex, Nefilim Ransomware Operations

Ukrainian national Volodymyr Viktorovich Tymoshchuk has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk faces multiple charges related to computer fraud, unauthorized access, and threatening to disclose confidential information. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities. Nefilim ransomware has been rebranded as Fusion, Milihpen, Gangbang, Nemty, and Karma.

Open in new tab