Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports
Summary
FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. A former ransomware negotiator, Angelo Martino, has pleaded guilty to conspiring with BlackCat (ALPHV) operators to extort U.S. companies in 2023. Martino, along with accomplices Kevin Tyler Martin and Ryan Goldberg, deployed BlackCat ransomware, shared confidential victim information to maximize ransom demands, and laundered illicit proceeds. Authorities seized $10 million in assets from Martino, and his co-defendants pleaded guilty in December 2025.
Timeline
12.03.2026 13:31 · 2 articles · 1mo ago
U.S. charges ransomware negotiator linked to BlackCat attacks
Angelo Martino pleaded guilty to conspiracy to obstruct, delay, or affect commerce by extortion for aiding BlackCat ransomware attacks in 2023. As a former DigitalMint negotiator, Martino shared confidential victim information with BlackCat operators to maximize ransom demands and collaborated with Kevin Tyler Martin and Ryan Goldberg to deploy ransomware against U.S. companies. Authorities seized $10 million in assets from Martino, including digital currency, vehicles, and luxury items. Martino faces up to 20 years in prison, with sentencing scheduled for July 9, 2026. His co-defendants, Martin and Goldberg, pleaded guilty in December 2025.
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
08.12.2025 23:07 · 2 articles · 4mo ago
FinCEN reports $2.1B in ransomware extortion from 2022 to 2024
FinCEN's report documents 4,194 ransomware incidents and over $2.1 billion in ransom payments from 2022 to 2024. The peak occurred in 2023, with 1,512 incidents and $1.1 billion in payments, followed by a decline in 2024 due to law enforcement actions against major ransomware gangs. The most targeted industries were manufacturing, financial services, and healthcare, with Akira, ALPHV/BlackCat, and LockBit being the most active ransomware families.
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
Information Snippets
FinCEN documented 4,194 ransomware incidents between January 2022 and December 2024.
First reported: 08.12.2025 23:07 · 1 source, 1 article
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
Organizations paid over $2.1 billion in ransom payments during this period.
First reported: 08.12.2025 23:07 · 1 source, 1 article
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
2023 saw the highest number of incidents (1,512) and ransom payments ($1.1 billion).
First reported: 08.12.2025 23:07 · 1 source, 1 article
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
2024 experienced a decline to 1,476 incidents and $734 million in payments.
First reported: 08.12.2025 23:07 · 1 source, 1 article
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
Manufacturing, financial services, and healthcare were the most targeted industries.
First reported: 08.12.2025 23:07 · 1 source, 1 article
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
Akira, ALPHV/BlackCat, and LockBit were among the most active ransomware families.
First reported: 08.12.2025 23:07 · 1 source, 2 articles
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
Bitcoin was the primary payment method, accounting for 97% of ransom payments.
First reported: 08.12.2025 23:07 · 1 source, 1 article
- FinCEN says ransomware gangs extorted over $2.1B from 2022 to 2024 — www.bleepingcomputer.com — 08.12.2025 23:07
Angelo Martino, a former DigitalMint employee, was charged with conspiracy to interfere with interstate commerce by extortion for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation.
First reported: 12.03.2026 13:31 · 2 sources, 2 articles
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
Martino shared confidential information with BlackCat operators while working as a ransomware negotiator for DigitalMint.
First reported: 12.03.2026 13:31 · 2 sources, 2 articles
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
Between April 2023 and April 2025, Martino was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg.
First reported: 12.03.2026 13:31 · 2 sources, 2 articles
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.
First reported: 12.03.2026 13:31 · 2 sources, 2 articles
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
The defendants paid the BlackCat administrators a 20% share of collected ransoms in exchange for access to the ransomware and extortion portal.
First reported: 12.03.2026 13:31 · 2 sources, 2 articles
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
At least five U.S. organizations were targeted, including a Tampa-based medical device manufacturer that paid a $1.27 million ransom.
First reported: 12.03.2026 13:31 · 2 sources, 2 articles
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
DigitalMint CEO Jonathan Solomon condemned the conduct and stated that the company had terminated the involved employees and fully cooperated with law enforcement.
First reported: 12.03.2026 13:31 · 1 source, 1 article
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
BlackCat ransomware was linked by the FBI to more than 60 breaches between November 2021 and March 2022, and raked in at least $300 million in payments from over 1,000 victims until September 2023.
First reported: 12.03.2026 13:31 · 1 source, 1 article
- US charges another ransomware negotiator linked to BlackCat attacks — www.bleepingcomputer.com — 12.03.2026 13:31
Angelo Martino pleaded guilty to conspiracy to obstruct, delay, or affect commerce by extortion for aiding BlackCat ransomware attacks in 2023.
First reported: 21.04.2026 17:31 · 1 source, 1 article
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 — thehackernews.com — 21.04.2026 17:31
Similar Happenings
Ransomware Payment Rate Declines Amid Rising Attacks
The percentage of ransomware victims paying threat actors dropped to 28% in 2025, the lowest recorded, despite a 50% increase in attacks. The ransomware payment rate has been declining for four consecutive years. Total on-chain payments reached $820 million, with projections exceeding $900 million. Factors like improved incident response, regulatory scrutiny, and law enforcement actions contributed to the decline. Ransomware actors are extorting bigger payments from a smaller number of victims: the median ransom payment increased 368%, from $12,738 in 2024 to $59,556 in 2025. The average price for network access declined from $1,427 in Q1 2023 to $439 in Q1 2026. The number of active extortion groups rose to 85, with notable attacks on Jaguar Land Rover, Marks & Spencer, and DaVita Inc. The US was the most heavily targeted country, followed by Canada, Germany, the UK, and other parts of Europe. Manufacturing and finance/professional services were the most heavily hit in most of these countries, although Canada and Germany had a high compromise rate in supply chains, logistics, and critical infrastructure.
Phobos Ransomware Suspect Arrested in Poland
Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.
Jordanian Cybercriminal Admits Selling Access to 50 Enterprise Networks
Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in Georgia, pleaded guilty in a US court to selling unauthorized access to at least 50 compromised enterprise networks. The access was sold to an undercover agent on an underground cybercriminal forum. Albashiti, known online as 'r1z,' received payment in cryptocurrency. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.
Black Basta Leader Identified and Added to Interpol's Red Notice List
Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.
Yanluowang Ransomware Initial Access Broker Pleads Guilty
Aleksey Olegovich Volkov, a 26-year-old Russian national from St. Petersburg, was sentenced to 81 months in prison for his role as an initial access broker (IAB) facilitating ransomware attacks. Volkov pleaded guilty to multiple charges, including conspiracy to commit computer fraud and money laundering, and must pay at least $9.2 million in restitution to victims. Between July 2021 and November 2022, Volkov breached corporate networks and sold access to ransomware groups, including Yanluowang, resulting in extortion attempts totaling $24 million. He was arrested in Rome in 2024, extradited to the U.S. in 2025, and admitted to working with several major cybercrime groups. Yanluowang, a Russian ransomware operation unmasked in 2022, employed 'triple extortion' tactics and claimed victims such as Cisco and Walmart. Volkov’s activities as an IAB were part of a broader cybercrime supply chain, enabling multiple ransomware-as-a-service (RaaS) groups to accelerate attacks by purchasing network access. Investigators linked Volkov’s identity through digital evidence, including Apple iCloud data and cryptocurrency records, while chat logs and stolen data provided further confirmation of his involvement. His case highlights the interconnected nature of cybercriminal ecosystems, where access brokers, RaaS operators, and affiliates collaborate to maximize financial gain and operational efficiency.