Cybersecurity

Reported ransomware payments reached $1.1 billion in 2024 — a record — even as the share of victims paying continues to decline. Data breaches exposed an estimated 4.2 billion records last year. Phishing remains the entry point for two-thirds of incidents.

$1.1B
Reported ransomware payments (2024)
4.2B
Records exposed in 2024 breaches
$4.9M
Average cost of a data breach
66%
Incidents that begin with phishing

Key insights

💰

Ransomware payments rising in value, falling in frequency

Chainalysis data shows total tracked ransomware payments doubled from $0.5B (2022) to $1.1B (2024) as attackers targeted larger organisations for bigger ransoms. The share of victims paying has fallen below 30% under improved backup hygiene and law-enforcement pressure. Average payment among those who pay rose to $2.0M.

🏥

Healthcare and public sector hit hardest

Healthcare led incident counts in 2024 with 23% of breaches affecting the sector — the Change Healthcare and Ascension breaches alone exposed 100M+ records. Government accounted for 11%, financial services 10%, manufacturing 9%. Healthcare also faces the highest average breach cost ($10.9M).

🎯

Identity is the new perimeter

Stolen credentials are now the most common initial access vector (38% of breaches per Verizon DBIR 2025), exceeding phishing (32%) and vulnerability exploitation (16%). MFA bypass attacks — SIM swapping, push-bombing, adversary-in-the-middle phishing kits — have risen sharply. FIDO2/passkey adoption is the leading mitigation but remains under 15% of enterprise logins.

Tracked ransomware payments 2019–2024

USD millions, on-chain analysis

Key Finding: Total tracked payments doubled in two years even as fewer victims pay — attackers are moving up-market.

Source: Chainalysis Crypto Crime Report 2025

Initial attack vector — breach incidents (2024)

% of confirmed breaches, Verizon DBIR

Key Finding: Credential theft has overtaken phishing as the leading initial access. Vulnerability exploitation gained share with the rise of edge-device CVEs.

Source: Verizon DBIR 2025

Methodology & caveats

What counts as a 'breach'

Definitions vary. Verizon's DBIR distinguishes incidents (any security event) from breaches (confirmed data disclosure). Many trackers use SEC, GDPR or state-AG disclosures, which captures large US/EU events but misses many incidents elsewhere. Counts are therefore lower bounds.

Ransomware measurement

Chainalysis tracks payments by following crypto wallet flows on-chain. The methodology captures crypto-denominated ransoms (the vast majority) but misses fiat-denominated cases and double-counts when attackers move funds through mixers. Year-prior figures are revised upward as more attribution emerges.

Cost-per-record vs total cost

IBM's annual Cost of a Data Breach report quotes both. Total cost reflects investigation, notification, regulatory fines and lost business; cost-per-record is total divided by records exposed. Mega-breaches (100M+ records) drag the per-record figure down without reducing total impact.