Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
According to the annual report from the FBI’s Internet Crime Complaint Center (IC3), ransomware was the biggest threat to critical infrastructure last year, with complaints up 9%.
More widely, the IC3 report revealed losses across the country from online crime climbed 33% on year to $16 billion in 2024. The top three crimes by number of complaints were phishing/spoofing, extortion, and personal data breaches.
However, investment fraud — specifically related to cryptocurrency — caused the most financial losses, at more than $6.5bn.
"These rising losses are even more concerning because last year, the FBI took significant actions to make it harder, and more costly, for malicious actors to succeed," wrote B. Chad Yarbrough, operations director for criminal and cyber at the FBI, in the report.
"We dealt a serious blow to LockBit, one of the world’s most active ransomware groups. Since 2022, we have offered up thousands of decryption keys to victims of ransomware, avoiding over $800 million in payments."
The IC3 figures are based on reports from victims, but when it comes to ransomware companies may not admit they've fallen victim in order to quietly pay criminals to avoid negative publicity — or to avoid having to build ransomware resilience ahead of time to avoid paying out.
"Reporting is one of the first and most important steps in fighting crime so law enforcement can use this information to combat a variety of frauds and scams," said FBI Director Kash Patel.
"The IC3… is only as successful as the reports it receives; that’s why it’s imperative that the public immediately report suspected cyber-enabled criminal activity to the FBI."
Check Point reports record ransomware attacks
The FBI report comes as Check Point Research released data that showed global ransomware attacks were up 126% year on year, with the most attacks by the Cl0p ransomware gang, largely because of its mass disclosure of more than 300 victims related to its exploit of the Cleo file transfer software.
"The adjusted monthly average exceeds 650 victims, compared to ~450 per month throughout 2024," Check Point said in a blog post. "With Cl0p included, the average for Q1 rises to 760 per month — setting a new benchmark for ransomware activity."
The company admitted that it was difficult to pin down the number of victims, again due to the fact that some pay up rather than admit an attack. Similarly, the security firm noted that cyber criminals often overplay their successes.
"This sharp rise may partially reflect a growing trend among threat actors to exaggerate their impact, including the fabrication of victim data to project greater reach and intimidate targets," the company said.
"At the same time, it is worth noting that organizations which pay ransoms swiftly are typically excluded from public disclosure on leak sites, suggesting that historically, published figures may have significantly underrepresented the true scale of ransomware incidents."
Reporting will remain an issue
Because of such payouts, Dr Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at BCS, said that the report's figures were just the "tip of the formidable iceberg".
"A growing number of US companies prefer to silently 'settle' with cybercriminals, especially with those groups that have a good reputation and history of keeping their intrusions confidential after being paid," he noted.
There are rules against such payments, in some cases.
"Sometimes, such payments may be perfectly legal, for example, when no personal data, classified or confidential data of third party is stolen," Kolochenko said.
"Rules may be harsher for governmental entities, as in some states they are flatly prohibited from paying ransoms, or for publicly traded companies given that such incidents may be required to be reported to the SEC and publicly disclosed," he added.
"Possible violation of sanctions – when buying cryptocurrencies from decentralized exchanges and when actually paying the threat actor – are also non-negligible."
Kolochenko predicts more and more companies will choose to pay rather than face negative headlines about ransomware attacks.
"With the overall deregulation spirit of the President Trump administration, we will probably see a steadily growing number of organizations that will prefer to silently pay a ransom and forget about the incident."
MORE FROM ITPRO
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
Ransomware gangs are using employee monitoring software as a springboard for cyber attacks
Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoing
Google issues warning over ShinyHunters-branded vishing campaigns
The FBI has seized the RAMP hacking forum, but will the takedown stick? History tells us otherwise
Everything we know so far about the Nike data breach
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radar
Hacker offering US engineering firm data online after alleged breach
