Ransomware Payments Exceed $2.1 Billion Since 2022, FinCEN Reports

FinCEN Analysis Shows Ransomware Payments Topped $2.1 Billion from 2022-2024, with ALPHV/BlackCat Leading

INFORMATIONAL
December 4, 2025
Ransomware, Regulatory, Threat Intelligence

Executive Summary

On December 4, 2025, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) published a Financial Trend Analysis detailing the severe economic impact of ransomware. Based on an analysis of Bank Secrecy Act (BSA) filings, FinCEN found that over $2.1 billion in ransomware-related payments were reported across 4,194 incidents from the beginning of 2022 through 2024. This figure highlights the unabated profitability of the ransomware ecosystem. The report indicates a significant peak in 2023, which saw $1.1 billion in payments alone. The analysis identifies top ransomware variants, including ALPHV/BlackCat, LockBit, and Akira, and points to the manufacturing and financial services industries as the most heavily targeted. The report serves as a stark reminder of the scale of the ransomware threat and reinforces the importance of public-private information sharing to combat it.


Regulatory Details

The FinCEN report is not a new regulation but an analysis of data collected under the existing Bank Secrecy Act. The BSA requires U.S. financial institutions to assist government agencies in detecting and preventing money laundering. This includes filing Suspicious Activity Reports (SARs) for transactions that may be related to criminal activity. In the context of ransomware, financial institutions, including convertible virtual currency (CVC) exchangers and administrators, are obligated to report payments they suspect are linked to ransomware demands. This data provides FinCEN with unique visibility into the financial flows of the ransomware economy.

Key Findings and Trends

  • Total Payments: Over $2.1 billion in ransomware payments were reported via 4,194 BSA filings between Jan 2022 and Dec 2024.
  • Peak Year: 2023 was the worst year on record, with 1,512 incidents totaling approximately $1.1 billion in payments, a 77% increase over 2022.
  • Payment Amounts: The median payment per incident rose to $175,000 in 2023 before slightly decreasing to $155,257 in 2024. The majority of payments remain under $250,000.
  • Top Variants: The most frequently reported ransomware variants were ALPHV/BlackCat, LockBit, Akira, Phobos, and Black Basta. The top 10 variants were responsible for $1.5 billion of the total payments.
  • Payment Method: Attackers overwhelmingly demand payment in convertible virtual currencies (CVC), such as Bitcoin or Monero, sent to unhosted wallets.

Affected Organizations

The report highlights that ransomware is a sector-agnostic threat, but some industries are disproportionately affected. The most targeted sectors based on BSA reporting were:

  1. Manufacturing
  2. Financial Services
  3. Healthcare

The analysis also notes the critical role of Initial Access Brokers (IABs) in the ransomware ecosystem, who provide ransomware gangs with access to already-compromised corporate networks.

Impact Assessment

The $2.1 billion figure represents only the reported payments and is likely a fraction of the true total cost of ransomware. The overall business impact extends far beyond the ransom payment itself and includes:

  • Recovery Costs: Expenses for rebuilding systems, restoring data from backups, and hiring incident response consultants.
  • Operational Downtime: Significant revenue loss due to business interruption, which can last for days or weeks.
  • Reputational Damage: Loss of customer trust and potential long-term impact on brand value.
  • Regulatory Fines: Penalties for data breaches, especially in regulated industries like healthcare (HIPAA) and finance.

FinCEN's analysis demonstrates that ransomware remains a highly lucrative and persistent criminal enterprise, posing a significant threat to economic stability and national security.

Compliance Guidance

While the report does not introduce new rules, it reinforces existing obligations for financial institutions:

  • Robust SAR Filing: Institutions must continue to diligently file detailed SARs for any transaction suspected to be related to ransomware. This includes providing all available information, such as wallet addresses, transaction hashes, and any identified ransomware variant.
  • Information Sharing: The report encourages participation in information-sharing programs like the Financial Sector Information Sharing and Analysis Center (FS-ISAC) to gain better insights into current threats.
  • Internal Controls: All organizations, not just financial institutions, should view this report as a call to action to strengthen their own cybersecurity posture. Key controls include regular patching, network segmentation, multi-factor authentication, and maintaining offline, immutable backups.

FinCEN Director Andrea Gacki's statement underscores the value of this reporting, as it provides law enforcement with the 'critical information to help detect cybersecurity trends that can damage our economy.'

Timeline of Events

  1. January 1, 2022: Start of the period analyzed by FinCEN for its ransomware trend report.
  2. December 31, 2023: End of the peak year for ransomware payments, with $1.1 billion reported.
  3. December 4, 2025: FinCEN releases its Financial Trend Analysis on ransomware.
  4. December 4, 2025: This article was published.

MITRE ATT&CK Mitigations

Train users to recognize and report phishing attempts, which are a primary initial access vector for ransomware.

Enforce MFA on all remote access points and critical internal systems to prevent attackers from using compromised credentials.

Consistently patch vulnerabilities in internet-facing systems and software to block common entry points for ransomware actors.

D3FEND Defensive Countermeasures

The most effective defense against the impact of a ransomware attack is the ability to restore systems and data without paying the ransom. Organizations must implement a robust backup strategy following the 3-2-1 rule: three copies of data, on two different media types, with one copy off-site and offline or immutable. Test restoration procedures regularly to ensure that backups are viable and that recovery time objectives (RTOs) can be met. This directly counters the primary leverage of ransomware actors (data encryption) and is a foundational element of cyber resilience.

Many ransomware attacks, including those by top variants like LockBit and ALPHV, begin with the exploitation of compromised credentials. Enforcing MFA across the enterprise is a critical preventative control. Prioritize deployment on all remote access solutions (VPNs, RDP gateways), cloud services (O365, AWS), and privileged accounts (Domain Admins). This single control dramatically raises the difficulty for attackers to gain initial access and move laterally, even if they have acquired a valid username and password.

Article Author

Jason Gomes


• Cybersecurity Practitioner

