Nearly 40% of 2024 ransomware payouts may have gone to Russia, China, North Korea

A sign displaying a seized hidden site during a press conference to announce an international ransomware enforcement action, at the Justice Department in Washington, DC, on January 26, 2023.

MANDEL NGAN // AFP via Getty Images

 

Ransomware victims paid an estimated $813 million in 2024. Nearly 40% of that may have gone to actors in Russia, China and North Korea, according to new analysis from cybersecurity firm Heimdal.

Heimdal used recent telemetry, infrastructure tracing and ownership mapping to assess how ransomware revenue is likely distributed.

The $813 million figure comes from Chainalysis and remains the most current full-year total available.

These findings offer new visibility into where ransomware profits go and raise questions about what governments, infrastructure providers and regulators can do to disrupt their flow.

Tracing the money

Heimdal’s analysis, based on internal telemetry, attack-source tracing and ownership mapping, shows how ransomware revenue moves through opaque networks and front entities.

If the $813 million in 2024 ransomware payments were distributed proportionally, about $211 million would likely go to entities in Russia. Russia, China and North Korea together could account for roughly 38% of total payouts.

Shell companies are often used to obscure operations. One example is a German-addressed firm called Razi Network, which appears in European IP registry data but not in German business records, a sign of regulatory blind spots. Similarly, North Korea’s APT38 group has been linked to operations from Panama-based IP ranges, showing how attackers exploit jurisdictions with weak oversight. These entities often operate through a combination of national and transnational front companies.

Shell corporations and flexible address registries are frequently used to avoid attribution and delay enforcement efforts. These findings highlight a core issue: ransomware thrives on cheap, accessible infrastructure and the ability to hide within global compliance loopholes.

How infrastructure enables it

The ransomware economy persists because several systemic gaps remain unresolved:

  • Inadequate know-your-customer (KYC) controls at domain registrars, IP allocators and national registries allow untraceable entities to operate.
  • Fragmented jurisdictions make coordinated takedowns slow and inconsistent.
  • There is no central authority or agreed-upon process for verifying IP allocations or legal entity ownership.
  • Profit-driven attackers automate, anonymize and scale operations at minimal cost.

How to raise the cost of attack

Reducing ransomware’s profitability means making attacks harder, riskier and more expensive to conduct. Key actions include:

  • Strengthening verification at registries and infrastructure touchpoints
  • Increasing data-sharing between infrastructure providers
  • Enforcing transparency around payments and breach disclosures
  • Promoting intelligence collaboration between public and private sectors

Inside organizations, defensive strategies such as network segmentation, least-privilege access and immutable backups can reduce attackers’ returns by limiting damage and denying ransom leverage.

Why this matters

When attacking is cheap and defending is costly, criminals have the advantage.

To change the calculus, governments, industry and enterprises must target the economic foundations of ransomware: ease of set-up, monetization and concealment.

Ransomware is not just a malware problem. It is a business-model problem. Addressing it requires raising operational costs until the payoff no longer outweighs the risk.

This story was produced by Heimdal and reviewed and distributed by Stacker.
