Ransomware victims paid an estimated $813 million in 2024. Nearly 40 percent of that may have gone to actors in Russia, China and North Korea, according to new analysis from cybersecurity firm Heimdal.
Heimdal used recent telemetry, infrastructure tracing and ownership mapping to assess how ransomware revenue is likely distributed.
The $813 million figure comes from Chainalysis and remains the most current full-year total available.
These findings offer new visibility into where ransomware profits go and raise questions about what governments, infrastructure providers and regulators can do to disrupt their flow.
Tracing the money
Heimdal’s analysis, based on internal telemetry, attack-source tracing and ownership mapping, shows how ransomware revenue moves through opaque networks and front entities.
If the $813 million in 2024 ransomware payments were distributed proportionally, about $211 million would likely go to entities in Russia.
Russia, China and North Korea together could account for roughly 38 percent of total payouts.
Shell companies are often used to obscure operations.
One example is a German-addressed firm called Razi Network, which appears in European IP registry data but not in German business records, a sign of regulatory blind spots.
Similarly, North Korea’s APT38 group has been linked to operations from Panama-based IP ranges, showing how attackers exploit jurisdictions with weak oversight.
These entities often operate through a combination of national and transnational front companies.
Shell corporations and flexible address registries are frequently used to avoid attribution and delay enforcement efforts.
These findings highlight a core issue: ransomware thrives on cheap, accessible infrastructure and the ability to hide within global compliance loopholes.
How infrastructure enables it
The ransomware economy persists because several systemic gaps remain unresolved:
- Inadequate know-your-customer (KYC) controls at domain registrars, IP allocators and national registries allow untraceable entities to operate.
- Fragmented jurisdictions make coordinated takedowns slow and inconsistent.
- There is no central authority or agreed-upon process for verifying IP allocations or legal entity ownership.
- Profit-driven attackers automate, anonymize and scale operations at minimal cost.
How to raise the cost of attack
Reducing ransomware’s profitability means making attacks harder, riskier and more expensive to conduct.
Key actions include:
- Strengthening verification at registries and infrastructure touchpoints
- Increasing data-sharing between infrastructure providers
- Enforcing transparency around payments and breach disclosures
- Promoting intelligence collaboration between public and private sectors
Inside organizations, defensive strategies such as network segmentation, least-privilege access and immutable backups can reduce attackers’ returns by limiting damage and denying ransom leverage.
Why this matters
When attacking is cheap and defending is costly, criminals have the advantage.
To change the calculus, governments, industry and enterprises must target the economic foundations of ransomware: ease of set-up, monetization and concealment.
Ransomware is not just a malware problem. It is a business-model problem. Addressing it requires raising operational costs until the payoff no longer outweighs the risk.