惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
The Last Watchdog
The Last Watchdog
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security
SecWiki News
SecWiki News
V
Vulnerabilities – Threatpost
Project Zero
Project Zero
O
OpenAI News
W
WeLiveSecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
H
Hacker News: Front Page
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
Help Net Security
Help Net Security
P
Privacy & Cybersecurity Law Blog
K
Kaspersky official blog
S
Security @ Cisco Blogs
Latest news
Latest news
AWS News Blog
AWS News Blog
U
Unit 42
Martin Fowler
Martin Fowler
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Scott Helme
Scott Helme
博客园 - 司徒正美
B
Blog RSS Feed
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
D
Docker
Google Online Security Blog
Google Online Security Blog
Jina AI
Jina AI
aimingoo的专栏
aimingoo的专栏
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Last Week in AI
Last Week in AI
月光博客
月光博客
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
小众软件
小众软件

Heimdal Security Blog

Top 6 Managed Detection and Response Providers Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors How to scale your patches without scaling your team (the patch wave) AI didn't break patching. It showed us patching was already broken. Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes How Dynamic Defense shuts an attacker out without shutting down the business Static security has run out of road. The case for Dynamic Defense Breaking the MSP Echo Chamber: The Power of Community How attackers built a RAT on a Windows machine using its own .NET compiler Attacker enables RDP, creates admin, erases evidence in ten seconds Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It Your Next Insider Threat May Be an AI Coworker The OSI Model and Its Two Missing Layers Heimdal® Marks Six Years of Consecutive ISAE 3000 SOC 2 Type II Certification The State of AI Risk Management in 2026 AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift Top 10 Cybersecurity Companies in Europe Heimdal Expands AI Strategy with AI Wingman and Third-Party AI Containment You Only Know What You’ve Got When Its Gone Nordic MSPs Can Now Access Heimdal’s Unified Security and Compliance Platform Through Elovade OpenClaw Incidents Show Why AI Adoption Pressure Puts Companies at Risk Heimdal Claims Industry First With a Cyber Essentials Control Mapping for PEDM to Help Organisations Prove Least Privilege Five Predictions for Cyber Security Trends in 2026 Heimdal Achieves OPSWAT Gold Certification for Anti-Malware How to Avoid Holiday Shopping Scams (From a Former Cyber Detective) ITDR Best Practices: How to Detect, Prevent, and Contain Critical Identity Threats When Buyers Discount MSPs With One Big Customer You’re Not Technical? That Excuse Just Expired! Tool Sprawl Taxes Your Business More Than You Think Heimdal 5.1.0 RC Dashboard: Smarter Automation, Stronger Compliance, and Smoother Control Can Generative AI Be Weaponized for Cyberattacks? Digital Warfare and the New Geopolitical Frontline
Nearly 40% of 2024 Ransomware Payouts May Have Gone to Russia, China & North Korea
Morten Kjaersgaard · 2025-11-05 · via Heimdal Security Blog

Ransomware victims paid an estimated $813 million in 2024. Nearly 40 percent of that may have gone to actors in Russia, China and North Korea, according to new analysis from cybersecurity firm Heimdal.

Heimdal used recent telemetry, infrastructure tracing and ownership mapping to assess how ransomware revenue is likely distributed.

The $813 million figure comes from Chainalysis and remains the most current full-year total available.

These findings offer new visibility into where ransomware profits go and raise questions about what governments, infrastructure providers and regulators can do to disrupt their flow.

Tracing the money

Heimdal’s analysis, based on internal telemetry, attack-source tracing and ownership mapping, shows how ransomware revenue moves through opaque networks and front entities.

If the 2024 $813 million ransomware payments were distributed proportionally, about $211 million would likely go to entities in Russia.

Russia, China and North Korea together could account for roughly 38 percent of total payouts.

Shell companies are often used to obscure operations.

One example is a German-addressed firm called Razi Network, which appears in European IP registry data but not in German business records, a sign of regulatory blind spots.

Similarly, North Korea’s APT38 group has been linked to operations from Panama-based IP ranges, showing how attackers exploit jurisdictions with weak oversight.

These entities often operate through a combination of national and transnational front companies.

Shell corporations and flexible address registries are frequently used to avoid attribution and delay enforcement efforts.

These findings highlight a core issue.

Ransomware thrives on cheap, accessible infrastructure and the ability to hide within global compliance loopholes.

How infrastructure enables it

The ransomware economy persists because several systemic gaps remain unresolved:

  • Inadequate know-your-customer (KYC) controls at domain registrars, IP allocators and national registries allow untraceable entities to operate.
  • Fragmented jurisdictions make coordinated takedowns slow and inconsistent.
  • There is no central authority or agreed-upon process for verifying IP allocations or legal entity ownership.
  • Profit-driven attackers automate, anonymize and scale operations at minimal cost.

How to raise the cost of attack

Reducing ransomware’s profitability means making attacks harder, riskier and more expensive to conduct.

Key actions include:

  • Strengthening verification at registries and infrastructure touchpoints
  • Increasing data-sharing between infrastructure providers
  • Enforcing transparency around payments and breach disclosures
  • Promoting intelligence collaboration between public and private sectors

Inside organizations, defensive strategies such as network segmentation, least-privilege access and immutable backups can reduce attackers’ returns by limiting damage and denying ransom leverage.

Why this matters

When attacking is cheap and defending is costly, criminals have the advantage.

To change the calculus, governments, industry and enterprises must target the economic foundations of ransomware: ease of set-up, monetization and concealment.

Ransomware is not just a malware problem. It is a business-model problem. Addressing it requires raising operational costs until the payoff no longer outweighs the risk.

Author Profile

linkedin icon

Morten Kjaersgaard is the Founder and Chairman of Heimdal®, a global leader in AI-powered cybersecurity. Under his leadership, Heimdal has grown from a startup in Copenhagen to a trusted security partner for over 16,000 organizations and more than 2,000 MSPs worldwide, defending against 260+ million cyber threats annually. With a sharp focus on unifying cybersecurity operations, Morten is recognized for his ability to align technical innovation with strategic business outcomes. His insights have shaped how organizations and partners alike approach risk reduction, compliance, and security maturity in an increasingly complex digital world. A respected voice in the industry, Morten frequently shares his expertise at international events and through media commentary—championing a more proactive, collaborative, and scalable model for cybersecurity success.