惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Proofpoint News Feed
Attack and Defense Labs
Attack and Defense Labs
Security Archives - TechRepublic
Security Archives - TechRepublic
Engineering at Meta
Engineering at Meta
WordPress大学
WordPress大学
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
F
Full Disclosure
云风的 BLOG
云风的 BLOG
爱范儿
爱范儿
V2EX - 技术
V2EX - 技术
B
Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
M
MIT News - Artificial intelligence
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
W
WeLiveSecurity
Stack Overflow Blog
Stack Overflow Blog
TaoSecurity Blog
TaoSecurity Blog
T
Threatpost
小众软件
小众软件
T
The Blog of Author Tim Ferriss
Google Online Security Blog
Google Online Security Blog
MongoDB | Blog
MongoDB | Blog
T
Tenable Blog
P
Privacy International News Feed
S
Security @ Cisco Blogs
H
Heimdal Security Blog
大猫的无限游戏
大猫的无限游戏
B
Blog RSS Feed
H
Help Net Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Proofpoint News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
有赞技术团队
有赞技术团队
Application and Cybersecurity Blog
Application and Cybersecurity Blog
O
OpenAI News
Security Latest
Security Latest
S
Securelist
Cyberwarzone
Cyberwarzone
D
Docker
S
Schneier on Security
V
Vulnerabilities – Threatpost
The GitHub Blog
The GitHub Blog
P
Privacy & Cybersecurity Law Blog
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research

News Archives - Heimdal Security Blog

Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift Heimdal Achieves OPSWAT Gold Certification for Anti-Malware Digital Warfare and the New Geopolitical Frontline Is Your Tech Stack Killing Profitability? The Silent Bug Crippling MSP Growth Where Ransomware Profits Go and How to Cut Them Off Heimdal 5.0.0 RC: RDP Protection, Ransomware Detection, and OS Deployment Digital doppelgängers: How sophisticated impersonation scams target content creators and audiences Heimdal Joins the Tidal Cyber Registry with Its Extended Detection & Response (XDR) Solution Heimdal Investigation: European Organizations Hit by PDF Editor Malware Campaign Colt Technology Services Breached – Warlock Gang Claims Attack Fortinet VPNs Under Coordinated Attack Attack Surface Management: Why MSPs Don’t Need Another Tool Should MSPs Stop Chasing Leads and Start Solving Problems? Agent Fatigue Crisis Hits 89% of MSPs as Security Tools Backfire Your Protection Guide For Cybersecurity in Manufacturing
Nearly 40% of 2024 Ransomware Payouts May Have Gone to Russia, China & North Korea
Morten Kjaersgaard · 2025-11-05 · via News Archives - Heimdal Security Blog

Ransomware victims paid an estimated $813 million in 2024. Nearly 40 percent of that may have gone to actors in Russia, China and North Korea, according to new analysis from cybersecurity firm Heimdal.

Heimdal used recent telemetry, infrastructure tracing and ownership mapping to assess how ransomware revenue is likely distributed.

The $813 million figure comes from Chainalysis and remains the most current full-year total available.

These findings offer new visibility into where ransomware profits go and raise questions about what governments, infrastructure providers and regulators can do to disrupt their flow.

Tracing the money

Heimdal’s analysis, based on internal telemetry, attack-source tracing and ownership mapping, shows how ransomware revenue moves through opaque networks and front entities.

If the 2024 $813 million ransomware payments were distributed proportionally, about $211 million would likely go to entities in Russia.

Russia, China and North Korea together could account for roughly 38 percent of total payouts.

Shell companies are often used to obscure operations.

One example is a German-addressed firm called Razi Network, which appears in European IP registry data but not in German business records, a sign of regulatory blind spots.

Similarly, North Korea’s APT38 group has been linked to operations from Panama-based IP ranges, showing how attackers exploit jurisdictions with weak oversight.

These entities often operate through a combination of national and transnational front companies.

Shell corporations and flexible address registries are frequently used to avoid attribution and delay enforcement efforts.

These findings highlight a core issue.

Ransomware thrives on cheap, accessible infrastructure and the ability to hide within global compliance loopholes.

How infrastructure enables it

The ransomware economy persists because several systemic gaps remain unresolved:

  • Inadequate know-your-customer (KYC) controls at domain registrars, IP allocators and national registries allow untraceable entities to operate.
  • Fragmented jurisdictions make coordinated takedowns slow and inconsistent.
  • There is no central authority or agreed-upon process for verifying IP allocations or legal entity ownership.
  • Profit-driven attackers automate, anonymize and scale operations at minimal cost.

How to raise the cost of attack

Reducing ransomware’s profitability means making attacks harder, riskier and more expensive to conduct.

Key actions include:

  • Strengthening verification at registries and infrastructure touchpoints
  • Increasing data-sharing between infrastructure providers
  • Enforcing transparency around payments and breach disclosures
  • Promoting intelligence collaboration between public and private sectors

Inside organizations, defensive strategies such as network segmentation, least-privilege access and immutable backups can reduce attackers’ returns by limiting damage and denying ransom leverage.

Why this matters

When attacking is cheap and defending is costly, criminals have the advantage.

To change the calculus, governments, industry and enterprises must target the economic foundations of ransomware: ease of set-up, monetization and concealment.

Ransomware is not just a malware problem. It is a business-model problem. Addressing it requires raising operational costs until the payoff no longer outweighs the risk.

Author Profile

linkedin icon

Morten Kjaersgaard is the Founder and Chairman of Heimdal®, a global leader in AI-powered cybersecurity. Under his leadership, Heimdal has grown from a startup in Copenhagen to a trusted security partner for over 16,000 organizations and more than 2,000 MSPs worldwide, defending against 260+ million cyber threats annually. With a sharp focus on unifying cybersecurity operations, Morten is recognized for his ability to align technical innovation with strategic business outcomes. His insights have shaped how organizations and partners alike approach risk reduction, compliance, and security maturity in an increasingly complex digital world. A respected voice in the industry, Morten frequently shares his expertise at international events and through media commentary—championing a more proactive, collaborative, and scalable model for cybersecurity success.