Crypto Ransomware Losses Shrink Despite Surge in Attack Attempts

Ransomware payments fell by 35% in 2024, marking the first decline in extorted funds since 2022.

The cybersecurity landscape saw notable developments in early 2024, with two major reports highlighting evolving threats to cryptocurrency users. A Feb. 5 report from Chainalysis revealed a 35% decline in ransomware payments compared to the previous year, signaling progress in law enforcement efforts and a growing reluctance among victims to pay. Meanwhile, a Feb. 4 report from Kaspersky Labs detailed the emergence of SparkCat malware, which targets mobile users by scanning images for crypto wallet recovery phrases. 

Ransomware

Ransomware Payments Drop 35% in 2024 as Law Enforcement and Victim Refusal Strengthen Defenses

The total amount extorted through ransomware attacks saw a sharp decline of approximately 35% in 2024 compared to the previous year, according to a report published on Feb. 5 by blockchain analytics firm Chainalysis. The report noted a significant shift in the ransomware landscape, as attackers faced increased resistance from victims and greater scrutiny from law enforcement agencies.

In 2024, ransomware attackers managed to extract nearly $815 million from victims, a substantial drop from the record $1.25 billion extorted in 2023. This marks the first annual decline in ransomware-related revenue since 2022, showing the growing impact of countermeasures and policy shifts in the fight against cybercrime.

The decrease in ransomware revenues is attributed to multiple factors, including:

  • Heightened law enforcement actions: Governments worldwide have been cracking down on ransomware groups through arrests, asset seizures, and disruption of illicit networks.

  • International collaboration: Countries and agencies have enhanced their cooperative efforts, leading to a more effective global response.

  • Growing refusal to pay: More organizations and victims are refusing to meet ransom demands, a trend that has been encouraged by cybersecurity experts and authorities.

Cryptocurrency remains the primary medium of exchange in ransomware attacks, but the increasing regulatory scrutiny around crypto transactions has made it harder for cybercriminals to launder funds undetected.

With traditional ransomware strategies proving less effective, attackers have begun modifying their approaches to maintain profitability. Chainalysis noted key shifts in tactics, including:

  • Utilizing fresh code repositories to evade security measures.

  • Accelerating ransom negotiations, sometimes initiating extortion attempts within hours of an attack.

  • Diversifying attacker profiles, with threats originating from nation-state actors, ransomware-as-a-service (RaaS) operations, lone hackers, and smaller data theft groups.

These adaptations indicate that while total ransomware payments are falling, the overall volume of attacks is not decreasing. Instead, cybercriminals are testing new ways to pressure victims into paying.

Chainalysis' data suggests that the most significant decline in ransomware payments occurred in the second half of 2024. Payments dropped by roughly 79% compared to the first half of the year, signaling the growing effectiveness of law enforcement and cybersecurity measures.

Despite the drop in payments, the number of attempted ransomware attacks actually increased in H2 2024. This suggests that while more victims were targeted, fewer chose to comply with ransom demands, reinforcing the growing trend of non-payment.

This pattern highlights a shift in the cost-benefit dynamics of ransomware operations. Attackers are expending more effort on launching attacks but receiving diminishing returns, which may eventually lead to a decline in the number of cybercriminals engaging in ransomware activities.

The decline in ransomware payments is consistent with a broader downtrend in cryptocurrency-related exploits, hacks, and scams throughout 2024. December saw the lowest losses of the year, with total stolen funds amounting to $28.6 million, according to blockchain security firm CertiK.

The last quarter of the year experienced a significant decrease in major crypto heists:

  • October: $115.8 million in crypto-related losses.

  • November: $63.8 million in losses.

  • December: $28.6 million in losses.

CertiK attributes this decline to the absence of major hacks exceeding $100 million in damages, which were more frequent in previous months.

A Shift in Cybercrime Strategies for 2025?

The evolving landscape of ransomware and crypto-related cybercrime suggests that attackers will continue adapting to overcome increasing obstacles. The drop in payments does not necessarily indicate that ransomware itself is disappearing; instead, it reflects the growing difficulty in successfully extorting victims.

As law enforcement improves its capabilities and companies become more resistant to paying ransoms, cybercriminals may resort to alternative methods such as:

  • Targeting smaller organizations with lower security defenses.

  • Using social engineering and deepfake technology to manipulate victims.

  • Exploring alternative payment methods beyond crypto, such as untraceable gift cards or traditional financial fraud.

The 35% decline in ransomware payments in 2024 marks a pivotal moment in the fight against cybercrime. With law enforcement crackdowns, global cooperation, and victims' growing reluctance to pay, ransomware groups are finding it harder to profit.

However, the battle is far from over. As attackers adjust their methods, cybersecurity defenses must continue evolving to stay ahead. Looking forward, 2025 will likely bring new threats and attack strategies, making proactive security measures more crucial than ever.

Crypto Wallet

New Malware SparkCat Targets Crypto Wallets Through Photo Scanning on Mobile Apps

In related news, cybersecurity firm Kaspersky Labs has identified a new strain of malware, SparkCat, embedded within malicious software development kits (SDKs) used to build apps on Google Play Store and Apple App Store. This malware exploits users' mobile devices by scanning pictures and screenshots for cryptocurrency wallet recovery phrases, which are then used to drain funds without requiring passwords.

The discovery, detailed in a Feb. 4 report by Kaspersky analysts Sergey Puzan and Dmitry Kalinin, reveals a sophisticated attack vector that relies on optical character recognition (OCR) to extract sensitive text from users' photo galleries.

Once an app infected with SparkCat is downloaded onto a device, the malware:

  • Activates an OCR stealer to scan images stored in the device gallery.

  • Searches for keywords related to cryptocurrency wallet seed phrases, passwords, and other sensitive information.

  • Extracts and transmits data to the attackers, allowing them to restore and empty crypto wallets remotely.

“The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds,” Puzan and Kalinin wrote.

The malware's adaptability allows it to steal other personal data, including passwords, private messages, and sensitive documents, if they are captured in screenshots.

Kaspersky estimates that SparkCat has been downloaded over 242,000 times since its activity was first detected in March 2023. The primary victims appear to be Android and iOS users in Europe and Asia, though the full extent of the infection remains unknown.

Unlike traditional malware that typically targets a single app or platform, SparkCat is embedded in multiple apps, both real and fake, across the Google Play Store and Apple App Store.

The malware-laced apps come in various forms:

  • Legitimate-looking apps, such as food delivery services and utilities.

  • Fraudulent apps, designed specifically to lure victims, such as AI-powered messaging platforms.

Hidden in Plain Sight

The malware’s stealth capabilities make it difficult to detect:

  • It is built using the Rust programming language, which is uncommon for mobile apps, helping it evade security scans.

  • It is cross-platform, allowing it to target both Android and iOS users.

  • It uses obfuscation techniques to conceal its presence from malware detection systems.

Puzan and Kalinin noted that, on Android, the malware disguises itself as an analytics module called Spark, which interacts with an encrypted configuration file hosted on GitLab. The module receives commands and updates remotely, making it highly adaptable.

One of the biggest concerns raised by Kaspersky's report is how the malware ended up in so many apps. The researchers are uncertain whether the developers of the affected apps intentionally embedded SparkCat or if it spread through a supply chain attack—a method where hackers infiltrate third-party SDKs used by developers.

“Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims — for example, we have seen several similar ‘messaging apps’ with AI features from the same developer,” the report states.

While the origin of SparkCat remains unclear, Kaspersky’s researchers found comments and error descriptions written in Chinese within the malware's code. This provides “reason to believe that the developer of the malicious module is fluent in Chinese,” though attribution remains speculative.

The malware's behavior also closely resembles an attack campaign discovered in March 2023 by ESET researchers, suggesting that it could be the work of a previously known cybercriminal organization.

How to Protect Yourself

Kaspersky’s analysts strongly advise users to take proactive measures to avoid falling victim to SparkCat:

  1. Avoid storing sensitive information in images – Crypto recovery phrases and passwords should never be stored as screenshots or saved in a phone’s gallery.

  2. Use a secure password manager – Instead of relying on screenshots, users should store private information in an encrypted vault.

  3. Remove suspicious apps – If an app is behaving oddly, such as requesting unnecessary permissions, uninstall it immediately.

  4. Check app permissions – Be wary of apps requesting access to the photo gallery without a valid reason.

  5. Stick to verified crypto wallets – Download cryptocurrency wallets only from official websites or trusted sources.
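The mechanism described in the SparkCat section above (OCR text from the gallery searched for recovery-phrase-like words) can be turned around into a check that supports the first piece of advice in this list. The script below is an added example, not code from the article, from Kaspersky or from the malware itself: it takes OCR text that has already been extracted from a phone's screenshots (the OCR step, for instance with pytesseract, is assumed to run separately) and flags runs of words that look like a BIP39 recovery phrase, so the owner can delete those images or move the phrase into a vault before any OCR stealer sees them. The three sample screenshots' text, the file names and the optional `bip39_english.txt` path are constructed for the example; without the word list the check falls back to a length-and-shape heuristic, which is shown here because it is what makes a shot of numbered wallet words stand out from ordinary prose.

```python
"""Added example: flag screenshot text that looks like a wallet recovery
phrase so the owner can remove it before an OCR-stealing app reads it."""
import re
from pathlib import Path

# BIP39 recovery phrases are 12, 15, 18, 21 or 24 words long.
VALID_LENGTHS = {12, 15, 18, 21, 24}
# Every BIP39 English word is 3 to 8 lowercase letters.
WORD_RE = re.compile(r"^[a-z]{3,8}$")
# Common English function words that are NOT in the BIP39 list. Any of them
# ends a candidate run, which keeps ordinary sentences from being flagged.
RUN_BREAKERS = {"the", "and", "are", "was", "were", "for", "with", "its",
                "but", "not", "you", "your", "from", "have", "has"}
# Wallet apps usually print the phrase as a numbered list: "1. army 2. van".
NUMBERING_RE = re.compile(r"^(\d{1,2})[.):]?$")


def load_wordlist(path="bip39_english.txt"):
    """Return the BIP39 word set if the list file is present, else None.
    Assumption: one word per line, as the list is published with BIP39."""
    p = Path(path)
    return set(p.read_text().split()) if p.exists() else None


def find_candidate_phrases(text, wordlist=None):
    """Return the word runs in `text` that have the shape of a recovery phrase.

    A run is a sequence of plausible phrase words with nothing else in between.
    It is reported when its length is one of the valid phrase lengths and, if a
    word list is given, every word is on that list. This is a heuristic: a
    line of exactly twelve short words with no function words would also match.
    """
    candidates = []
    run = []

    def flush():
        if len(run) in VALID_LENGTHS:
            candidates.append(list(run))
        run.clear()

    for raw in text.lower().split():
        tok = raw.strip(".,;:!?\"'()[]")
        num = NUMBERING_RE.match(tok)
        if num:
            if int(num.group(1)) == 1:
                flush()          # "1." starts a fresh numbered list
            continue             # other numbers sit between words of one list
        plausible = bool(WORD_RE.match(tok)) and tok not in RUN_BREAKERS
        if plausible and (wordlist is None or tok in wordlist):
            run.append(tok)
        else:
            flush()
    flush()
    return candidates


def scan_gallery_text(ocr_results, wordlist=None):
    """Map image name -> candidate phrases, for images that contain one."""
    flagged = {}
    for name, text in ocr_results.items():
        hits = find_candidate_phrases(text, wordlist)
        if hits:
            flagged[name] = hits
    return flagged


# Constructed OCR output standing in for three screenshots; the twelve words
# in IMG_0042 are real BIP39 words used only to give the check something to find.
SAMPLE_OCR = {
    "IMG_0041.png": "Shopping: milk eggs bread butter coffee",
    "IMG_0042.png": ("Write these down! 1. army 2. van 3. defense 4. carry "
                     "5. jealous 6. true 7. garbage 8. claim 9. echo "
                     "10. media 11. make 12. crunch"),
    "IMG_0043.png": ("The quick brown fox jumps over the lazy dog and then "
                     "runs home across the field before dinner is served"),
}

if __name__ == "__main__":
    for name, phrases in scan_gallery_text(SAMPLE_OCR, load_wordlist()).items():
        print(f"{name}: {len(phrases)} possible recovery phrase(s); "
              "delete the image or move the phrase to an encrypted vault")
```

Running the script on the constructed samples reports only IMG_0042.png. The numbered-list handling matters: a screenshot of a wallet's backup screen almost always carries "1." to "12." between the words, and the leading "1." is also what separates the phrase from any caption text before it.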

The emergence of SparkCat sheds light on the evolving strategies cybercriminals are using to target cryptocurrency users. With the increasing popularity of mobile trading and decentralized wallets, hackers are shifting their focus to mobile devices as a new attack vector.

Google and Apple will likely face pressure to enhance security protocols in their app stores, especially when it comes to vetting third-party SDKs.

For now, crypto users must remain vigilant, as malware continues to evolve, seeking new ways to exploit human error and security loopholes.