Ransomware Payments Hit $4.5B: How AI Helps

$4.5 billion. That’s how much ransomware payments US Treasury tracking shows flowing to extortion crews since 2013—based on Bank Secrecy Act reporting from covered institutions. Even if you assume it’s an undercount (it is), the number tells a blunt story: ransomware isn’t a “security problem” anymore. It’s a financial system problem, and every organization that touches money, identity, or operations is in the blast radius.

The more interesting detail isn’t just the cumulative total—it’s the acceleration. FinCEN’s data indicates over $2.1B in ransomware payments tied to 4,194 incidents reported from 2022–2024, roughly matching the prior nine years (2013–2021) in far fewer calendar pages. And 2023 stands out as a peak year, with reported payments around $1.1B, a 77% jump over 2022.

This post is part of our AI in Cybersecurity series, and I’m going to be direct: most companies are still fighting ransomware like it’s 2018—ticket queues, manual triage, and brittle detections. Meanwhile attackers industrialized. AI doesn’t “solve” ransomware by itself, but it does change the economics by shrinking dwell time, spotting weak signals earlier, and automating containment before encryption and exfiltration.

What the Treasury numbers really say about ransomware economics

The headline number ($4.5B since 2013) matters because it quantifies a market. If you’re trying to reduce ransomware risk, you’re not just hardening systems—you’re trying to starve an ecosystem.

FinCEN’s reporting window also shows how the business model evolved:

• RaaS scaled the operation. Ransomware-as-a-service lowered the bar for affiliates and increased the volume of attacks.
• Double extortion pushed payment pressure up. Encryption is painful; data exposure is existential.
• Victim selection widened. Attackers increasingly pursue mid-market and smaller orgs because they’re easier to access and often slower to detect.

There’s also a nuance that security teams sometimes miss: the report reflects what BSA-covered entities saw and reported, not all attacks. So the “true” total is almost certainly higher. But undercounting doesn’t weaken the conclusion—it strengthens it.

If your controls only work when an analyst has time to look closely, you don’t have controls. You have good intentions.

Why 2023 spiked—and why “lower ransoms” isn’t comfort

2023’s spike aligns with what many incident responders observed: major groups operating at high tempo, an efficient initial-access marketplace, and a victim pool full of exposed edge devices and inconsistent MFA.

The source data and industry commentary point to another reality: ransomware crews are optimizing for throughput.

Smaller demands can mean higher attack volume

Some reporting indicates average and median payments dropped sharply in 2025, alongside a lower percentage of victims paying. That’s good news. But it’s not the same as “problem solved.” Lower payment size often pairs with:

• Higher frequency attacks against easier targets
• Faster intrusions with less “hands-on-keyboard” time
• More emphasis on exfiltration-first playbooks

A $75K demand hitting 40 companies is still a very good week for criminals.

Bitcoin dominance is a detection opportunity, not a footnote

FinCEN’s data shows the vast majority of reported payments were in Bitcoin, with far fewer in privacy coins like Monero. That matters operationally because it means:

• Payments often touch regulated entities (exchanges, payment rails)
• There are more places where anomaly detection and fraud analytics can work
• There’s more potential for real-time interdiction via compliance monitoring

This is one of the cleanest bridges between government tracking and enterprise defense: financial telemetry is security telemetry.

Where AI actually helps against ransomware (and where it doesn’t)

AI in cybersecurity is most useful when it reduces two things: time-to-detect and time-to-contain. Ransomware outcomes hinge on minutes and hours, not days.

Here are the highest ROI areas where AI-driven security tends to outperform purely rule-based approaches.

1) Early intrusion detection before ransomware is deployed

Ransomware attacks rarely start with encryption. They start with the boring stuff: credential abuse, remote access, persistence, reconnaissance.

AI helps by connecting weak signals across systems:

• Impossible travel and unusual login sequences
• Abnormal OAuth consent grants or token refresh patterns
• New admin privileges assigned outside change windows
• Lateral movement behaviors that don’t match baseline

A practical stance: use AI to prioritize, not to “decide.” The win is getting the right 5 alerts to the top, fast.

2) Detecting data exfiltration when attackers move faster

As responders have noted, many crews now spend less time inside networks. That means old-school “we’ll catch them during staging” assumptions fail.

AI-backed network analytics can spot:

• Large outbound transfers to rare destinations
• New compression/encryption processes at odd times
• Sudden spikes in access to file shares, email archives, or patient records

If you want one quotable rule for 2026 planning: treat abnormal data movement as seriously as malware.

3) Automating containment without waiting for a human

Ransomware response playbooks often die in the handoff: security sees something, IT has to approve isolation, someone worries about downtime, and then encryption lands.

AI-assisted automation (with guardrails) can:

• Isolate endpoints exhibiting encryption-like file I/O patterns
• Disable suspicious accounts and revoke active sessions
• Quarantine hosts showing lateral movement tools
• Trigger “safe mode” controls for critical servers

You’re not aiming for full autonomy. You’re aiming for fast, reversible actions.

4) Reducing false positives so teams don’t ignore the real thing

Security teams drown in noise. Attackers know it.

AI can reduce alert fatigue by clustering related events into one incident, enriching with context (asset criticality, identity risk, exposure), and recommending the next best action. This is how you get from “SIEM as a log lake” to SOC automation that actually changes outcomes.

Where AI doesn’t help much: if you don’t have basic coverage (endpoint telemetry, identity logging, email security, asset inventory), AI becomes an expensive way to be confused faster.

A ransomware-prevention blueprint that pairs well with AI

If you’re trying to drive ransomware risk down in 2026 budgets, don’t start with tools. Start with failure points. Here’s what works in the field, especially for mid-market orgs that can’t staff a 24/7 SOC.

Harden the entry points attackers keep using

Prioritize the controls that break the most common intrusion paths:

1. Phishing-resistant MFA for remote access, admin actions, and email
2. Tightening exposed services (VPNs, RDP, edge devices) and patch SLAs
3. Blocking credential replay with conditional access and device trust

AI value-add: identity risk scoring that adapts as behavior changes.

Make backups a ransomware control, not a storage project

“Backups exist” isn’t a plan. Backups only matter if you can restore fast and confidently.

• Keep offline/immutable copies
• Test restores quarterly (not annually)
• Separate backup admin identities from normal admin roles

AI value-add: anomaly detection on backup jobs (sudden deletion attempts, unusual access, or encryption activity).

Build an exfiltration-first incident response plan

Because attackers increasingly steal first, your IR plan needs to answer:

• How do we validate what was accessed and exported?
• What logs prove it (identity, endpoint, proxy, DNS, cloud audit)?
• Who decides notification, legal steps, and customer comms?

AI value-add: faster scoping—summarizing affected identities, systems, and data paths into a timeline.

Put “payment pressure” into executive tabletop exercises

Ransomware becomes a crisis when leaders aren’t aligned on decisions.

A good tabletop includes:

• A double-extortion scenario (leak threat + encryption)
• A supplier outage and holiday/weekend timing twist
• A realistic constraint: partial logging, incomplete asset inventory

AI value-add: simulation support—generating plausible attacker progressions and testing whether detections fire.

The compliance angle: payment tracking is a preview of where reporting is headed

FinCEN’s visibility comes from financial reporting requirements. That’s a hint about the direction of travel: more structured reporting, more expectations around timely detection, and more scrutiny of “reasonable security controls.”

From a leadership perspective, AI-driven cybersecurity should be framed as operational resilience:

• Fewer material incidents
• Faster containment
• Better evidence for auditors, insurers, and regulators

If you’re trying to justify spend, tie AI to measurable metrics: mean time to detect, mean time to contain, percent of automated containment actions reversed (a proxy for quality), and backup restore time.

What to do next if you want AI to reduce ransomware risk

Start small and focus on workflows where speed matters.

Here’s a practical sequence I’ve found works:

1. Instrument identity and endpoints first. If you can’t see it, AI can’t help.
2. Pick two ransomware “choke points.” Common picks: credential abuse and abnormal data movement.
3. Automate one containment action with approvals. For example: disable a user + revoke sessions when high-confidence impossible travel hits an admin account.
4. Run quarterly purple-team tests. Validate detections and tune automation thresholds.

Ransomware payments reaching $4.5B is a loud signal that attackers have a stable business model. The fastest way to disrupt that model is to prevent successful intrusions and block the paths to exfiltration and encryption.

Our AI in Cybersecurity series keeps coming back to the same idea: AI is most valuable when it compresses time—time attackers need to move, and time defenders need to respond. If your organization had to withstand a ransomware attempt next week, would you bet on human speed alone, or would you want automation on your side?