Anyone surprised about $4.5 Billion Ransom Payments since 2013?
DarkReading.com reported that “The US Treasury's Financial Crimes Enforcement Network (FinCEN) issued a report on Dec. 4 dedicated to ransom payments tracked as part of the Bank Secrecy Act of 1970 (BSA).” The December 8, 2025 article entitled “US Treasury Tracks $4.5B in Ransom Payments since 2013” (https://www.darkreading.com/cyberattacks-data-breaches/us-treasury-45b-ransom-payments-2013) included these comments:
The report primarily consists of data gathered from attacks that occurred between Jan. 1, 2022, and Dec. 31, 2024, that were then reported under the BSA. In total, the Treasury received 7,395 BSA reports relating to 4,194 ransomware incidents totaling more than $2.1 billion in payments to cybercriminals.
The report is by no means exhaustive — it represents only the attacks that were reported by (primarily financial) institutions covered under the US BSA law, and far more than 4,200 ransomware attacks occurred in a three-year period. However, the data paints a picture of how ransomware attacks have changed over time, and particularly how dramatically they have increased.
In addition to the $2.1 billion reported between 2022 and 2024, FinCEN also referenced the nine years before it. Between 2013 and the end of 2021, FinCEN received 3,075 BSA reports (under half of the more recent dataset) totaling approximately $2.4 billion in ransomware payments. In total, BSA-covered orgs have reported $4.5 billion in ransomware payments they caught wind of (or perhaps participated in) in the past 14 years.
What do you think?