Ransomware Payments Are Getting Bigger as Hackers Shift Focus to Larger Targets: Chainalysis

New research from blockchain surveillance firm Chainalysis shows that ransomware gangs are getting more sophisticated.

AccessTimeIconFeb 10, 2022 at 3:05 p.m. UTC
Updated May 11, 2023 at 7:18 p.m. UTC

The average size of ransomware payments hit an all-time high in 2021, according to a new report by blockchain research firm Chainalysis.

Chainalysis’ data shows the average ransomware payment size last year reached $118,000 in cryptocurrency, up from $88,000 in 2020, according to a report published Thursday. In 2019, the average ransomware payment was only $25,000. Kim Grauer, Chainalysis’ head of research, attributes this jump to the growing sophistication of ransomware groups.

  • FBI Launches New Crypto Crimes Unit
    FBI Launches New Crypto Crimes Unit
  • Russian Authorities Say They’ve Dismantled REvil Ransomware Group at US Request
    Russian Authorities Say They’ve Dismantled REvil Ransomware Group at US Request
  • Key Takeaways From Senate Banking Committee’s Crypto Hearing
    Key Takeaways From Senate Banking Committee’s Crypto Hearing
  • What to Expect From Tuesday’s Crypto Hearings in DC
    What to Expect From Tuesday’s Crypto Hearings in DC
  • Over the last two years, ransomware attacks have skyrocketed. Chainalysis has identified $692 million worth of payments to wallet addresses affiliated with ransomware groups in 2020 and, at the time of publication, $602 million in 2021. However, Grauer stressed that the real number is likely to be much higher – setting a new record for ransomware payments in 2021 – as Chainalysis continues to identify ransomware-associated wallets.

    As ransomware gangs continue to profit and gain experience, they are learning how to adapt to avoid detection and go after bigger targets. Grauer told CoinDesk that data shows many ransomware gangs are reinvesting a larger percentage of stolen funds back into their operations. In 2021,16% of all funds sent from wallets associated with ransomware operators were spent on tools and services, like penetration testing or more secure web hosting, to make their attacks more effective.

    “They're investing in their business,” Grauer said. “You know, you have to spend money to make money.”

    The jump, up from 4% in 2020, is largely driven by the rise of ransomware as a service (RaaS), which enables ransomware gangs to purchase already-developed strains of ransomware, like Conti or DarkSide, from ransomware creators, usually in exchange for a portion of the proceeds.

    However, Grauer also pointed out that, while RaaS might be growing, blockchain data shows that at least 140 ransomware developers received payments from victims last year – a new all-time high. The growth signals that ransomware strains are becoming dormant faster, which Grauer said is a tactic used to avoid law enforcement detection, but is also a sign of the rise of home-brewed ransomware tools.

    “We’re actually starting to see some places where there’s a move away from RaaS and back to self-produced ransomware,” Grauer said. “We’re seeing that in Iran, where Iranian bad actors are just building their own ransomware from scratch.”

    Grauer told CoinDesk that, by creating their own ransomware, ransomware gangs can create a more tailored attack for specific or high-security targets.

    “One thing we did see in Iran was some geopolitical attacks against targets in Israel,” Grauer said.

    The geopolitical implications of ransomware are growing. After a Russia-based ransomware group carried out the Colonial Pipeline attack last summer, the Biden administration has made cracking down on ransomware a priority.

    President Biden has called out Chinese state actors for ransomware and cryptojacking attacks, and pushed Russia to arrest known members of ransomware gangs. The administration also began adding crypto exchanges to its sanctions blacklist last year.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Cheyenne Ligon

    Cheyenne Ligon is a CoinDesk news reporter with a focus on crypto regulation and policy. She has no significant crypto holdings.