Ransomware Attacks Growing More Profitable: Chainalysis

Ransomware-linked addresses had at least $81 million in crypto flow in this year, the blockchain analytics firm said in a new report.

AccessTimeIconMay 14, 2021 at 4:00 p.m. UTC
Updated Sep 14, 2021 at 12:56 p.m. UTC

Ransomware attackers are growing more dangerous, more sophisticated and sharply more profitable in extracting crypto from their victims, according to on-chain data reviewed by Chainalysis.

In a new report, the blockchain analytics firm said ransomware-linked addresses have banked at least $81 million in crypto this year after amassing a record $406 million in 2020. Chainalysis suspects the true toll is far higher. New addresses frequently pop up, and victim corporations often keep their ransomware run-ins under wraps.

Just last week Colonial Pipeline suffered a debilitating ransomware attack that forced it to freeze a critical oil and gas artery for the U.S. eastern seaboard. Colonial ultimately paid the group, which was using DarkSide ransomware, $5 million in crypto to unlock its network, according to reports.

Chainalysis said the prevalence of ransomware-as-a-service (RaaS) is contributing to the blistering spread of corporate cyber attacks. Under RaaS, ransomware developers essentially license out their software strains and share in their affiliates’ profits. DarkSide generated the vast majority of RaaS revenue through Q1, the report said. 

Ransomware payouts are also steadily growing. Victims paid an average of $54,000 in Q1, compared to $46,000 in Q4 2020 and just $12,000 average in Q4 2019. There tends to be at least one $10 million ransom paid a quarter, but groups have demanded as much as $50 million.

Cryptocurrencies, especially bitcoin, the top ransomware payout, is inherently traceable because of its public blockchain, allowing Chainalysis to follow the money. It said ransomware addresses spread over 9% of victim funds across fraud shops, hacking tool service providers and even professional negotiator services last quarter to support their extortion efforts. Just 3% of the crypto flowed that way in Q1 2020.

But the vast majority of last quarter’s ransomware payouts, over 75%, ended up on crypto exchanges, Chainalysis said. 

Likewise, the vast majority of ransomware strains appear to emanate from Russia’s sphere of influence. Russian-affiliated cybercriminals “have been among the most prolific in the world,” Chainalysis said, especially in crypto crime. They account for a “larger share” of ransomware activity in 2021.

The most profitable ransomware strains of 2021 are hard coded to avoid Russian-speaking victims, Chainalysis said. It estimated Russia-linked strains have taken in 92% of this year’s ransomware proceeds, compared to 86% last year. 

Law enforcement entities may be targeting ransomware proprietors. On Friday, BleepingComputer reported that federal officials had seized the servers belonging to DarkSide, and the group's crypto appears to have been sent to another wallet.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.

Read more about