Ransomware Attacks Growing More Profitable: Chainalysis

Ransomware-linked addresses have seen at least $81 million in crypto flow this year, the blockchain analytics firm said in a new report.

May 14, 2021 at 4:00 p.m. UTC
Updated Sep 14, 2021 at 12:56 p.m. UTC

Ransomware attackers are growing more dangerous, more sophisticated and sharply more profitable in extracting crypto from their victims, according to on-chain data reviewed by Chainalysis.

In a new report, the blockchain analytics firm said ransomware-linked addresses have banked at least $81 million in crypto this year after amassing a record $406 million in 2020. Chainalysis suspects the true toll is far higher. New addresses frequently pop up, and victim corporations often keep their ransomware run-ins under wraps.

Just last week Colonial Pipeline suffered a debilitating ransomware attack that forced it to freeze a critical oil and gas artery for the U.S. eastern seaboard. Colonial ultimately paid the group, which was using DarkSide ransomware, $5 million in crypto to unlock its network, according to reports.

Chainalysis said the prevalence of ransomware-as-a-service (RaaS) is contributing to the blistering spread of corporate cyber attacks. Under RaaS, ransomware developers essentially license out their software strains and share in their affiliates’ profits. DarkSide generated the vast majority of RaaS revenue through Q1, the report said. 

Ransomware payouts are also steadily growing. Victims paid an average of $54,000 in Q1, compared to an average of $46,000 in Q4 2020 and just $12,000 in Q4 2019. There tends to be at least one $10 million ransom paid each quarter, but groups have demanded as much as $50 million.

Cryptocurrency, especially bitcoin, the top ransomware payout, is inherently traceable because of its public blockchain, allowing Chainalysis to follow the money. It said ransomware addresses spread over 9% of victim funds across fraud shops, hacking tool service providers and even professional negotiator services last quarter to support their extortion efforts. Just 3% of the crypto flowed that way in Q1 2020.

But the vast majority of last quarter’s ransomware payouts, over 75%, ended up on crypto exchanges, Chainalysis said. 

Likewise, the vast majority of ransomware strains appear to emanate from Russia’s sphere of influence. Russian-affiliated cybercriminals “have been among the most prolific in the world,” Chainalysis said, especially in crypto crime. They account for a “larger share” of ransomware activity in 2021.

The most profitable ransomware strains of 2021 are hard-coded to avoid Russian-speaking victims, Chainalysis said. It estimated Russia-linked strains have taken in 92% of this year’s ransomware proceeds, compared to 86% last year.

Law enforcement entities may be targeting ransomware proprietors. On Friday, BleepingComputer reported that federal officials had seized the servers belonging to DarkSide, and the group's crypto appears to have been sent to another wallet.



CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.
