Ransomware Payoffs Surge by 311% to Nearly $350 Million

Payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with fewer than 200 deposit addresses receiving 80% of the funds.


Ransomware payments using cryptocurrency surged 311% in 2020, nearing a total volume of $350 million, as cybercriminals gravitated to crypto-locking as the easiest way to turn compromised systems into cash, blockchain analysis company Chainalysis stated in an analysis this week.

While ransomware payments through cryptocurrencies are skyrocketing, cybercrime overall accounts for a shrinking share of digital currency transactions, the company stated. Cybercrime transactions using cryptocurrency dropped by more than half to $10 billion, but because overall cryptocurrency transaction volume increased, cybercrime's share fell even more steeply, to only 0.34% of all cryptocurrency transaction volume in 2020, down from more than 2% in 2019.

The data demonstrates that, while ransomware has become a greater problem, cryptocurrency continues to expand its markets, says Kim Grauer, head of research at Chainalysis.

"Cryptocurrency has a reputation as being driven by cybercrime, speculation and tax-avoidance strategies," she says. "But it's increasingly being used as a store of value both in developed markets where asset managers are entering the space and in emerging markets."

The use of a cryptocurrency money-laundering scheme known as mixing has declined since a spike in the third quarter of 2019, according to Chainalysis data. In the final quarter of 2020, more than 90% of funds leaving ransomware wallets were destined for a cryptocurrency exchange, about half of which were designated "high risk" by Chainalysis. Often, different ransomware groups and strains use the same 

"We can find connections between ransomware strains by examining common deposit addresses to which wallets associated with different strains send funds," Chainalysis stated in its analysis. "We believe that most of the cases of deposit address overlap represent usage of common money laundering services by different ransomware strains."

While public reports have focused on the Maze Team — which appears to have shut down in November 2020 — and Egregor, which appears to have replaced Maze, Chainalysis found that the well-known Ryuk malware appears to be the most prolific ransomware threat to companies, both in the number of ransoms paid and the total profit. Three strains of ransomware — Ryuk, Maze, and Doppelpaymer — accounted for more than half of all the known ransom payments.

However, the company cautioned against drawing too many conclusions from strain-level figures, as many strains of ransomware are offered through ransomware-as-a-service (RaaS) programs. In other words, different cybercriminal groups may be using the same strain, or a collection of strains, so a strain does not map cleanly to a single operator.

"Many RaaS affiliates migrate between strains, suggesting that the ransomware ecosystem is smaller than one might think at first glance," the company stated in the report. "In addition, many cybersecurity researchers believe that some of the biggest strains may even have the same creators and administrators, who publicly shutter operations before simply releasing a different, very similar strain under a new name."

A key component of the ransomware ecosystem is the ability to launder the money paid by victims in order to foil law enforcement efforts to track funds. While ransom demands often specify a one-time wallet for payment, most funds ultimately track back to a limited number of accounts. In fact, 199 deposit addresses account for 80% of the value of ransomware payments, Chainalysis stated. These deposit addresses are hosted on exchanges, and often belong to an over-the-counter (OTC) brokerage or other nested service operating on top of the exchange, says Grauer.

"Mixers are still being used by criminals, but right now we are seeing large, organized criminal groups using laundering infrastructure that is based out of a few exchanges, such as OTC brokers who often specialize in laundering illicit funds," says Grauer.

Law enforcement could target the relatively low number of deposit addresses as a way to disrupt ransomware schemes. Chainalysis found that 25 deposit addresses accounted for 46% of all funds, and nine of those addresses were primarily used for ransomware payments.
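The two analyses described above (linking strains through shared deposit addresses, and measuring how few deposit addresses receive most of the value) can be reproduced on any set of attributed transaction records. The following is an added example, not Chainalysis code and not based on real blockchain data: the ledger of `(strain, deposit_address, amount_usd)` records, the strain names, the address labels and the amounts are all constructed for illustration, and the overlaps between strains in it are invented. It clusters strains that send to a common deposit address with a union-find over the strain/address graph and then counts how many of the largest deposit addresses are needed to cover 80% of the total.

```python
"""Deposit-address overlap and concentration analysis over a constructed
ledger of ransomware payouts.

Added example: not Chainalysis code. SAMPLE_LEDGER is hand-constructed;
strain names, deposit-address labels, amounts and the overlaps between
strains are invented for illustration only.
"""
from collections import defaultdict

# Constructed records: funds leaving a strain-attributed wallet, keyed by the
# exchange deposit address they landed at. Nothing here is a real address.
SAMPLE_LEDGER = [
    ("Strain1", "dep_A", 5_000_000),
    ("Strain1", "dep_B", 2_000_000),
    ("Strain2", "dep_A", 1_500_000),   # shares dep_A with Strain1 (invented)
    ("Strain3", "dep_C", 1_200_000),
    ("Strain4", "dep_C",   800_000),   # shares dep_C with Strain3 (invented)
    ("Strain5", "dep_D",   300_000),
    ("Strain6", "dep_E",   150_000),
    ("Strain7", "dep_F",    50_000),
]


def shared_addresses(ledger):
    """Deposit addresses that receive funds from two or more strains.

    This is the direct evidence the report describes: one deposit address
    fed by wallets attributed to different strains.
    """
    strains_by_addr = defaultdict(set)
    for strain, addr, _ in ledger:
        strains_by_addr[addr].add(strain)
    return {addr: sorted(s) for addr, s in strains_by_addr.items() if len(s) > 1}


def address_overlap_clusters(ledger):
    """Group strains that are connected through common deposit addresses.

    Strains and addresses are nodes; each payout is an edge. Clusters are the
    connected components, found with union-find (path halving), so a strain
    that shares an address with a second strain that shares another address
    with a third all end up in one cluster.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for strain, addr, _ in ledger:
        union(("strain", strain), ("addr", addr))

    clusters = defaultdict(set)
    for strain, _, _ in ledger:
        clusters[find(("strain", strain))].add(strain)
    # Return strain names only, deterministically ordered for comparison.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def concentration(ledger, share=0.80):
    """How many deposit addresses, taken largest-first, cover `share` of value.

    Returns (addresses_needed, fraction_actually_covered). Total inflow per
    address is summed across all strains before ranking.
    """
    by_addr = defaultdict(int)
    for _, addr, amount in ledger:
        by_addr[addr] += amount
    total = sum(by_addr.values())
    running = 0
    for n, amount in enumerate(sorted(by_addr.values(), reverse=True), start=1):
        running += amount
        if running >= share * total:
            return n, running / total
    return len(by_addr), 1.0


if __name__ == "__main__":
    print("shared deposit addresses:", shared_addresses(SAMPLE_LEDGER))
    print("strain clusters:", address_overlap_clusters(SAMPLE_LEDGER))
    n, frac = concentration(SAMPLE_LEDGER)
    print(f"{n} deposit addresses cover {frac:.1%} of value")
```

On the constructed ledger, two of seven strains pair up through `dep_A` and `dep_C`, and three of the six deposit addresses cover just over 95% of the value. The same caveat the report raises applies to the clustering: a shared deposit address shows that two strains use the same cash-out service, not that they are run by the same operators.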

"These services are incentivized to maintain their deposit addresses in the same way a brick-and-mortar business might not want to move locations. They'd have to tell their customers they are moving," Grauer says. "We don’t know for sure how many total groups are out there, but the fewer deposit addresses that need to be shut down to impact the current money laundering infrastructure, the better for investigation and compliance purposes."

Cryptocurrency markets are rife with speculation, but cryptocurrencies known as stablecoins, which are backed by assets (most often US dollars), are growing in popularity as a way to escape the volatility of the pure cryptocurrency markets. Stablecoins can be a hedge for international investors, but they are also more useful for money laundering and tax avoidance. In December, US financial regulators warned that stablecoins posed significant financial and regulatory risks.

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
