Ransomware payments in crypto shoot up as new trends emerge

The global shift to remote and hybrid working, combined with the increasing brazenness of cybercriminals, is creating new ransomware threats for businesses everywhere.

The rapid growth in funds across crypto markets is creating more opportunities for attacks on businesses, and an increasing number of ransomware victims are paying up in order to limit disruption and damage. In our previous Crypto Crime Report, we deemed 2020 the “Year of Ransomware” due to the huge growth in crypto extorted in ransomware attacks.

When we first released that report last year, we announced that we had tracked roughly $350 million worth of payments from victims to ransomware operators.

However, we explained at the time that this figure was likely an underestimate we would raise in the future due to both underreporting by ransomware victims and our continuing identification of ransomware addresses that have received previous victim payments.

Sure enough, we’ve now identified just over $692 million in 2020 ransomware payments — nearly double the amount we initially identified at the time of writing last year’s report.

Our 2022 Crypto Crime Report shows that as of January this year, we’ve identified just over $602 million worth of ransomware payments in 2021. However, just like last year, we know that this too is an underestimate, and that the true total for 2021 is likely to be much higher.

What are the global ransomware trends and motives?

In fact, despite these numbers, anecdotal evidence, together with the fact that ransomware revenue in the first half of 2021 exceeded that of the first half of 2020, suggests to us that 2021 will eventually be revealed to have been an even bigger year for ransomware.

Key ransomware trends and players

Overall, 2021 also saw more active individual ransomware strains than any other year. At least 140 ransomware strains received payments from victims at any point in 2021, compared to 119 in 2020, and 79 in 2019. Those numbers are emblematic of the intense growth of ransomware we’ve seen over the last two years. Most ransomware strains come and go in waves, staying active for a short amount of time before becoming dormant.

Ransomware payment sizes also continued to grow in 2021, a trend we’ve observed every year since 2018. The average ransomware payment size was over $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019. Large payments such as the record $40 million received by Phoenix Cryptolocker spurred this all-time high in average payment size.

One reason for the increase in ransom sizes is ransomware attackers’ focus on carrying out attacks against large firms. This “big game hunting” strategy is enabled in part by attackers’ usage of tools provided by third-party providers to make their attacks more effective.

Conti was the biggest ransomware strain by revenue in 2021, extorting at least $180m from victims. Believed to be based in Russia, Conti operates using the ransomware-as-a-service (RaaS) model, meaning Conti allows affiliates to launch attacks using its program for a fee.

DarkSide is also notable, both for ranking second in 2021 in funds extorted from victims and also for its role in the attack on oil pipeline Colonial Pipeline, one of the year’s most notable ransomware attacks. The attack caused fuel shortages in some areas of the U.S., which were exacerbated by subsequent panic buying as word of the attack’s impact spread.

This serves as a reminder of why ransomware attacks are so dangerous: They frequently target critical infrastructure we need to keep the country running — not just energy providers, but food providers, schools, hospitals and financial services companies as well.

Below, we’ll look more at how ransomware operators laundered their funds, which ransomware strains were most prolific in 2021, and the rising weaponisation of ransomware.

Money laundering makes its mark

Most strains have laundered their funds by sending them to centralised exchanges. Some of these are in the high-risk category, meaning that they tend to have relaxed compliance procedures, but funds also go to mainstream exchanges with more established compliance programs. We see substantial funds sent to both mixers and addresses associated with other forms of illicit activity.

The money laundering trends get even more interesting if we drill down to the individual services receiving funds from ransomware. Amazingly, 56% of funds sent from ransomware addresses since 2020 have wound up at one of six cryptocurrency businesses:

  • Three large, international exchanges
  • One high-risk exchange based in Russia
  • Two mixing services

These money laundering trends show how small the ransomware ecosystem is. That means the strategy for fighting ransomware is likely simpler than it appears at first glance.

By cracking down on the services that facilitate this money laundering activity, law enforcement can greatly reduce attackers’ options for cashing out, reducing the financial incentive to carry out attacks and hampering ransomware organisations’ ability to operate.

The rise of rebranding

Two years ago, the average ransomware strain remained active for exactly one year. In 2021, the average strain is active for no more than two months. Why is the average ransomware lifespan dropping so quickly? One big reason for that is rebranding.

More than ever in 2021, cybersecurity researchers have noted instances of ransomware attackers publicly claiming to cease operations, only to relaunch later under a new name.

The rebranded strain’s financial footprint on the blockchain aligns with that of the original, which can tip investigators off as to who’s behind the new strain. While at least 140 strains were active in 2021, many of those strains were run by the same cybercriminal groups.

These strains attempt to create the illusion that they belong to different cybercriminal groups by setting up separate victim payment sites and other infrastructure, but share similarities in their code. Evil Corp, a Russia-based cybercriminal gang behind several ransomware attacks in recent years, has launched several rebranded strains throughout its history, including:

  • Doppelpaymer
  • Bitpaymer
  • WastedLocker
  • Hades

The uptick in ransomware rebranding is a reminder that the ransomware ecosystem is smaller than it appears. While new strains pop up all the time, many of them are ultimately run by the same groups and individuals, all of whom are likely feeling the pressure from law enforcement’s efforts to curb attacks, seize funds, and arrest the individuals responsible.

Rebranding is one way of evading those efforts, and suggests that investigators and cybersecurity professionals may be best served by studying ransomware attackers at the organisational level, and focusing less on the unique strains, to be prepared for the rebrand.

Ransomware as a geopolitical weapon

Most ransomware attacks appear to be financially motivated. However, others appear to be motivated by geopolitical goals, and seem more geared toward deception, espionage, reputational damage and disruption of the enemy government’s operations.

In cases where a ransomware strain contains no mechanism to collect payment or allow victims to recover their files, we can be more certain that money isn’t the attackers’ primary motivation. And that’s exactly what we saw in a recent ransomware attack on Ukrainian government agencies by hackers believed to be associated with the Russian government.

Ransomware is a useful cover for strategic deception against enemy states because attacks can be carried out cheaply, and it gives the attacking nation some measure of plausible deniability, as they can always claim the attack was carried out by mere cybercriminals.

But even ransomware attacks carried out for non-financial reasons can leave a trail on the blockchain. It’s crucial that agencies focused on national security understand how to trace funds using blockchain analysis, as this is the key to identifying the individuals involved in the attacks, the tools they use, and how they launder any funds obtained from victims.

Ransomware is one of the most dynamic, constantly changing forms of cryptocurrency-based crime. Between constant rebrands, shifting money laundering strategies, and the influence of geopolitics, it’s hard to know what’s coming next. There’s only one thing that’s certain in ransomware: Law enforcement will continue to investigate the cybercriminals responsible, and organisations like Chainalysis will be there to help every step of the way.


Kimberly Grauer is the Director of Research, Chainalysis, where she examines trends in cryptocurrency economics and crime. She was trained in economics at the London School of Economics and in politics at Oxford University. Previously, she explored technological advancements in developing countries as an academic research associate at the London School of Economics, and was an economics researcher at the New York City Economic Development Corporation.