Nearly $700 million spent on ransomware payments in 2020 alone: report

The Chainalysis report says the Conti ransomware group alone brought in $180 million in 2021 from ransoms.
Written by Jonathan Greig, Contributor

Victims of ransomware spent nearly $700 million paying off their attackers in 2020, according to a new report from blockchain analysis firm Chainalysis. 

In its previous report, the company pegged the figure at around $350 million, but it has since increased the figure "due to both underreporting by ransomware victims and our continuing identification of ransomware addresses that have received previous victim payments."

Right now, the latest figures show more than $692 million was spent on ransomware payments in 2020. For 2021, the company has already tracked over $602 million worth of ransomware payments but noted that, like the 2020 figure, it is an underestimate.

"In fact, despite these numbers, anecdotal evidence, plus the fact that ransomware revenue in the first half of 2021 exceeded that of the first half of 2020, suggests to us that 2021 will eventually be revealed to have been an even bigger year for ransomware," Chainalysis said. 

The report also listed the most prolific ransomware groups by total payments received, finding that Conti led the way with at least $180 million made from ransoms. 


The report notes that conversely, law enforcement agencies have made some headway in getting ransoms back, giving organizations even more incentive to report attacks. 

Unfortunately, 2021 also saw more active individual ransomware strains than any other year on record, according to the blockchain research organization. Their data shows that at least 140 ransomware strains received payments from victims at some point in 2021. The number was 119 in 2020 and 79 in 2019. 

The researchers added that more than ever, groups were also shutting down and restarting under new names, providing one explanation for the increase in ransomware strains. The average number of days a ransomware strain stayed active in 2021 was 60, far lower than the 168 days in 2020 and 378 in 2019. 

Chainalysis claimed one criminal group -- Evil Corp -- had ties of some kind to the Doppelpaymer, Bitpaymer, WastedLocker, Hades, Phoenix Cryptolocker, Grief, Macaw, and PayloadBIN ransomware strains. The researchers were able to link some of the ransomware groups to one another based on their cryptocurrency transaction histories.

The company estimates that Evil Corp made at least $85 million from its various ransomware strains. 

Now that more ransomware groups are targeting larger, more profitable organizations, the average ransomware payment size increased to over $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019, according to the company's data. 

Most ransomware groups appear to send their ransoms to centralized exchanges or mixers as a way to launder their stolen funds. Chainalysis said more than half of the funds sent from ransomware addresses since 2020 have wound up at one of six cryptocurrency businesses: three large international exchanges, one high-risk exchange based in Russia, and two mixing services.

Chainalysis also included a rundown of their involvement in the investigation of the ransomware attack on Colonial Pipeline last May. 

The company helped the FBI track the 75 bitcoin Colonial Pipeline paid to DarkSide, and eventually the Justice Department was able to claw back about $2.3 million of the ransom. 

The address that initially received the ransom transferred it to accounts controlled by DarkSide's administrators, who then sent 63.7 bitcoin to the affiliate who led the attack. The affiliate had previously received payments from addresses associated with NetWalker, another ransomware strain disrupted by law enforcement in January 2021.

That affiliate received 595.3 bitcoin in four different chunks from the NetWalker administrator in late May and early June of 2020.

"After tracking the funds to the affiliate's address, FBI investigators were able to seize the funds on May 28, 2021," the researchers said. "The seizure represents a huge step forward in the fight against ransomware, and especially ransomware strains that attack our critical infrastructure."
