Ransomware Payments Are Getting Bigger as Hackers Shift Focus to Larger Targets: Chainalysis

The average size of ransomware payments hit an all-time high in 2021, according to a new report by blockchain research firm Chainalysis.

Chainalysis’ data shows the average ransomware payment size last year reached $118,000 in cryptocurrency, up from $88,000 in 2020, according to a report published Thursday. In 2019, the average ransomware payment was only $25,000. Kim Grauer, Chainalysis’ head of research, attributes this jump to the growing sophistication of ransomware groups.

Over the last two years, ransomware attacks have skyrocketed. Chainalysis has identified $692 million worth of payments to wallet addresses affiliated with ransomware groups in 2020 and, at the time of publication, $602 million in 2021. However, Grauer stressed that the real number is likely to be much higher – setting a new record for ransomware payments in 2021 – as Chainalysis continues to identify ransomware-associated wallets.

As ransomware gangs continue to profit and gain experience, they are learning how to adapt to avoid detection and go after bigger targets. Grauer told CoinDesk that data shows many ransomware gangs are reinvesting a larger percentage of stolen funds back into their operations. In 2021,16% of all funds sent from wallets associated with ransomware operators were spent on tools and services, like penetration testing or more secure web hosting, to make their attacks more effective.

“They're investing in their business,” Grauer said. “You know, you have to spend money to make money.”

The jump, up from 4% in 2020, is largely driven by the rise of ransomware as a service (RaaS), which enables ransomware gangs to purchase already-developed strains of ransomware, like Conti or DarkSide, from ransomware creators, usually in exchange for a portion of the proceeds.

However, Grauer also pointed out that, while RaaS might be growing, blockchain data shows that at least 140 ransomware developers received payments from victims last year – a new all-time high. The growth signals that ransomware strains are becoming dormant faster, which Grauer said is a tactic used to avoid law enforcement detection, but is also a sign of the rise of home-brewed ransomware tools.

“We’re actually starting to see some places where there’s a move away from RaaS and back to self-produced ransomware,” Grauer said. “We’re seeing that in Iran, where Iranian bad actors are just building their own ransomware from scratch.”

Grauer told CoinDesk that, by creating their own ransomware, ransomware gangs can create a more tailored attack for specific or high-security targets.

“One thing we did see in Iran was some geopolitical attacks against targets in Israel,” Grauer said.

The geopolitical implications of ransomware are growing. After a Russia-based ransomware group carried out the Colonial Pipeline attack last summer, the Biden administration has made cracking down on ransomware a priority.

President Biden has called out Chinese state actors for ransomware and cryptojacking attacks, and pushed Russia to arrest known members of ransomware gangs. The administration also began adding crypto exchanges to its sanctions blacklist last year.