Organizations paid at least $602 million to ransomware gangs in 2021

Pierluigi Paganini February 13, 2022

Organizations have paid more than $600 million in cryptocurrency during 2021, nearly one-third to the Conti ransomware gang.

Last week, cybersecurity agencies from the U.K., the U.S. and Australia have published a joint advisory warning of an increased globalised threat of ransomware worldwide in 2021.

According to a report published by the blockchain analysis firm Chainalysis, organizations have paid $602 million in cryptocurrency during 2021. These figures represent a slight decrease compared to last year when organizations paid $692 million in cryptocurrency, but Chainalysis experts warn that other payments could be identified in the next weeks.

“Sure enough, we updated our ransomware numbers a few times throughout 2021, reflecting new payments we hadn’t identified previously.” reads the report published by Chainalysis. “As of January 2022, we’ve now identified just over $692 million in 2020 ransomware payments — nearly double the amount we initially identified at the time of writing last year’s report.”

“There is a slight time lag in ransomware data, so we expect when these numbers get updated in a few months, 2021 will have higher numbers than 2020.” added the company.

ransomware payments -totals-1024x668

However, experts added that the true total for both 2020 and 2021 is likely to be much higher. 

Going deeper into the analysis, we can notice that the Conti operations accounted for the biggest revenue in 2021, extorting at least $180 million from victims.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.

The Conti operators offer their services to their affiliates and maintain 20-30% of each ransom payment.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. 

Darkside was the group with the second-highest revenue in 2021, experts estimated that the earnings of the group reached around $85 million. Darkside made the headlines in May 2021 with the attack on the Colonial Pipeline facility in Pelham, Alabama.

In the aftermath of the attack, Darkside gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds seized part of its infrastructure and some wallets it was using for its operations.

In July the group rebranded its operation with the name BlackMatter.


In the top 10 ransomware strains by revenue, 2021 we also find Phoenix Cryptolocker and REvil operations.

The report also shows an increase in ransomware payment sizes in 2021, a worrisome trend that began in 2018. The average ransomware payment size in 2021 was over $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019. 

“Large payments such as the record $40 million received by Phoenix Cryptolocker spurred this all-time high in average payment size. One reason for the increase in ransom sizes is ransomware attackers’ focus on carrying out highly-targeted attacks against large organizations.” continues the report. “This “big game hunting” strategy is enabled in part by ransomware attackers’ usage of tools provided by third-party providers to make their attacks more effective.”

Ransomware attacks are profitable cybercrime activities, for this reason, experts observed that the number of ransomware operations increased in 2021. Chainalysis reported that at least 140 ransomware strains received payments from victims in 2021, compared to 119 in 2020, and 79 in 2019.  — at least 140 ransomware strains received payments from victims during the year, compared to 119 in 2020 and 79 in 2019, according to the report. “Conti was the one strain that remained consistently active for all of 2021, and in fact saw its share of all ransomware revenue grow throughout the year,” the report said.

The researchers noticed that the majority of ransomware operations are active in waves of short time windows before becoming dormant, with some exceptions, such as the Conti strain that remained consistently active for all of 2021.

“More and more in 2021, we’ve seen the operators of strains publicly “shut down” before re-launching under a new name, presenting themselves as a separate cybercriminal group. Often, the rebranded strain’s financial footprint on the blockchain aligns with that of the original, which can tip investigators off as to who’s really behind the new strain.” continues the report.

In 2021 ransomware operations were regularly rebranded to avoid law enforcement and sanctions.

The factor that most of all contributed to the success of ransomware operations is the usage of the ransomware-as-a-service model that spiked to its highest-ever levels in 2021.

“16% of all funds sent by ransomware operators were spent on tools and services used to enable more effective attacks, compared to 6% in 2020. While it’s possible some of that activity constitutes money laundering rather than the purchase of illicit services, we believe that increasing use of those services is one reason ransomware attackers became more effective in 2021, as evidenced by rising average victim payment sizes.” states the report.

The report also highlights that while most ransomware attacks appear to be financially motivated, nation-state actors are using this practice for multiple purposes, including deception, espionage, reputational damage and fundraising. Many operations are suspected to be linked to nation-state actors linked to Iran, Russia, China and North Korea.

Experts expect that the above trends will continue to increase in 2022.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, extortion)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment