Ransomware victims paid more than $600 million to cybercriminals in 2021
Adam Janofsky February 10, 2022

More than $600 million in cryptocurrency could be tied to ransomware payments in 2021, with the Conti ransomware gang accounting for nearly one-third of those payments, blockchain analysis firm Chainalysis said in a report today.

Although the total number is lower than the $692 million that the firm tied to ransomware payments in 2020, Chainalysis said it expects 2021 to ultimately be a banner year for ransomware groups as payments continue to be identified.

“This $600 million, while extremely large, is still the absolute floor in ransomware payments made, with the real number likely being much higher,” said Kim Grauer, Head of Research at Chainalysis. “There is a slight time lag in ransomware data, so we expect when these numbers get updated in a few months, 2021 will have higher numbers than 2020.”

Conti, a ransomware-as-a-service operation that the US Federal Bureau of Investigation has tied to more than 400 attacks, managed to extort at least $180 million from its victims, according to the Chainalysis report. The group has gained a reputation for targeting a wide range of vulnerable organizations, including 9-1-1 dispatch centers, municipalities, and emergency medical services.

Darkside—which was blamed for the Colonial Pipeline attack and disbanded soon after—was the group with the second highest revenue in 2021, with earnings of around $85 million. It was followed by Phoenix Cryptolocker and REvil, which was recently dismantled by Russia’s Federal Security Service.

The number of ransomware groups overall also increased in 2021 — at least 140 ransomware strains received payments from victims during the year, compared to 119 in 2020 and 79 in 2019, according to the report. “Conti was the one strain that remained consistently active for all of 2021, and in fact saw its share of all ransomware revenue grow throughout the year,” the report said.

But Conti’s staying power was unusual. In 2021, the average strain was only active for about two months, according to the report, down sharply compared to previous years. One explanation is that groups regularly cease operations and relaunch under new names to avoid law enforcement and sanctions.

Another trend the report identified was an increase in the average size of ransomware payments — about $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019, according to the report. And analysts say these trends will likely continue in the year to come.

“We expect these numbers to continue to increase [in 2022],” Grauer said. “Additionally, we have seen the acceleration of malware-as-a-service this year and therefore expect malware attacks more broadly to continue to grow in 2022. The malware attacks such as cryptojacking today resemble the place that ransomware was a few years ago.”

Adam is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.