
Understanding the Cryptocurrency-Ransomware Connection

Unfortunately for the law-abiding of the world, ransomware is an idea that caught on immediately and never lost steam. In fact, it’s grown to the point that it now contributes to a thriving cybercrime business, often targeting large sectors, including education, finance, healthcare, the legal sector, and manufacturing. According to Fortinet research, by the end of 2020, there were as many as 17,200 devices reporting ransomware each day. 

Ransomware was widespread long before cryptocurrency came along, but in recent years, both have skyrocketed in tandem. Because cryptocurrency is difficult to trace, cybercriminals have rapidly switched to it as their preferred method for ransom payments. In fact, DarkSide, the group behind the high-profile attack on Colonial Pipeline, purportedly raked in $90 million in Bitcoin ransom payments before shutting down in May.

So, why is this happening? And what do you need to know? Read on. 

The appeal of cryptocurrency

In the past, bad actors extorting money from victim organizations via ransomware typically had to rely on wire transfer services or other forms of payment using regular currency. While these got the job done, they also came with a paper trail – a very traceable paper trail, in most cases. And that made it easy for the FBI to track the bad actors down.

Meanwhile, cryptocurrency has surged in value in the past couple of years, and new currencies continue to be launched – though Bitcoin and Dogecoin continue to lead the pack. Bitcoin, in particular, soared to new highs during the pandemic, breaking through to an all-time high of more than $64,000 in the second quarter of 2021.

This popularity extends to cybercriminals. These days, almost all ransomware attackers demand payments via some form of cryptocurrency, which makes it a lot harder to identify the actual person behind the keyboard and doesn’t leave the same kind of paper trail. It’s also faster – payments can be made almost instantly. For bad actors, this kind of convenience is a no-brainer.

Cryptocurrency also makes it easier to diversify across payment platforms and to demand payments in several smaller amounts paid out to different digital wallets, which again makes the money hard for law enforcement to trace. Attackers can also diversify in terms of the coins and platforms they’re using. The case of the Colonial Pipeline ransomware attack, in which the federal government was able to retrieve $5 million of the payment the company made to its attackers, is a definite exception to the rule – this was a highly unusual and rare incident.

Bad actors are also undoubtedly able to leverage fear, uncertainty and doubt when it comes to cryptocurrency. It’s such a comparatively new technology that many people still don’t fully understand it.

More options, more bad actors

Another big trend within this parallel rise is the growth in variety. Back when bad actors relied on wire transfers and left lengthy paper trails behind, there weren’t as many of them. There were just a handful of ransomware operators and just a few “flavors” of ransomware. These days, there are more varieties of ransomware and far more criminal operators, especially when it comes to affiliate programs. Even novice attackers can be successful today by buying Ransomware-as-a-Service (RaaS) and other kit-like tools, which have lowered the bar to entry. At the same time, there’s been a shift toward “VIP” programs or the use of hand-selected partners to commit these major, seven-figure attacks. While it used to be there were hundreds or thousands of affiliates to partner with, now bad actors are being a little pickier for their large targets and ransom demands.

Concurrently, there are new cryptocurrencies being added to the marketplace regularly. While Bitcoin, Dogecoin and Ethereum are probably the three we hear of most often, they’re far from the only options in an increasingly crowded space. As of May 2021, there were more than 10,000 different cryptocurrencies available. That’s a whole lot of options for bad actors looking to fly under the radar when collecting ransom payments.

Putting the brakes on crypto-tied ransomware plots 

The cryptocurrency market has certainly seen its ups and downs in the past year, but it doesn’t show any sign of slowing down completely. And the rise of NFTs (non-fungible tokens) goes along with this. Likewise, ransomware shows no signs of stopping. Whether it’s Kaseya, JBS, Colonial Pipeline or the hundreds of incidents that don’t make international headlines each year, ransomware is huge business – and it’s increasingly organized.

How can organizations fight ransomware? The best solution is always prevention. Here are three tactics toward that goal:

Cyber hygiene must be part of board-level conversations, as should training and risk management. Attackers often target high-value assets at organizations, as they have greater access to the network. Those in leadership must be trained to spot malicious tactics and ensure all other employees are trained, too.

Ransomware mitigation strategies must be put in place. These include zero-trust access (ZTA), regular data back-ups to an offsite location, data encryption and immediate patching of vulnerabilities.

Collaboration must be prioritized. More data ensures more effective responses, so share with all internal and external stakeholders, including law enforcement. Sharing intelligence with law enforcement and other global security organizations is the only way to effectively take down cybercrime groups.

Get involved

Ransomware is everywhere, it seems, in parallel with the growth of cryptocurrency. This isn’t a complete coincidence; bad actors have quickly figured out that cryptocurrency is an ideal vehicle for quickly receiving almost-untraceable ransoms. As usual, they are weaponizing technology that was meant to make things more convenient for people. Yet time-honored security wisdom, coupled with modern tools and international cooperation, can help bring down the cybercrime ecosystem. Use the tactics noted above to ransomware-proof your organization and help others catch their attackers.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
