Skip to Content

True scale of Bitcoin ransomware extortion revealed

By tracking the Bitcoin accounts associated with ransomware, researchers have calculated how much cybercriminals extracted from their victims.

Ransomware is one of the more worrying types of malware to emerge in recent years. It works by restricting access to computer files until a ransom is paid. Victims have included the British National Health Service, the Spanish telecom company Telefonica, the Russian oil giant Rosneft, and many others.

Victims are usually required to pay a Bitcoin ransom equivalent to a few hundred dollars to release their files. Typically, the ransom increases over time until a deadline when the files are supposedly destroyed. Many companies and individuals have had little choice but to pay up.

And that raises an interesting question. How much money have Bitcoin ransomware programs generated for their malicious masters?

US dollar value of ransoms paid to CryptoWall Bitcoin accounts

Today we get an answer thanks to the work of Mauro Conti at the University of Padua in Italy and a couple of colleagues. These guys have created a database of Bitcoin accounts used by ransomware criminals and added up the ransoms paid into them. The result is a comprehensive analysis of the gains made by cybercriminals in this emerging area of crime.

While ransomware can ask for payment in kind of currency, Conti and co focus only on those that ask for Bitcoin payments. That’s because Bitcoin transactions are openly recorded and free to view. So in principle, it should be possible to work out exactly how much each account receives. “Our aim was to accurately measure the USD worth of these payments,” says Conti and co.

The team began by creating a database of Bitcoin accounts associated with this kind of activity since 2013, when the ransomware Cryptolocker became the first to ask for payment in Bitcoin. “We found twenty ransomware that fulfilled our selection criteria, i.e., those ransomware: (i) that used Bitcoin as at least one mode of ransom payment, and (ii) for which at least one Bitcoin address is publicly known,” they explain.

For each species of malware, they provide a useful overview of the way it works and spreads and how it has evolved over time.

Not all payments to these accounts are necessarily ransoms. So Conti and co developed a way to distinguish ransom payments from other types. They do this by looking for payments that correspond to the specific amounts that the malware demands in ransom.

Finally, Conti and co add up all the ransom payments received by each type of malware. Their work reveals the most profitable ransomware but also raises questions about the way these accounts are used and how they can be tracked.

By far the most profitable form of ransomware turns out to be CryptoWall, which began infecting Windows computers in November 2013. It encrypted the files using the RSA-2048 encryption algorithm and then demanded a payment of up to $1,400 to release them.

The malware spread through various vectors, such as download links sent by the Cutwail spam botnet. Some versions of the malware created a unique Bitcoin payment address for each infected user and used the Tor darknet system to provide anonymous links to each victim.

Between its release and December 2015, Bitcoin addresses associated with this malware received $2.2 million in Bitcoin payments and a further $2.3 million in higher-value transactions, which Conti and co suspect may also be ransom payments.

Curiously, the total value of payments received by these Bitcoin addresses was over $45 million. Most of these transactions were not directly linked by Conti and co to ransom amounts. That’s a significant amount of money and raises the obvious question of what it was payment for.

The full ranking of Bitcoin ransomware projects by the US dollar amount they generated is as follows:

Ransomware                     Bitcoin ransom received               USD value

CryptoWall                         5,351.2329                                       2,220,909.12

CryptoLocker                     1403.7548                                         449,274.97

DMA Locker                      339.4591                                           178,162.77

WannaCry                          47.1743                                             86,076.76

CryptoDefense                  126.6960                                           63,859.49

NotPetya                            4.0576                                               9,835.86

KeRanger                            9.9990                                               4,173.12


Interestingly, the WannaCry outbreak received huge media coverage as the malware spread widely. But the attack was foiled by the cybersecurity researcher Marcus Hutchins, who discovered and activated a built-in kill switch that prevented the malware from being more destructive.

“The overall impact (including financial losses) due to WannaCry infection could have been worse … thanks to the early detection of the kill switch, which prevented the infected computers from spreading WannaCry further,” say Conti and co.

The team also discuss other forms of malware that asked for but do not seem to have received any substantial ransoms. These include TeslaCrypt, Hi Buddy!, and KillDisk.

Various other groups have carried out similar analyses and come to similar conclusions. However, Conte and co make their data set publicly available so others can build on it. “The dataset contains a detailed transaction history of all the addresses we identified for every ransomware,” they say.

Cybercriminals use Bitcoin because it provides a seemingly anonymous way of gathering and making payments. However, Bitcoin is pseudonymous rather than anonymous. That means users can protect their identify provided that none of their transactions can be linked to their real identity. But as soon as a single transaction is linked to their personal identification data, then all of their transactions become linked in the same way.

A useful analogy is to authors who publish under a pseudonym. As long as the author’s identity is never linked to any of the pseudonymous articles, he or she remains anonymous. But if it is linked to just one pseudonymous article, it is linked to all of them, and then anonymity is lost.

So pseudonymous protection is a fragile thing. A single transaction that links a Bitcoin account to a personal account can reveal the identity of a cybercriminal. And personal data leaks all the time in web-based transactions.

Last year, we wrote about the imperfections in the anonymity of Bitcoin  transactions. That should provide some hope of tracking these criminals.

Conti and co have set this type of investigation as a future goal. “We will attempt to trace how the received ransoms were used and by whom,” they say.

That’s brave and ambitious. But it also raises a question—what are law enforcement agencies doing in the meantime?

Ref: : On the Economic Significance of Ransomware Campaigns: A Bitcoin Transactions Perspective

Keep Reading

Most Popular

How a simple circuit could offer an alternative to energy-intensive GPUs

The creative new approach could lead to more energy-efficient machine-learning hardware.

This classic game is taking on climate change

What the New Energies edition of Catan says about climate technology today.

How battery-swap networks are preventing emergency blackouts

When an earthquake rocked Taiwan, hundreds of Gogoro’s battery-swap stations automatically stopped drawing electricity to stabilize the grid.

An AI startup made a hyperrealistic deepfake of me that’s so good it’s scary

Synthesia's new technology is impressive but raises big questions about a world where we increasingly can’t tell what’s real.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.