Ransomware operators made at least $350 million in ransom payments in 2020, according to a Chainalysis report. The figure was calculated by tracking transactions on blockchain addresses associated with ransomware attacks. The total amount paid by ransomware victims increased by 311% compared to 2019.

Quick insights

According to the report, new strains are taking large sums from victims, while a few pre-existing strains are increasing their earnings. 
Ransomware payments are responsible for 7% of all funds received by criminal cryptocurrency.
  • The top earners were Ryuk, Maze, Doppelpaymer, Netwalker, Conti, and REvil. In addition, other families such as Snatch, Defray777 (RansomExx), and Dharma made a profit in millions.
  • There are fewer threat actors than initially thought, with many of these groups keep switching from one RaaS (ransomware-as-a-service) to another as they're being lured by better deals.

Cashing-in the ransom

  • The criminals laundered funds through Bitcoin mixing services and sent the funds to legitimate and high-risk cryptocurrency exchange portals to convert the funds into real-world currency.
  • Some payments were made using bulletproof hosting providers, exploit sellers, and penetration testing services (aka initial access brokers), as ransomware operations involve suppliers.

Money distribution

Ransomware money laundering is focused at the deposit address level. 
  • Around 199 deposit addresses received 80% of all funds in 2020. An even smaller group of 25 addresses accounted for 46%. 
  • More importantly, besides ransomware operations, several other cybercrime operations often reused the same intermediary money laundering services.


From recent trends, it is clear that RaaS has become a full-fledged cybercrime enterprise, earning millions of dollars. In addition, the report indicates that there is a very small group of deposit addresses, with the ability to cash out ransomware proceeds.

Cyware Publisher