{"id":102909,"date":"2021-09-02T08:54:48","date_gmt":"2021-09-02T15:54:48","guid":{"rendered":"https:\/\/www.backblaze.com\/blog\/?p=102909"},"modified":"2025-12-11T13:48:22","modified_gmt":"2025-12-11T21:48:22","slug":"ransomware-economy","status":"publish","type":"post","link":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/","title":{"rendered":"Introducing the Ransomware Economy"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-102911 size-full\" title=\"Introducing the Ransomware Economy\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg\" alt=\"Ransomware skull and code symbols\" width=\"1440\" height=\"820\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg 1440w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy-300x171.jpg 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy-1024x583.jpg 1024w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy-768x437.jpg 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy-560x319.jpg 560w\" sizes=\"auto, (max-width: 1440px) 100vw, 1440px\" \/><\/p>\n<p id=\"bzdropcap\">Ransomware continues to proliferate for a simple reason\u2014it\u2019s profitable. And it\u2019s profitable not just for the ransomware developers themselves\u2014they\u2019re just one part of the equation\u2014but for a whole ecosystem of players who make up the ransomware economy. To understand the threats to small and medium-sized businesses (SMBs) and organizations today, it\u2019s important to understand the scope and scale of what you\u2019re up against.<\/p>\n<p>Today, we\u2019re digging into how the ransomware economy operates, including the broader ecosystem and the players involved, emerging threats to SMBs, and the overall financial footprint of ransomware worldwide.<\/p>\n<div class=\"abstract\" style=\"line-height: 1.8; margin: 24px 12px; padding: 24px 12px 10px 12px;\">\n<p>This post is a part of our ongoing series on ransomware. Take a look at our other posts for more information on how businesses can defend themselves against a ransomware attack, and more.<\/p>\n<ul>\n<li><a href=\"\/blog\/complete-guide-ransomware\/\" target=\"_blank\" rel=\"noopener\">\u201cRansomware: How to Prevent or Recover From an Attack\u201d<\/a><\/li>\n<li><a href=\"\/blog\/object-lock-101-protecting-data-from-ransomware\/\" target=\"_blank\" rel=\"noopener\">\u201cObject Lock 101: Protecting Data From Ransomware\u201d<\/a><\/li>\n<li><a href=\"\/blog\/the-true-cost-of-ransomware\/\" target=\"_blank\" rel=\"noopener\">&#8220;The True Cost of Ransomware&#8221;<\/a><\/li>\n<li><a href=\"\/blog\/ransomware-takeaways-2021-to-date\/\" target=\"_blank\" rel=\"noopener\">&#8220;Ransomware Takeaways: Q1 2021&#8221;<\/a><\/li>\n<li><a href=\"\/blog\/ransomware-takeaways-q2-2021\/\" target=\"_blank\" rel=\"noopener\">&#8220;Ransomware Takeaways: Q2 2021&#8221;<\/a><\/li>\n<li><a href=\"\/blog\/ransomware-takeaways-q3-2021\/\" target=\"_blank\" rel=\"noopener\">&#8220;Ransomware Takeaways: Q3 2021&#8221;<\/a><\/li>\n<\/ul>\n<\/div>\n<p><!--HubSpot Call-to-Action Code --><span id=\"hs-cta-wrapper-bcb54d8e-f8c9-4feb-b802-5dfd0042e420\" class=\"hs-cta-wrapper\"><span id=\"hs-cta-bcb54d8e-f8c9-4feb-b802-5dfd0042e420\" class=\"hs-cta-node hs-cta-bcb54d8e-f8c9-4feb-b802-5dfd0042e420\"><!-- [if lte IE 8]>\n\n\n<div id=\"hs-cta-ie-element\"><\/div>\n\n\n<![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/2832298\/bcb54d8e-f8c9-4feb-b802-5dfd0042e420\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" id=\"hs-cta-img-bcb54d8e-f8c9-4feb-b802-5dfd0042e420\" class=\"hs-cta-img\" style=\"border-width: 0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/2832298\/bcb54d8e-f8c9-4feb-b802-5dfd0042e420.png\" alt=\"\u2794 Download The Complete Guide to Ransomware E-book\" \/><\/a><\/span><script charset=\"utf-8\" src=\"https:\/\/js.hscta.net\/cta\/current.js\"><\/script><script type=\"text\/javascript\"> hbspt.cta.load(2832298, 'bcb54d8e-f8c9-4feb-b802-5dfd0042e420', {\"useNewLoader\":\"true\",\"region\":\"na1\"}); <\/script><\/span><!-- end HubSpot Call-to-Action Code --><\/p>\n<h2><strong>Top Ransomware Syndicates in Operation Today<\/strong><\/h2>\n<p>Cybercriminals have long been described as operating in \u201cgangs.\u201d The label conjures images of nefarious coders furiously tapping away at glowing workstations in a shadowy warehouse. But the work of the ransomware economy today is more likely to take place in a boardroom than a back alley. Cybercriminals have graduated from gangs to highly complex organized crime syndicates that operate ransomware brands as part of a sophisticated business model.<\/p>\n<p>Operators of these syndicates are just as likely to be worrying about user experience and customer service as they are with building malicious code. A look at the branding on display on some syndicates\u2019 leak sites makes the case plain that these groups are more than a collective of expert coders\u2014they\u2019re savvy businesspeople.<\/p>\n<figure id=\"attachment_102914\" aria-describedby=\"caption-attachment-102914\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-102914 size-large\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_-1024x385.png\" alt=\"images of ransomware gang marketing \" width=\"1024\" height=\"385\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_-1024x385.png 1024w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_-300x113.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_-768x289.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_-1536x577.png 1536w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_-560x210.png 560w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Bleepingcomputer.com_.png 1916w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-102914\" class=\"wp-caption-text\">Source: Bleepingcomputer.com.<\/figcaption><\/figure>\n<p>Ransomware operators are often synonymous with the software variant they brand, deploy, and sell. Many have rebranded over the years or splintered into affiliated organizations. Some of the top ransomware brands operating today, along with high profile attacks they have carried out, are shown in the infographic below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-102971\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-1018x1024.jpg\" alt=\"infographic of top ransomware brands\" width=\"1018\" height=\"1024\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-1018x1024.jpg 1018w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-298x300.jpg 298w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-150x150.jpg 150w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-768x772.jpg 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-1527x1536.jpg 1527w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-2036x2048.jpg 2036w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-80x80.jpg 80w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/Heatmap-Victims-R2-560x563.jpg 560w\" sizes=\"auto, (max-width: 1018px) 100vw, 1018px\" \/><\/p>\n<p>The groups shown above do not constitute an exhaustive list. In June 2021, FBI Director Christopher Wray stated that <a href=\"https:\/\/www.reuters.com\/technology\/fbi-says-it-is-investigating-about-100-types-ransomware-wsj-2021-06-04\/\" target=\"_blank\" rel=\"noopener\">the FBI was investigating 100 different ransomware variants<\/a> and new ones pop up everyday. While some brands have existed for years (Ryuk, for example), the list is also likely obsolete as soon as it\u2019s published. Ransomware brands bubble up, go bust, and reorganize, changing with the cybersecurity tides.<\/p>\n<p>Chainalysis, a blockchain data platform, published their Ransomware 2021: Critical Mid-year Update that shows just how much brands fluctuate year to year and, they note, even month to month:<\/p>\n<figure id=\"attachment_102916\" aria-describedby=\"caption-attachment-102916\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-102916 size-large\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/image4-1024x491.png\" alt=\"Top 10 ransomware strains by revenue by year, 2014-2021 Q1\" width=\"1024\" height=\"491\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image4-1024x491.png 1024w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image4-300x144.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image4-768x368.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image4-560x268.png 560w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image4.png 1027w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-102916\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/blog.chainalysis.com\/reports\/ransomware-update-may-2021\" target=\"_blank\" rel=\"noopener\">Chainalysis<\/a>.<\/figcaption><\/figure>\n<h2><strong>How Ransomware Syndicates Operate<\/strong><\/h2>\n<p>Ransomware operators may appear to be single entities, but there is a complex ecosystem of suppliers and ancillary providers behind them that exchange services with each other on the dark web. The flowchart below illustrates all the players and how they interact:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-102970\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/RansomwareEconomy-953x1024.jpg\" alt=\"diagram of ransomware syndicate workflow\" width=\"953\" height=\"1024\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/RansomwareEconomy-953x1024.jpg 953w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/RansomwareEconomy-279x300.jpg 279w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/RansomwareEconomy-768x825.jpg 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/RansomwareEconomy-560x601.jpg 560w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/RansomwareEconomy.jpg 1000w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><\/p>\n<h3><strong>Dark Web Service Providers<\/strong><\/h3>\n<p>Cybercrime \u201cgangs\u201d could once be tracked down and caught like the <a href=\"https:\/\/www.nbcnews.com\/id\/wbna9884895\" target=\"_blank\" rel=\"noopener\">David Levi Phishing Gang<\/a> that was investigated and prosecuted in 2005. Today\u2019s decentralized ecosystem, however, makes going after ransomware operators all the more difficult. These independent entities may never interact with each other outside of the dark web where they exchange services for cryptocurrency:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>Botmasters: Create networks of infected computers and sell access to those compromised devices to threat actors.<\/li>\n<li>Access Sellers: Take advantage of publicly disclosed vulnerabilities to infect servers before the vulnerabilities are remedied, then advertise and sell that access to threat actors.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_102918\" aria-describedby=\"caption-attachment-102918\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-102918 size-large\" title=\"Dark Web Service Providers\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/image20-1024x328.png\" alt=\"ad for ransomware syndicate\" width=\"1024\" height=\"328\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image20-1024x328.png 1024w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image20-300x96.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image20-768x246.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image20-1536x493.png 1536w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image20-560x180.png 560w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image20.png 1999w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-102918\" class=\"wp-caption-text\">Advertisement from an access seller for access to an organization\u2019s RDP. Source: <a href=\"https:\/\/threatpost.com\/ransomware-4k-cyber-underground\/166145\/\" target=\"_blank\" rel=\"noopener\">Threatpost<\/a>.<\/figcaption><\/figure>\n<ul>\n<li>Operators: The entity that actually carries out the attack with access purchased from botmasters or access sellers and software purchased from developers or developed in-house. May employ a full staff, including customer service, IT support, marketing, etc. depending on how sophisticated the syndicate is.<\/li>\n<li>Developers: Write the ransomware software and sell it to threat actors for a cut of the ransom.<\/li>\n<li>Packer Developers: Add protection layers to the software, making it harder to detect.<\/li>\n<li>Analysts: Evaluate the victim\u2019s financial health to advise on ransom amounts that they\u2019re most likely to pay.<\/li>\n<li>Affiliates: Purchase ransomware as a service from operators\/developers who get a cut of the ransom.<\/li>\n<li>Negotiating Agents: Handle interactions with victims.<\/li>\n<li>Laundering Services: Exchange cryptocurrency for fiat currency on exchanges or otherwise transform ransom payments into usable assets.<\/li>\n<\/ul>\n<h3><strong>Victim-side Service Providers<\/strong><\/h3>\n<p>Beyond the collection of entities directly involved in the deployment of ransomware, the broader ecosystem includes other players on the victim\u2019s side, who, for better or worse, stand to profit off of ransomware attacks. These include:<\/p>\n<ul>\n<li>Incident response firms: Consultants who assist victims in response and recovery.<\/li>\n<li>Ransomware brokers: Brought in to negotiate and handle payment on behalf of the victim and act as intermediaries between the victim and operators.<\/li>\n<li>Insurance providers: Cover victims\u2019 damages in the event of an attack.<\/li>\n<li>Legal counsel: Often manage the relationship between the broker, insurance provider, and victim, and advise on ransom payment decision-making.<\/li>\n<\/ul>\n<h4><strong>Are Victim-side Providers Complicit?<\/strong><\/h4>\n<p>While these providers work on behalf of victims, they also perpetuate the cycle of ransomware. For example, insurance providers that cover businesses in the event of a ransomware attack often advise their customers to pay the ransom if they think it will minimize downtime as the cost of extended downtime can far exceed the cost of a ransom payment. This becomes problematic for a few reasons:<\/p>\n<ul>\n<li>First, paying the ransom incentivizes cybercriminals to continue plying their trade.<\/li>\n<li>Second, as Colonial Pipeline discovered, the decryption tools provided by cybercriminals in exchange for ransom payments aren\u2019t to be trusted. More than a month after Colonial paid the $4.4 million ransom and received a decryption tool, CEO Joseph Blount testified before Congress that recovery from the attack was <em>still<\/em> not complete. After all that, they had to rely on recovering from their backups anyway.<\/li>\n<\/ul>\n<h2><strong>The Emergence of Ransomware as a Service<\/strong><\/h2>\n<p>In the ransomware economy, operators and their affiliates are the threat actors that carry out attacks. This affiliate model where operators sell ransomware as a service (RaaS) represents one of the biggest threats to SMBs and organizations today.<\/p>\n<p>Cybercrime syndicates realized they could essentially license and sell their tech to affiliates who then carry out their own misdeeds empowered by another criminal\u2019s software. The syndicates, affiliates, and other entities each take a portion of the ransom.<\/p>\n<p>Operators advertise these partner programs on the dark web and thoroughly vet affiliates before bringing them on to filter out law enforcement posing as low-level criminals. One advertisement by the REvil syndicate <a href=\"https:\/\/threatpost.com\/inside-ransomware-economy\/166471\/\" target=\"_blank\" rel=\"noopener\">noted<\/a>, \u201cNo doubt, in the FBI and other special services, there are people who speak Russian perfectly, but their level is certainly not the one native speakers have. Check these people by asking them questions about the history of Ukraine, Belarus, Kazakhstan or Russia, which cannot be googled. Authentic proverbs, expressions, etc.\u201d<\/p>\n<figure id=\"attachment_102919\" aria-describedby=\"caption-attachment-102919\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-102919 size-large\" style=\"border: 1px solid black;\" title=\"The Emergence of Ransomware as a Service\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/image9-1024x191.png\" alt=\"Ransomware as a service ad\" width=\"1024\" height=\"191\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image9-1024x191.png 1024w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image9-300x56.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image9-768x143.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image9-1536x287.png 1536w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image9-560x104.png 560w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image9.png 1999w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-102919\" class=\"wp-caption-text\">Advertisement for ransomware affiliates. Source: Kaspersky.<\/figcaption><\/figure>\n<p>Though less sophisticated than some of the more notorious viruses, these \u201cas a service\u201d variants enable even amateur cybercriminals to carry out attacks. And they\u2019re likely to carry those attacks out on the easiest prey\u2014small businesses who don\u2019t have the resources to implement adequate protections or weather extended downtime.<\/p>\n<p>Hoping to increase their chances of being paid, low-level threat actors using RaaS typically demanded smaller ransoms, under $100,000, but that trend is changing. Coveware reported in August 2020 that <a href=\"https:\/\/www.coveware.com\/blog\/q2-2020-ransomware-marketplace-report\" target=\"_blank\" rel=\"noopener\">affiliates are getting bolder in their demands<\/a>. They reported the first six-figure payments to the Dharma ransomware group, an affiliate syndicate, in Q2 2020.<\/p>\n<p>The one advantage savvy business owners have when it comes to RaaS: attacks are high volume (carried out against many thousands of targets) but low quality and easily identifiable by the time they are widely distributed. By staying on top of antivirus protections and detection, business owners can increase their chances of catching the attacks before it\u2019s too late.<\/p>\n<h2><strong>The Financial Side of the Ransomware Economy<\/strong><\/h2>\n<p>So, how much money do ransomware crime syndicates actually make? The short answer is that it\u2019s difficult to know because so many ransomware attacks go unreported. To get some idea of the size of the ransomware economy, analysts have to do some sleuthing.<\/p>\n<p>Chainalysis tracks transactions to blockchain addresses linked to ransomware attacks in order to capture the size of ransomware revenues. In their regular reporting on the cybercrime cryptocurrency landscape, they showed that the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency. In May, they published an update after identifying new ransomware addresses that put the number over $406 million. They expect the number will only continue to grow.<\/p>\n<figure id=\"attachment_102920\" aria-describedby=\"caption-attachment-102920\" style=\"width: 972px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-102920 size-full\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/image11.png\" alt=\"Total cryptocurrency value received by ransomware addresses, 2016-2021 (YTD)\" width=\"972\" height=\"671\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image11.png 972w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image11-300x207.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image11-768x530.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image11-560x387.png 560w\" sizes=\"auto, (max-width: 972px) 100vw, 972px\" \/><figcaption id=\"caption-attachment-102920\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/blog.chainalysis.com\/reports\/ransomware-update-may-2021\" target=\"_blank\" rel=\"noopener\">Chainalysis<\/a>.<\/figcaption><\/figure>\n<p>Similarly, threat intel company, Advanced Intelligence, and cybersecurity firm, HYAS, tracked Bitcoin transactions to 61 addresses associated with the Ryuk syndicate. They estimate that the operator may be worth upwards of <a href=\"https:\/\/www.advanced-intel.com\/post\/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders\" target=\"_blank\" rel=\"noopener\">$150 million<\/a> alone. Their analysis sheds some light on how ransomware operators turn their exploits and the ransoms paid into usable cash.<\/p>\n<p>Extorted funds are gathered in holding accounts, passed to money laundering services, then either funneled back into the criminal market and used to pay for other criminal services or cashed out at real cryptocurrency exchanges. The process follows these steps, as illustrated below:<\/p>\n<ul>\n<li>The victim pays a broker.<\/li>\n<li>The broker converts the cash into cryptocurrency.<\/li>\n<li>The broker pays the ransomware operator in cryptocurrency.<\/li>\n<li>The ransomware operator sends the cryptocurrency to a laundering service.<\/li>\n<li>The laundering service exchanges the coins for fiat currency on cryptocurrency exchanges like Binance and Huobi.<\/li>\n<\/ul>\n<figure id=\"attachment_102921\" aria-describedby=\"caption-attachment-102921\" style=\"width: 770px\" class=\"wp-caption aligncenter\"><a href=\"\/blog\/wp-content\/uploads\/2021\/09\/image10.png\" data-rel=\"lightbox-gallery-jpSNT9xa\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-102921 size-full\" src=\"https:\/\/www.backblaze.com\/blog\/wp-content\/uploads\/2021\/09\/image10.png\" alt=\"diagram of ransomware payment flow\" width=\"770\" height=\"655\" srcset=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image10.png 770w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image10-300x255.png 300w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image10-768x653.png 768w, https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/image10-560x476.png 560w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><figcaption id=\"caption-attachment-102921\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/www.advanced-intel.com\/post\/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders\" target=\"_blank\" rel=\"noopener\">AdvIntel<\/a>.<\/figcaption><\/figure>\n<p>In an interesting development, the report found that Ryuk actually bypassed laundering services and cashed out some of their own cryptocurrency directly on exchanges using stolen identities\u2014a brash move for any organized crime operation.<\/p>\n<h2><strong>Protecting Your Company From Ransomware<\/strong><\/h2>\n<p>Even though the ransomware economy is ever-changing, having an awareness of where attacks come and the threats you\u2019re facing can prepare you if you ever face one yourself. To summarize:<\/p>\n<ul>\n<li>Ransomware operators may seem to be single entities, but there\u2019s a broad ecosystem of players behind them that trade services on the dark web.<\/li>\n<li>Ransomware operators are sophisticated business entities.<\/li>\n<li>RaaS enables even low-level criminals to get in the game.<\/li>\n<li>Ransomware operators raked in at least $406 million in 2020, and likely more than that, as many ransomware attacks and payments go unreported.<\/li>\n<\/ul>\n<p>We put this post together not to trade in fear, but to prepare SMBs and organizations with information in the fight against ransomware. And, you don\u2019t have to fight it alone. Download our <a href=\"https:\/\/hub.backblaze.com\/complete-guide-to-ransomware\" target=\"_blank\" rel=\"noopener\">Complete Guide to Ransomware E-book and Guide<\/a> for even more intel on ransomware today, plus steps to take to <a href=\"https:\/\/www.backblaze.com\/b2\/solutions\/ransomware-protection-and-recovery.html\" target=\"_blank\" rel=\"noopener\">defend against ransomware<\/a>, and how to respond if you do fall victim to an attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn more about the entire ecosystem that makes up the ransomware economy worldwide, including its emerging threat to businesses and organizations today.<\/p>\n","protected":false},"author":159,"featured_media":102911,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[475],"tags":[468],"class_list":["post-102909","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","tag-b2cloud","entry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The Ransomware Economy: From Crypto Exchanges to Ransomware Profits<\/title>\n<meta name=\"description\" content=\"Even though the ransomware economy is ever-changing, having an awareness of the threats can help prepare you.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Ransomware Economy: From Crypto Exchanges to Ransomware Profits\" \/>\n<meta property=\"og:description\" content=\"Even though the ransomware economy is ever-changing, having an awareness of the threats can help prepare you.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/\" \/>\n<meta property=\"og:site_name\" content=\"Backblaze Blog | Cloud Storage &amp; Cloud Backup\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/backblaze\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-02T15:54:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-11T21:48:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1440\" \/>\n\t<meta property=\"og:image:height\" content=\"820\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Molly Clancy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@backblaze\" \/>\n<meta name=\"twitter:site\" content=\"@backblaze\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Molly Clancy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Ransomware Economy: From Crypto Exchanges to Ransomware Profits","description":"Even though the ransomware economy is ever-changing, having an awareness of the threats can help prepare you.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/","og_locale":"en_US","og_type":"article","og_title":"The Ransomware Economy: From Crypto Exchanges to Ransomware Profits","og_description":"Even though the ransomware economy is ever-changing, having an awareness of the threats can help prepare you.","og_url":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/","og_site_name":"Backblaze Blog | Cloud Storage &amp; Cloud Backup","article_publisher":"https:\/\/www.facebook.com\/backblaze","article_published_time":"2021-09-02T15:54:48+00:00","article_modified_time":"2025-12-11T21:48:22+00:00","og_image":[{"width":1440,"height":820,"url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg","type":"image\/jpeg"}],"author":"Molly Clancy","twitter_card":"summary_large_image","twitter_creator":"@backblaze","twitter_site":"@backblaze","twitter_misc":{"Written by":"Molly Clancy","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#article","isPartOf":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/"},"author":{"name":"Molly Clancy","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/person\/a92e54b3011e599a575611dbbb443b5c"},"headline":"Introducing the Ransomware Economy","datePublished":"2021-09-02T15:54:48+00:00","dateModified":"2025-12-11T21:48:22+00:00","mainEntityOfPage":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/"},"wordCount":1834,"commentCount":0,"publisher":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#primaryimage"},"thumbnailUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg","keywords":["B2Cloud"],"articleSection":["Ransomware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/","url":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/","name":"The Ransomware Economy: From Crypto Exchanges to Ransomware Profits","isPartOf":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#primaryimage"},"image":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#primaryimage"},"thumbnailUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg","datePublished":"2021-09-02T15:54:48+00:00","dateModified":"2025-12-11T21:48:22+00:00","description":"Even though the ransomware economy is ever-changing, having an awareness of the threats can help prepare you.","breadcrumb":{"@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.backblaze.com\/blog\/ransomware-economy\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#primaryimage","url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg","contentUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg","width":1440,"height":820,"caption":"Ransomware skull and code symbols"},{"@type":"BreadcrumbList","@id":"https:\/\/www.backblaze.com\/blog\/ransomware-economy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Introducing the Ransomware Economy"}]},{"@type":"WebSite","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#website","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/","name":"Backblaze Cloud Solutions Blog","description":"Cloud Storage &amp; Cloud Backup","publisher":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#organization","name":"Backblaze","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.backblaze.com\/blog\/wp-content\/uploads\/2017\/12\/backblaze_icon_transparent.png?fit=512%2C512&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.backblaze.com\/blog\/wp-content\/uploads\/2017\/12\/backblaze_icon_transparent.png?fit=512%2C512&ssl=1","width":512,"height":512,"caption":"Backblaze"},"image":{"@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/backblaze","https:\/\/x.com\/backblaze","https:\/\/www.youtube.com\/user\/Backblaze","https:\/\/en.wikipedia.org\/wiki\/Backblaze"]},{"@type":"Person","@id":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/#\/schema\/person\/a92e54b3011e599a575611dbbb443b5c","name":"Molly Clancy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/02\/ClancyMolly_Headshot_reduced-150x150.png","url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/02\/ClancyMolly_Headshot_reduced-150x150.png","contentUrl":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/02\/ClancyMolly_Headshot_reduced-150x150.png","caption":"Molly Clancy"},"description":"Molly Clancy is a content writer who specializes in explaining tech concepts in an easy, approachable way. With more than 15 years of experience, she has a broad background in industries ranging from B2B tech to engineering to luxury travel. A deep curiosity drives her repeated success explaining what terms like OS kernel and preflight request mean so that anyone can understand them.","url":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/author\/molly\/"}]}},"jetpack_featured_media_url":"https:\/\/backblazeprod.wpenginepowered.com\/wp-content\/uploads\/2021\/09\/bb-bh-The-Ransomware-Economy.jpg","_links":{"self":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts\/102909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/users\/159"}],"replies":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/comments?post=102909"}],"version-history":[{"count":0,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/posts\/102909\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/media\/102911"}],"wp:attachment":[{"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/media?parent=102909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/categories?post=102909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/backblazeprod.wpenginepowered.com\/blog\/wp-json\/wp\/v2\/tags?post=102909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}