The economic significance of ransomware campaigns through Bitcoin transactions

Cyber-attacks continue to evolve and are an increasing concern for computer systems across the world. In 2018, almost 21% of Canadian businesses were impacted by a cybersecurity incident. Among them, 8% declared being victims of ransomware [1]. Ransomware is one of the most dangerous cyber-crime threats to individual users and enterprises. According to Symantec, ransomware activity decreased during 2018, with the overall number dropping by 20% [2]. While overall ransomware infections went down, enterprise infections went up by 12% in 2018.

Cybercriminals have been using Bitcoin payment systems to extort ransoms anonymously. The pseudo-anonymous nature of decentralized currencies such as Bitcoin makes it difficult to trace a payee.


Bitcoin is a completely digital currency that is independent from any banks or governments. Such financial systems eliminate the control of centralized authority and provide ubiquity as well as fairness via (quasi) real-time transactions. Bitcoin transactions can be anonymized, though every transaction has a traceable history. Such digital currencies also guarantee a certain degree of anonymity, which raises novel and unique concerns, e.g., a possible growth in illegal activities.

In this article, the authors presented a comprehensive and longitudinal study on ransomware and reported the economic impact of this threat from the Bitcoin payment perspective.

They first presented a lightweight framework to identify, collect, and analyze addresses that belonged to the same user. Then, using the framework, they analyzed the economic impact of all the recent ransomware that used Bitcoin as at least one mode of ransom payment, and for which at least one Bitcoin address was publicly known.



In order to build the identification framework, the authors proceeded by investigating ransomware extortions. They first identified the Bitcoin addresses linked to the ransomware. Then, they obtained the transaction history of these addresses. Finally, they distinguished the transactions associated with the ransom payments.
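As an added illustration of the three steps above (not code from the paper or its authors), the sketch below groups addresses with the common-input-ownership heuristic and then lists payments that arrive from outside the resulting cluster. The heuristic is an assumption, since this summary does not say how the framework links addresses, and the transactions, address names and amounts are constructed sample data.

```python
# Constructed sample transactions (not real blockchain data). Amounts in satoshis.
TXS = [
    {"id": "t1", "inputs": ["victimA"], "outputs": [("seed1", 50_000_000)]},
    {"id": "t2", "inputs": ["victimB"], "outputs": [("addr2", 100_000_000)]},
    {"id": "t3", "inputs": ["seed1", "addr2"], "outputs": [("addr3", 149_000_000)]},
    {"id": "t4", "inputs": ["addr2", "addr4"], "outputs": [("exchangeX", 150_000_000)]},
    {"id": "t5", "inputs": ["victimC"], "outputs": [("addr4", 52_000_000)]},
    {"id": "t6", "inputs": ["victimD"], "outputs": [("unrelated", 300_000_000)]},
]


def cluster_of(txs, seed):
    """Step 1: addresses assumed to share an owner with `seed`.

    Assumed heuristic: all inputs of one transaction are controlled by the
    same entity, so they are merged with a union-find structure.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in txs:
        first = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = first
    root = find(seed)
    return {a for a in list(parent) if find(a) == root}


def incoming_payments(txs, cluster):
    """Steps 2-3: walk the history and keep payments sent into the cluster
    by outsiders; transactions spent by the cluster itself are skipped."""
    payments = []
    for tx in txs:
        if cluster.intersection(tx["inputs"]):
            continue  # internal movement or cash-out, not a candidate payment
        for addr, sats in tx["outputs"]:
            if addr in cluster:
                payments.append((tx["id"], addr, sats))
    return payments


if __name__ == "__main__":
    c = cluster_of(TXS, "seed1")
    print(sorted(c), incoming_payments(TXS, c))
```

Note that addr3 only ever receives funds in the sample, so co-spending alone does not link it to the seed; deciding which of the candidate payments are actual ransoms needs further criteria that this summary does not describe.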

Regarding the economic impact, the authors found 20 ransomware that fulfilled their selection criteria. They then discussed each of these 20 ransomware as well as their renamed/rebranded versions. The main focus here was to provide insight into the economic impact of these ransomware from the Bitcoin payment perspective. The analysis showed that CryptoLocker received the maximum number of payments, i.e., 51,766 payments worth 133,045.9961 BTC, which is approximately USD 42,292,191.17. However, the framework classified 3,730 payments received by CryptoWall as ransom payments, which is the maximum number of ransom payments extorted by any ransomware. These payments represent 5,351.2329 BTC or USD 2,220,909.12. On another note, KeRanger received the minimum number of both overall payments and ransom payments.


Cite (APA): Conti, M., Gangwal, A., & Ruj, S. (2018). On the economic significance of ransomware campaigns: A Bitcoin transactions perspective. Computers & Security, 79, 162-189.



[1] Statistics Canada. (2018). Impact of cybercrime on Canadian businesses, 2017. The Daily. Retrieved from
[2] Symantec. (2019). Internet Security Threat Report. Symantec: Mountain View, CA. Retrieved from