Ransomware Update: Newly Uncovered Addresses Reveal $21M Worth of New 2020 Ransomware Payments

On January 27, 2021, the Department of Justice (DOJ) announced a major disruption of the NetWalker ransomware strain. FBI agents on the case took down a website NetWalker attackers used to communicate with victims, arrested one of the strain’s most prolific affiliates — a Canadian national named Sebastien Vachon-Desjardins — and seized nearly $500,000 worth of cryptocurrency.

During that arrest, FBI agents also discovered a list of 1,230 previously unseen addresses associated with NetWalker ransomware payments, which they have since shared with us. Analysis of those addresses reveals another $21 million worth of ransomware payments made by victims in 2020. This represents a 6% increase over the total ransomware estimates we initially reported in late January.

This significant increase in data from the takedown highlights one of the primary challenges in tackling ransomware: reporting and information sharing. Without increased reporting and improved information sharing, it is impossible to know the true scale and cost of ransomware, making it difficult for law enforcement to get the resources and data they need to tackle this growing problem.

2020 ransomware payments revisited

As we cover in our 2021 Crypto Crime Report, ransomware attacks skyrocketed in 2020. Our initial estimates from blockchain analysis put the total amount extorted from victims at just under $350 million worth of cryptocurrency, which represents a 311% increase over 2019 totals.

However, the discovery of these 1,230 new ransomware addresses changes that.

Those addresses received roughly $21 million in victim payments in 2020, bringing the year’s new ransomware revenue estimate to a total of just under $370 million. That represents a 6% increase over our previous estimate, and a 336% increase over the 2019 total.

That $21 million also represents a 70% increase in 2020 ransomware victim payments to NetWalker specifically, bringing the strain’s total for that year to $51 million, and its all-time total since becoming active in August 2019 to just under $78 million.

Before the addition of victim payments from these new addresses, our analysis found NetWalker was the fourth-most prolific ransomware strain of 2020. With the new addresses, it now ranks second for the year behind Ryuk.

We’ll continue to monitor the situation and provide an update if the new addresses are definitively attributed to NetWalker or to any other strains.

It’s important to report ransomware attacks

The discovery of these new addresses is a perfect example of why we must always assume the true cost of ransomware is higher than any given calculation would indicate. Due to underreporting, it’s nearly impossible to know the true amount extorted from victims in any given time period, so all estimates must be treated as lower bounds of the true number.

However, we hope that this will change over time. Whether they pay or not, it’s crucial that more ransomware victims report their attacks to the authorities. Not only does reporting help ensure that estimates like ours are more accurate, but more importantly, giving ransomware attackers’ cryptocurrency addresses to law enforcement increases investigators’ odds of finding actionable leads, which could eventually help them disrupt the strain in question.