Abstract
Ransomware has evolved from opportunistic attacks into a sophisticated financial enterprise sustained by cryptocurrency markets, despite enforcement pressure. Drawing on the analysis of 525 ransomware strains (2013–2025), we identify three eras: Spray-and-Prey (2013–2018; fragmented payment practices), Big Game Hunting (2018–2021; targeting high-value organizations), and Ransom Bazaar (2021–present; financialized, service-oriented extortion). These eras are analytic ideal types that show how ransomware operators evolved their tactics, which have come to feature negotiation and flexible pricing, to adapt to cryptocurrency market conditions in ways that mirror broader financialization dynamics. This paper offers two main contributions: (1) an empirical map of payment evolution and (2) a theory of ransomware as commercial adaptation to cryptocurrency markets.
Introduction
Ransomware is a form of online extortion whereby ransomware operators deploy malware that denies their victims access to data or systems, most commonly through encryption, and demand payment, typically in cryptocurrency, to restore access (Mabunda, 2019; Salvi & Kerkar, 2016). Its contemporary prominence reflects a broader shift in extortion from coercion grounded in physical threats to coercion mediated through digital dependence (Chin, 2000; Gundur, 2019). When organizations lose access to core systems, they may be unable to deliver services, generate revenue, or safeguard sensitive information.
Although the first widely cited ransomware incident dates to 1989 (the AIDS Trojan), ransomware remained relatively uncommon through the 1990s and early 2000s because collecting payments was cumbersome and risky for ransomware operators (Baker, 2022). The prevalence of ransomware deployments increased sharply in the late 2000s and early 2010s as cryptocurrencies, especially Bitcoin, enabled fast, pseudonymous, cross-border payments at scale (Connolly & Wall, 2019; Kshetri & Voas, 2017). By the mid-2010s, ransomware had evolved into a professionalized criminal industry; ransomware as a service (RaaS) models lowered barriers to entry and supported specialization among various actors within the ransomware ecosystem, including affiliates, negotiators, and infrastructure providers (Baker, 2022; Meurs et al., 2024).
This transformation led to steep growth in incident rates and harm. Verizon’s 2025 Data Breach Investigations Report (indicating 12,195 confirmed breaches across 139 countries) found ransomware present in 44% of breaches; this finding underscores ransomware’s integration into mainstream intrusion activity rather than being isolated nuisance attacks (Verizon, 2025). In the United States, the FBI reported total cybercrime and scam-related losses of US$16.6 billion in 2024, and identified ransomware as a major threat to critical infrastructure, with complaints increasing 9% compared to 2023 (FBI, 2025). Ransomware operators have generated substantial direct revenues. Chainalysis (2025) estimated ransomware payments totaling US$1.25 billion in 2023, marking a record year for on-chain ransom revenue; however, 2024 saw an estimated 35% decrease to US$813 million.
Governments, firms, and civil society have responded with extensive countermeasures, including technical hardening such as patching, multi-factor authentication (MFA), data and network segmentation, offline backups (Cybersecurity and Infrastructure Security Agency [CISA] n.d.), awareness and decryptor initiatives, insurance-driven risk controls (MacColl et al., 2023; Kshetri, 2020), and periodic law-enforcement disruptions (Europol, 2024). Yet ransomware remains resilient. In many settings, ransomware strains appear to adapt faster than defensive measures can suppress them. This persistence raises a core puzzle: Why does ransomware continue to scale and professionalize even as the environment becomes hostile?
This article argues that ransomware’s durability cannot be explained solely by technical advantage, such as better malware or exploitation, or by weak security practices. Instead, ransomware operators have increasingly reorganized their ransom strategies around the financial logics of cryptocurrency markets. In particular, the financialization of cryptocurrency, including growth in market participation, instruments, and profit opportunities, has influenced the incentives, tools, and expectations that structure ransom pricing, payment methods, and cash-out practices (Sawyer, 2013). These market dynamics, we suggest, explain why ransomware deployments have moved beyond “encrypt-and-demand” and now incorporate commercialized practices, which include standardized payment infrastructures, negotiation services, and offender-provided facilitation that help victims pay.
Against this backdrop, the study examines the evolution of ransomware business strategies through three linked research questions:
To address these questions, we assembled and analyzed an original dataset of 525 ransomware strains (2013–2025), coded on first appearance, ransom-note language, solicited payment method(s), and typical amounts demanded. In contrast to much cybersecurity research that foregrounds technical defenses, our analysis centers the payment rails and financial infrastructures that sustain ransomware profitability and underpin its persistence. The article makes two main contributions. First, it maps the evolution of payment instruments, pricing, and cash-out practices across 2013 to 2025. Second, it theorizes key technical and organizational changes in ransomware, including payment and negotiation practices, as commercial adaptations to shifting cryptocurrency market conditions.
The paper proceeds as follows. We first review scholarship on cryptocurrency financialization and ransomware. We then describe our dataset construction, methods, and the analytical strategy. Next, we present empirical findings on payment and pricing trends alongside linguistic and targeting shifts. Finally, we outline implications for theory and for efforts to disrupt the financial infrastructures that enable ransomware.
Literature Review
A Typology of Risks and Protective Factors Inherent in Ransomware Crime
When demanding payment from their victims, extortionists impose several requirements which are designed to obscure the transaction from law enforcement scrutiny and to hamper or altogether deter investigation and interdiction (Rusev, 2018). As with any crime, acquiring the money is moot if the subsequent probability of capture is high or the ability to spend the proceeds of the crime is low. Thus, extortionists must consider not only the execution of a crime, but also its aftermath, for example, the potential for getting caught and the ability to cash out (Gundur et al., 2021). Common street extortionists generally guard against post-offense capture by seeking cash, the one transactional medium optimized for eliminating traceability and maximizing fungibility for participation in illicit markets (Rusev, 2018). Ransomware operators are inherently extortionists and, as such, are similarly concerned with preventing post-offense capture. Thus, they seek cash-like anonymity, liquidity, and spendability, via virtual transactions, to avoid the problems that arise with cash when extorting people in digital contexts.
The Properties of Cash
Six key characteristics make cash suitable for illicit transactions. First, cash is universally available and easily accessed; thus, cash ensures that, when victims are extorted, victims can readily access the financial instrument through which to pay. Second, cash transactions represent an immediate transfer of value without the possibility of remote retraction, as is the case with bank-mediated electronic payments. Third, cash is both highly liquid and highly fungible; it can be spent immediately upon receipt. Fourth, cash holds its value; its worth and purchasing power are largely predictable. Fifth, cash can be used to transact relatively high values when the requested currency is desirable and available in sufficiently large denominations, such as U.S. dollars, British pounds, or European Union euros. Finally, cash transactions do not generate a record, making them concealable and very difficult—though not entirely impossible—for authorities to trace. Together, these attributes make cash the preferred medium for extortionists in both traditional and digital contexts (Hendrickson & Luther, 2022).
However, unlike extortion efforts in the physical world, digital extortionists cannot easily rely on cash since no physical, untraceable transaction occurs in the digital world. The deposit of cash via a bank generates an investigable record that risks exposing the extortionist. Thus, extortionists trading in the digital world must consider alternative digital means of demanding and receiving monetary value that approximate the attributes represented by cash. Few of the financial transaction methods available to cybercriminals possess all six attributes. That no digital financial mechanism possesses all six cash-attributes may mark an opportunity for law enforcement to conduct investigations and for victims to engage in recovery efforts. The earlier the investigation begins after the event, the more likely it is to succeed.
This article examines processes, methods, and products in transactions solicited via ransomware and how they have evolved from 2013 to 2025. Our analysis considers how ransomware operators craft their attacks, demand payment, and manage the post-offense threat of investigation, enforcement, and capture. Because ransomware has limited exposure in both practitioner and research circles, we begin with a comprehensive review of the extant research on ransomware crime to contextualize our empirical approach. Our analysis draws from publicly available data on the incidences and characteristics of ransomware attacks during this period to reveal patterns and emerging trends in this increasingly sophisticated form of online criminality. These emerging trends inform our conclusions regarding ransomware and the policies needed to combat it. Chief among these trends is the emergence of cryptocurrencies as replacements for cash and the cross-national aspects of ransomware attacks. Consequently, we focus on the need to establish cooperative data sharing for the purposes of investigation, interdiction, and research.
What We Know About Ransomware
Since its introduction in 1989, ransomware has rapidly evolved (Kalaimannan et al., 2017; Maigida et al., 2019; O’Kane et al., 2018; Richardson & North, 2017), with changes in software development (Aurangzeb et al., 2017; Choudhary et al., 2016; Hull et al., 2019), payment systems (Aurangzeb et al., 2017), and target selection (Gibson & Banik, 2017; Zimba & Chishimba, 2019). Ransomware deployment strategies have also changed. For example, RaaS applications can be contracted from criminal entrepreneurs (Meland et al., 2020). Moreover, ransomware is no longer limited to computers; deployment now also occurs via smartphones and internet-of-things (IoT) devices (Yaqoob et al., 2017). This expansion of platforms and varieties of ransomware, along with exponential growth in hardware development (particularly computing power and cloud computing), has accelerated the impact and number of ransomware attacks in response to various market pressures and opportunities (Hampton et al., 2018; CrowdStrike, 2025).
Research is emerging on the financial exchange systems used by ransomware developers to receive payments from their victims. In an early comparison of 40 studies across the ransomware literature, Aurangzeb et al. (2017) compiled a list of popular payment methods, which included iTunes gift cards, paysafecard, and prepaid online payment systems. As a loose rule, crypto ransomware, which encrypts a user’s files, most often asks for payment via cryptocurrencies (primarily Bitcoin). Meanwhile, locker ransomware, where users are denied wholesale access to their devices with ransomware operators only allowing the user to initiate payment, mostly asked for payment via a voucher (Richardson & North, 2017). Now, with the professionalization of ransomware and an increase in other cryptocurrency-related crimes, payment requests involve primarily cryptocurrency (Chainalysis, 2025).
Most investigations of the economics, traceability, or impact of ransomware focus primarily on Bitcoin, with significantly less attention paid to other lesser known, yet established forms of cryptocurrency, such as Ethereum, Litecoin, Monero, and Dash. Huang et al. (2018) traced transactions from the victims’ acquisition of Bitcoins to the ransomware developers’ cashing-out process, tracking US$16 million in potential ransom payments. They traced disproportionate impacts of ransomware in South Korea to a family of malware programs referred to as Cerber. Cerber, however, is one of many different ransomwares that have disproportionately impacted a specific country. Further studies are needed to systematically identify geographic locations that ransomware primarily targets, as well as the type of malware most likely to be implemented based on the geographical location of ransomware victims and ransomware operators. To date, no literature has identified geographic preferences toward one payment system over another, nor the geographic implications of non-English deployments of ransomware. These limitations represent serious gaps in the knowledge base.
Other studies have focused on the interplay between ransomware versions and cryptocurrency financial streams, both legal and illegal. For example, Paquet-Clouston et al. (2019) created an automated method to trace monetary flows, which they applied to Bitcoin transactions within ransomware networks. Meland et al. (2020) examined RaaS and its impact upon the online marketplaces of the darknet. Others have focused on the extent to which cryptocurrencies, especially Bitcoin, achieve critical thresholds for transactional liquidity and fungibility (Kshetri & Voas, 2017). Cryptocurrencies’ dual status as forms of value storage and commodities creates unique challenges for ransomware operators and their victims. For instance, Conti et al. (2018) studied the economic impact of ransomware from a Bitcoin payment perspective, stressing the volatility of Bitcoin as a payment system and the potential for this volatility to skew the final valuation of ransomware’s cost. Hernandez-Castro et al. (2020) examined pricing distribution and strategies across various families of ransomware. However, studies do not always consider fluctuations in Bitcoin price and the periphery or transaction fees associated with ransom payments; thus, many studies may either inflate or underestimate monetary results, given unknowns regarding cashing-out regimes and routines; no crypto equivalent of “real prices” standardization exists to facilitate consistent comparison over both time and cryptocurrency type. Accordingly, we could not identify studies that considered the criminogenic implications of the intersection of amounts ransomed and payment instruments requested.
While the technical literature on ransomware is robust, notable gaps exist beyond the technical context, particularly because the data required to conduct more nuanced behavioral and economic analyses are held by private corporations that have little or no interest in sharing data for research (see our discussion for a full treatment of this issue). Security corporations, such as Chainalysis, McAfee, and Malwarebytes, among others, are responsible for most of the statistical research related to ransomware. However, these corporations have no obligation to, and largely do not, report all the information they obtain or how their proprietary methodologies work. Furthermore, limited peer-reviewed research is available on the economics of ransomware; few studies focus on the economic impact of ransomware or the specific economic impacts of the payment systems employed in ransomware demands.
The economic studies that do exist focus primarily upon Bitcoin to the exclusion of other payment systems. Moreover, these studies are constrained by the underground nature of ransomware and lack of consistent law enforcement interdiction that would produce usable statistics for empirical research and model testing. Consequently, systematic data on the background characteristics of ransomware operators and victims are difficult to identify for the purposes of developing testable profiles or a consistent typology of risk and protective factors vis-à-vis ransomware attacks. Thus, little non-proprietary knowledge exists, regarding the precise proportion of victims who pay ransoms, those who perpetrate the bulk of ransomware attacks, where ransomware operators are located, and whether these factors and ransomware operators’ motivations have changed over time. To complicate matters, in some jurisdictions, ransom payments are illegal (Iwasaki, 2025).
Although the technical literature depicts ransomware as a fast-moving malware ecosystem, it remains silent on why certain business models (rapid affiliate chains, aggressive double- and triple-extortion, pivots to privacy coins and stablecoins in payment requests) outpace others. Empirical gaps surrounding payment instruments, financial exchange and transfer limitations, and risk-sharing arrangements within the context of cryptocurrency markets suggest that a purely technological reading cannot fully explain contemporary attack patterns. To account for these unexplored economic dynamics, this study presents an illicit financialization perspective and treats ransomware operators as both hackers and shadow financial actors who, like licit financiers, work to expand and proliferate new financial markets, in this case, the cryptocurrency market (Sawyer, 2013).
This Study: Data and Methods
To address our three research questions, we assembled an original dataset of 525 ransomware strains that appeared between 2013 and 2025. All data utilized was publicly sourced and contained no personally identifiable information. Per institutional guidelines for the analysis of public data, ethical approval was not required (Winter & Gundur, 2024).
We began with security researcher Florian Roth’s (Twitter/X.com: cyb3rops) list of ransomware from 2010. We supplemented this list with notable ransomware strains identified through September 2025 via news reports, gray literature, and security researchers’ disclosures. Only strains explicitly requesting monetary payment were retained. Strains from 2010 to 2012 were excluded due to incomplete historical records and sparse payment method documentation. Non-monetary malware strains (e.g., wipers, political malware) were also excluded.
Data collection followed a multi-source triangulation protocol that utilized primary, secondary, and tertiary sources. Primary sources consisted of ransom notes retrieved via reverse image searches, using individual strain names. Secondary sources included news databases, such as LexisNexis and Google News; security blogs, including BleepingComputer and Krebs on Security; and gray literature, such as Chainalysis and CrowdStrike reports. Tertiary validation drew from security researcher disclosures shared via X/Twitter, Reddit, and specialized security forums. For each of the 525 ransomware strains, we systematically coded four key variables linked to specific research questions: year first recorded (
The primary unit of analysis is the ransomware strain. Each strain is treated as a distinctly named family/variant for which ransom-note artefacts and/or consistent descriptions of payment instructions could be identified. We coded strain-level attributes (language, payment instrument(s) requested, typical demanded amount, and year first recorded) from ransom notes and triangulated reporting. While a single operational group may deploy multiple strains (and a strain may be used across multiple campaigns), our strain-level dataset does not directly observe group structure, campaign volume, or realized economic impact.
Attribution of specific ransomware operators over time has been an ongoing challenge; it is not possible to authoritatively disambiguate which parties are responsible for all ransomware activity. The professionalization of ransomware, however, has led to analysis that indicates that groups of coordinated actors exist. References to specific “groups” or “campaigns” are, therefore, used only as contextual illustrations drawn from external reporting and are not the basis of the quantitative summaries. The variable year first recorded reflects the earliest public documentation of the strain in our sources (e.g., a dated ransom note, analyst report, or reputable disclosure). This timestamp is used as a consistent marker of emergence for comparative purposes, but it does not necessarily indicate the period of peak prevalence or economic impact.
To address the three research questions, we coded each strain on a common set of attributes drawn from ransom-note artefacts and triangulated reporting. For
Thus, our data map the evolution of ransomware payment requests, pricing signals, and negotiation practices over time, but they do not directly observe offender decision-making, victim conversion rates, or causal counterfactuals. Accordingly, we treat “financialization” as a macro-structural context operationalized via observable proxies (e.g., expanding payment rails, liquidity, and accessibility), and we interpret associations as mechanism-consistent evidence of adaptation rather than definitive proof of unidirectional causality.
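The strain-level coding described above (year first recorded, ransom-note language, payment instrument(s) requested, typical demanded amount, and whether the note asks the victim to initiate contact) can be reproduced as a small analysis routine. The following is an added example, not code or data from the paper: the records are constructed for illustration, the `half` field used to place a strain on either side of the mid-2018 and late-2021 era boundaries is an assumption (the paper codes year only), and the summary statistics are the observable proxies the text describes (new strains per year, non-English share, cryptocurrency share, negotiation share, and stated demand per era).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample records for illustration only; these are NOT rows from the
# paper's 525-strain dataset. Field names mirror the paper's coded variables.
@dataclass
class Strain:
    name: str
    year: int                    # year first recorded (emergence, not peak prevalence)
    half: int                    # 1 = first half, 2 = second half of that year (assumed marker)
    languages: tuple             # ransom-note language(s), ISO-style codes, e.g. ("en", "es")
    instruments: tuple           # payment instrument(s) requested in the note
    amount_usd: Optional[float]  # typical demanded amount; None when the note says "contact us"
    negotiate: bool              # note asks the victim to initiate contact to negotiate

SAMPLE = [
    Strain("demo-locker-a", 2013, 2, ("en",), ("bitcoin",), 300, False),
    Strain("demo-voucher-b", 2014, 1, ("de", "en"), ("paysafecard",), 100, False),
    Strain("demo-cerber-like", 2016, 1, ("en", "ko"), ("bitcoin",), 1200, False),
    Strain("demo-wire-c", 2016, 2, ("pt",), ("wire transfer",), 250, False),
    Strain("demo-contact-d", 2017, 2, ("en",), ("bitcoin",), None, True),
    Strain("demo-bgh-e", 2018, 2, ("en",), ("bitcoin",), 250_000, True),
    Strain("demo-privacy-f", 2020, 1, ("en",), ("monero", "bitcoin"), 1_000_000, True),
    Strain("demo-bazaar-g", 2022, 1, ("en",), ("monero",), None, True),
]

CRYPTO = {"bitcoin", "monero", "dash", "ethereum", "litecoin"}

def era_of(s: Strain) -> str:
    """Assign the paper's three ideal-type eras from first-recorded date.
    Using the half-year marker to resolve the mid-2018 and late-2021 boundaries is an assumption."""
    if (s.year, s.half) < (2018, 2):
        return "Spray-and-Prey"
    if (s.year, s.half) < (2021, 2):
        return "Big Game Hunting"
    return "Ransom Bazaar"

def yearly_summary(strains):
    """Per year of first record: number of new strains, share with a non-English note,
    share requesting any cryptocurrency, and share asking the victim to negotiate."""
    by_year = defaultdict(list)
    for s in strains:
        by_year[s.year].append(s)
    out = {}
    for year in sorted(by_year):
        group = by_year[year]
        n = len(group)
        out[year] = {
            "new_strains": n,
            "non_english_share": sum(any(lang != "en" for lang in s.languages) for s in group) / n,
            "crypto_share": sum(bool(CRYPTO & set(s.instruments)) for s in group) / n,
            "negotiation_share": sum(s.negotiate for s in group) / n,
        }
    return out

def era_summary(strains):
    """Per era: strain count and median stated demand among strains that state an amount.
    Strains whose note only says 'contact us' are counted but excluded from the median."""
    by_era = defaultdict(list)
    for s in strains:
        by_era[era_of(s)].append(s)
    out = {}
    for era, group in by_era.items():
        amounts = sorted(s.amount_usd for s in group if s.amount_usd is not None)
        median = None
        if amounts:
            mid = len(amounts) // 2
            median = amounts[mid] if len(amounts) % 2 else (amounts[mid - 1] + amounts[mid]) / 2
        out[era] = {"strains": len(group),
                    "stated_demand_n": len(amounts),
                    "median_stated_demand_usd": median}
    return out

if __name__ == "__main__":
    for year, row in yearly_summary(SAMPLE).items():
        print(year, row)
    for era, row in era_summary(SAMPLE).items():
        print(era, row)
```

Because the year variable records emergence rather than prevalence, the per-year rows describe what kinds of payment requests became available in a given year, not which strains were most disruptive then, which is the same caveat the text attaches to the full dataset.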
Limitations
It is not possible to provide a comprehensive analysis of all ransomware strains; as a result, this study has limitations. Our dataset likely overrepresents high-profile strains (e.g., CryptoLocker, Ryuk, Conti) due to their disproportionate visibility in news coverage and security reports; at the same time, it may underrepresent failed, regional, or low-impact strains that evade public documentation. This selection bias favors successful strains with higher reporting rates, potentially skewing perceptions of payment evolution toward dominant market leaders.
Western and English-language reporting bias further constrains generalizability. Primary sources (security blogs like BleepingComputer, Krebs on Security) and news databases (LexisNexis, Google News) predominantly cover English-speaking victims and Western targets, while systematically underrepresenting non-English regional campaigns prevalent in Eastern Europe, Latin America, Africa, and Asia. We made a concerted effort to look for non-English ransom notes, using the linguistic skills of the team; we coded those notes when we identified them. Non-English ransom notes, however, likely remain underrepresented due to linguistic barriers in source materials.
Another limitation relates to measuring and reporting the success metrics of ransomware deployments, which include infection rates, conversion rates (proportion of ransomware victims paying), and total payments received. The methodologies that estimate these metrics remain proprietary to private security firms like Chainalysis, CrowdStrike, and Sophos. This shortcoming represents a systematic field-wide data gap that hampers comprehensive economic analysis of ransomware profitability, a critical limitation acknowledged across cybersecurity literature but rarely resolved through data-sharing initiatives between industry and academia.
Our reliance on publicly available sources (ransom notes, security blogs, and news reports) introduces a potential underreporting bias. Unreported strains, failed deployments, or ransom negotiations conducted via ephemeral communication channels (e.g., Jabber, Telegram, or communications with disappearing messages) may not be represented in our 525-strain dataset. Similarly, ransom amount reporting may be incomplete for negotiation-based demands, where final payments often diverge substantially from initial asks, a methodological constraint inherent to observational cybercrime studies.
Another limitation relates to the temporal scope, which concluded in September 2025; ransomware’s rapid evolution demands continuous dataset updating. Nonetheless, our three-era framework (Spray-and-Prey, Big Game Hunting, Ransom Bazaar) provides a robust analytical structure for incorporating future strains. Importantly, because our temporal coding captures first documented emergence rather than prevalence, our results should be interpreted as changes in the availability and design of payment requests over time, not as definitive estimates of which strains or groups were most disruptive or economically consequential in a given year.
Finally, our analytical focus on payment systems necessarily underemphasizes complementary technical dimensions, such as attack vectors (phishing vs. exploit kits), encryption strength, or evasion techniques. While payment evolution constitutes the core of our research questions, future studies should integrate these technical dimensions to fully map ransomware’s financial-technical co-evolution.
Despite these constraints, this study delivers the most comprehensive publicly available analysis of ransomware payment evolution across 525 strains and 12 years. Critically, our findings highlight systematic data gaps, which require improved collaboration between security firms, law enforcement, and researchers. Enhanced data-sharing protocols, potentially through anonymized aggregate metrics or public-private research consortia, would enable more definitive economic analyses of ransomware’s financial resilience and inform more effective policy interventions.
Results and Analysis
The analysis of these ransomware strains shows that, as in the 2010s, ransomware in the mid-2020s continues to proliferate with significant economic impact (National Cyber Security Centre, 2025). However, our analysis further considers themes that are absent from the literature, such as the language of deployment and implications of the types of payment instruments used to request funds. Additionally, our study demonstrates a shift from past practice: current large-scale deployments of ransomware primarily use English and seek Bitcoin (and, most recently, other, more secure cryptocurrencies, such as Dash and Monero), place greater emphasis on targeting corporate actors capable of paying high ransom requests, and adapt their communication behavior to improve the likelihood of ransomware payment.
Ransomware Since 2013
New ransomware strains do not appear to exhibit specific trends over time; moreover, patterns regarding the proliferation of ransomware deployments and volume of ransoms are not well understood. Figure 1 shows that the introduction of new ransomware strains rose sharply in 2016 and 2017 relative to other years. However, no account exists as to why these two years experienced this upsurge of new strains. In addition, 2016 was a historic high-point for the number of ransomware attacks, matching the high in new ransomware strains introduced (Vojinovic, 2023).
Figure 1. Frequency of new ransomware strains by year.
One possible explanation for the decrease in new ransomware post-2017 may be the association between ransomware development and high-profile takedowns. The December 2016 transnational, multi-agency takedown of Avalanche, a cloud-based bulletproof hosting service that various cybercriminal actors, including ransomware operators, would have leveraged, correlates with the decrease in ransomware deployments over the following year (Wainwright & Cilluffo, 2017). Little indication exists as to where these bulletproof hosting customers were displaced to. The need for “cash-like” characteristics (discussed above) indicates that such a service is necessary for successful ransomware attacks. Ransomware operators benefit from bulletproof hosting providers’ secure nature and their central role in operating the command-and-control structures ransomware operators typically use to deploy ransomware and manage their attacks successfully (Provos et al., 2007; Tajalizadehkhoob et al., 2017).
The 2017 coordinated takedown of the dark web criminal marketplaces AlphaBay and Hansa Market also correlates with the decrease in ransomware attacks that occurred the following year. Eventually, however, these customers migrated to Dream and, after Dream’s demise, to Empire, both of which had sellers who provided RaaS sales and support (Meland et al., 2020). Nonetheless, both Dream and Empire appear to have provided only a modest amount of RaaS and no access to the most damaging strains (Meland et al., 2020). Without data on infection rates, it is not possible to estimate operational arcs of ransomware deployments generally. A given ransomware deployment may die out if the vulnerabilities it exploits are successfully patched or if the ransomware deployment is not being used actively (Eshghi et al., 2014). Reports indicate that a small number of ransomware families have better staying power and account for a disproportionate number of infections and ransom demands (Abrams, 2021; Palmer, 2021; SonicWall, 2022).
Over the period studied, three eras of ransomware appeared: the Spray-and-Prey Era (2013 to mid-2018), the Big Game Hunting Era (from mid-2018 to late 2021), and the Ransom Bazaar Era (from late 2021 and still ongoing at the time of writing). Ultimately, the eras proposed are heuristic frameworks for how payment demands have evolved; they should not be viewed as discrete empirical regimes. In other words, these eras represent analytic ideal types, that is, stylized models that distill dominant payment/targeting patterns. While we anchor the analytic boundaries between the eras to pivotal market developments—the introduction of CryptoLocker in 2013, the introduction of Ryuk in 2018, and the aftermath of the Colonial Pipeline attack in 2021—we acknowledge that some payment demands and processes overlap, while some ransomware strains appear across eras.
Figure 2 illustrates the progression of ransomware from early opportunistic campaigns to professionalized, market-based operations, marked by key turning points.
Figure 2. Timeline of major ransomware eras and key events (2013–2025).
The Spray-and-Prey Era (2013 to Mid-2018)
The Spray-and-Prey Era (2013 to mid-2018) began with the release of CryptoLocker in late 2013, the first ransomware strain to successfully combine strong public-key encryption with an automated Bitcoin-based payment system. This marked the point at which ransomware ceased to be an isolated technical nuisance and became a scalable criminal enterprise. CryptoLocker demonstrated that ransomware operators could coerce victims, be they individuals, small and medium enterprises (SMEs), or larger businesses, into paying digital ransoms at scale, and net an estimated US$3 million before authorities disrupted the operation (Baker, 2022). CryptoLocker’s success triggered a wave of copycats, derisively known as “script kiddies,” who used simplified RaaS kits on underground forums that enabled low-skill offenders to distribute ransomware indiscriminately through phishing campaigns and exploit kits. The combination of accessible code, easy-to-use Bitcoin wallets, and global email delivery tools gave rise to the “spray-and-prey” strategy—mass distribution with little regard for target selection—characteristics which defined the early years of ransomware’s evolution toward professionalization.
This early period is marked by ransomware deployments that were largely automated affairs, “spraying out” ransomware, using simple solutions, such as phishing emails, which preyed on whoever clicked. To achieve payment compliance from their victims, ransomware operators undertook two measures. First, ransomware operators wrote notes to victims in their native languages so that victims understood that they were being ransomed. Second, ransomware operators requested modest amounts to ensure that victims would be likely to pay. These early ransom requests rarely eclipsed US$500; however, some notable ransomware strains appearing in this period, such as WannaCry and Cerber, asked for up to US$1,200. Cryptocurrency requests of this period, particularly through Bitcoin, are well documented in the literature and in the press. One study that surveyed ransomware from 2016 and 2017 estimated that cryptocurrency was the third most popular way to request funds (12%) after pre-paid cash vouchers (42%) and wire transfers (14%; Conti et al., 2018; Liao et al., 2016; Paquet-Clouston et al., 2019; Simoiu et al., 2019).
The final eight months of the Spray-and-Prey Era saw two notable developments in how ransomware operators requested payment. First, starting in 2017, ransomware operators deployed ransomware that requested payment to uniquely generated Bitcoin wallets, whereas previous attacks asked victims to pay into a small number of Bitcoin wallets (SonicWall, 2018). This change made it more difficult for anyone to track payments and to estimate infection success; later, researchers demonstrated that it was still possible to track the movement of these payments as they were consolidated (Ahmed et al., 2019). Second, ransomware operators began to ask victims to make direct contact to negotiate payment. Given the lack of clear reporting on ransomware strains using this strategy, we suspect it was employed to maintain secrecy regarding payment amounts and addresses. Over the period monitored, 13% of the ransomware strains examined required victims to initiate contact with the ransomware operators and negotiate payment.
The Spray-and-Prey Era was more linguistically diverse than the ransomware eras that followed. While ransomware deployments have historically been overwhelmingly in English, at least 18% of ransomware strains during the Spray-and-Prey Era used a language other than English (sometimes in addition to English) in each year, with the exception of 2014, which had few new ransomware deployments. This linguistic diversity supports the inference that ransomware operators were targeting a wide range of low-value targets across a wide geographical swath.
Given that payment data suggests that easily accessed financial instruments were most commonly used during the height of the Spray-and-Prey Era to request ransom, we suggest that ransomware operators were primarily concerned with communicating their demands in a manner easily and immediately understood by their victims. If a ransom is delivered only in English, then a user who does not speak English or does not recognize Roman letters is unlikely to respond to the ransom or pay it. Any barrier that requires low-value victims to decipher what must be done to recover access to their devices likely decreases the likelihood ransomware operators will receive a successful payment for two possible reasons: Victims will require expert help from a third party who is unlikely to recommend paying the ransom; and victims will reset the device to regain its usage despite losing their data. Thus, to ensure payment compliance from their victims, small-scale deployments of ransomware strains were more agile in their strategies, using non-English languages and local payment systems to ransom small-value targets.
The Big Game Hunting Era (Mid-2018 to 2021)
The start of the high-ransom period was marked by the August 2018 entry of Ryuk, a strain derived from the Hermes ransomware that debuted in 2017. While Hermes requested modest sums, Ryuk asked for and received ransoms of hundreds of thousands of dollars; the average payment made in the fourth quarter of 2019 was US$780,000 (Schwartz, 2020). Ransomware deployments now evolved from automated attacks that targeted victims indiscriminately, regardless of their capacity to pay, to tailored attacks that targeted high-value (usually corporate) victims able to pay larger ransoms. Moreover, these ransomware deployments employed targeted breaches (i.e., hacking) to gain entry to a secure system and deploy the malware (Chandler, 2020; Europol, 2020).
The Big Game Hunting Era also saw the introduction of significantly fewer new ransomware strains. With the success of a few dominant strains—the average payment across ransomware strains in the second quarter of 2020 was nearly US$180,000—ransomware developers appeared to be developing tools to target high value victims with the ability to pay large sums (Lallie et al., 2021). The RaaS model continued in the Big Game Hunting Era; however, compared to the ransomware available in the Spray-and-Prey Era, the ransomware sold in this period improved its level of encryption, its capacity to operate independently of command-and-control servers, and its highly configurable nature (Keijzer, 2020). Although fewer ransomware strains appear to be operating in this era, by 2021, it became clear that ransomware strains can remain dormant for years before being redeployed with minor tweaks (Palmer, 2021).
Ransom payment requests in the Big Game Hunting Era were dominated by cryptocurrency. All but one of the ransomware strains in our database, introduced in this era, used Bitcoin, Dash, or Monero for payment. These payment systems are capable of transacting values that are significantly higher, with lower risk to the cybercriminal, compared to the preferred voucher systems and bank transfers of the Spray-and-Prey Era. Although reports identify cryptocurrencies as the focus of payment requests, some ransomware strains additionally mandate that victims engage with the strain’s operator to finalize the negotiation, leaving the possibility that other transaction methods are used, but not reported by victims.
Of the three cryptocurrencies used in ransomware applications in the Big Game Hunting Era, Bitcoin was the most popular, with 16 of the ransomware strains using it to request payment. Dash was used by two: GandCrab and Antova; however, GandCrab began accepting Bitcoin reportedly due to victims’ low payment compliance with Dash, a cryptocurrency which is less likely to be stockpiled and accessed by victims or their insurance companies. Sodinokibi, also known as REvil, started ransoming with Bitcoin, but moved to Monero due to its superior anonymity. While ransoms of US$42 million and US$50 million have been reported, no definitive indication exists of payments of that magnitude; however, lower sums (still in the millions of US dollars) have been paid (Abrams, 2021; Cimpanu, 2021; Nixon, 2021).
The geography of ransomware infections and targets was reported inconsistently across the gray literature during the Big Game Hunting Era. High concentrations of victims were variously reported as being in the United States (SonicWall, 2018) and the Middle East (Kaspersky, 2020). This era also displayed less linguistic diversity compared to the Spray-and-Prey Era, with only three strains appearing to actively ransom victims in languages other than English. This practice did not reveal systematic patterns in terms of province or targets of ransomware, but suggests that English, the lingua franca of business, is the most efficacious language in goading victims to act. Notably, high-value targets frequently operate in the English-speaking world or are multinational corporations that trade at least partly in English.
Importantly, the operators of the most successful ransomware strains in this period sought to ensure payment from their victims (or their victims’ insurers) via double- and triple-extortion. In some cases, these multi-lever extortion attempts deployed increasing sophistication and homed in on larger, institutional targets. In others, ransomware operators combined encryption of files with data theft and, at times, denial-of-service attacks. These multiple coercive levers, running in parallel, escalate compliance with the extortioner’s ransom requests without major technological innovation. Moreover, ransomware operators and other criminals, including state-sponsored actors such as North Korea, leveraged the lack of regulatory consistency throughout the world to cash out the proceeds of their cybercrimes (Park, 2021).
The presence of this growth-oriented extortion strategy indicates the Big Game Hunting Era was driven by ransomware operators who were consistent, rigid, and focused on high-value targets, and who employed technological innovations that ensured payment with greater security and bigger payoffs.
The Ransom Bazaar Era (2021 to the Present)
The Ransom Bazaar Era (2021–present) emerged in the aftermath of several high-profile enforcement shocks that disrupted the Big Game Hunting model. Following the 2021 Colonial Pipeline and Kaseya ransomware attacks, global law enforcement intensified scrutiny of centralized ransomware operations, resulting in arrests, takedowns, and cryptocurrency seizures (CISA, 2021, 2023). In response, ransomware developers began to decentralize their infrastructure, adopt affiliate-based RaaS models, and diversify payment options to reduce exposure. These changes, coinciding with the maturing of cryptocurrency markets and the growth of stablecoin liquidity, marked the transition into a new phase of ransomware’s evolution—one defined by negotiation, modularity, and financial sophistication.
The Ransom Bazaar Era has kept many features of the Big Game Hunting Era, including a focus on high-value targets, large-scale data encryption, and the use of cryptocurrency for payment. However, it also has marked a shift toward more flexible and layered extortion tactics. By 2021, professionalized ransomware operations, including Black Basta, DataLeak, Browlock, and Phobos, began using negotiation-based approaches, where ransom demands were adjusted based on the victim’s ability to pay or willingness to engage. In 2022, the emergence of Amerlife (an offshoot of Black Basta) and Anubis offered a RaaS tool that allowed affiliates to both encrypt and destroy files; thus, ransomware operations were becoming more customizable and business-like in structure.
In addition, in 2021, ransomware entered a phase marked by flexibility in payment design and deal-making, underwritten by the maturation and diversification of cryptocurrency markets. The Ransom Bazaar Era has also experienced increased enforcement and defensive pressures (Chainalysis, 2025). Consequently, ransomware operators have increasingly adapted payment architecture and negotiation scripts to reduce friction for victims while managing heightened surveillance and cash-out constraints. Thus, ransomware operators have created a commercialized experience in which they support victims through the payment process.
Payment request strategies have also evolved in this era. Among the ransomware strains for which the payment method is known (77% of all strains), every case involved a cryptocurrency-based demand of either Bitcoin or another digital currency. Bitcoin remained the most common payment request (66.7% of all strains in this era), while alternative cryptocurrencies, such as Monero and stablecoins, accounted for around 10% of the requests. Monero enhances anonymity by concealing transaction details at the settlement layer, whereas stablecoins provide price stability and predictable valuation for both victims and insurers. Increasingly, ransom notes list multiple payment options, allowing operators to hedge against enforcement constraints, regulatory exposure, and victims’ limited access to specific cryptocurrencies.
Importantly, the financialization of the cryptocurrency marketplace means that, even when Bitcoin is requested, it now operates in a materially different context than when the first ransomware strains were released. Major cryptocurrencies, notably Bitcoin, are more valuable (see Figure 3) and liquid, making Bitcoin easier to buy and sell compared to earlier ransomware eras. This difference in price, liquidity, and, to some extent, fungibility influences ransomware operators’ considerations, regarding feasibility, negotiation leverage, and cash-out options.
Figure 3. Bitcoin price over time.
Ransomware operators’ social engineering strategy makes use of “contact-first” instructions that require victims to open a communication channel before payment terms, such as amounts and wallet addresses, are disclosed. This tactic frustrates blockchain surveillance, enables dynamic pricing tailored to perceived ability to pay, and decentralizes traceable flows. The move allows for closed discussions between the ransomware operators and their victims, regarding how the ransom is to be financed; notably, press coverage of cryptocurrency settlements has decreased dramatically in the Ransom Bazaar Era.
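The distinction drawn above between notes that disclose a wallet address up front and notes that are “contact-first” is something an incident responder can check mechanically when triaging a ransom note. The following is an added example (not code from the paper or from any ransomware project): it extracts Bitcoin and Monero address candidates, contact channels, and amounts from note text, verifies legacy Bitcoin addresses with the Base58Check checksum so that decoys and copy errors are rejected, and classifies the note by payment pattern. The three sample notes are constructed; the one valid address used is the well-known Bitcoin genesis coinbase address, included only as a syntactically valid sample, and the contact handles are placeholders.

```python
"""Triage of ransom-note text: extract payment indicators and classify the
demand as address-disclosed or contact-first.  Added example; the sample
notes below are constructed, not real ransom notes."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate patterns: legacy (P2PKH/P2SH) and bech32 Bitcoin addresses, Monero
# standard/sub-addresses, e-mail and .onion contact channels, and amounts.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
XMR_RE = re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
AMOUNT_RE = re.compile(
    r"(?:US\$|\$|€|£)\s?\d[\d,]*(?:\.\d+)?|\b\d+(?:\.\d+)?\s?(?:BTC|XMR|USDT|USD)\b", re.I)


def btc_legacy_checksum_ok(addr: str) -> bool:
    """Base58Check: version(1) + hash160(20) + checksum(4) = 25 bytes, where the
    checksum is the first 4 bytes of SHA256(SHA256(version + hash160))."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        # Leading '1' characters encode zero bytes; big-endian padding restores them.
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(note: str) -> dict:
    """Return extracted indicators and a payment-pattern label for one note."""
    valid, rejected = [], []
    for addr in BTC_RE.findall(note):
        # bech32 is accepted on syntax only here; legacy addresses must pass the checksum.
        if addr.startswith("bc1") or btc_legacy_checksum_ok(addr):
            valid.append(addr)
        else:
            rejected.append(addr)  # right shape, wrong checksum: typo or decoy
    monero = XMR_RE.findall(note)
    contacts = EMAIL_RE.findall(note) + ONION_RE.findall(note)
    amounts = AMOUNT_RE.findall(note)
    if valid or monero:
        pattern = "address-disclosed"   # Spray-and-Prey style: terms stated in the note
    elif contacts:
        pattern = "contact-first"       # Ransom Bazaar style: terms withheld until contact
    else:
        pattern = "unknown"
    return {"btc": valid, "rejected": rejected, "monero": monero,
            "contacts": contacts, "amounts": amounts, "pattern": pattern}


# Constructed sample notes (placeholder handles, no real operator infrastructure).
NOTE_A = ("All your files have been encrypted. Send 0.5 BTC to "
          "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours or the price doubles to US$1,200.")
NOTE_B = ("Your network has been breached and your data exfiltrated. To receive a price and "
          "payment address, open a chat at exampleplaceholderonionaddr.onion or write to "
          "negotiate@example-placeholder.test within 5 days.")
NOTE_C = "Pay 300 USD in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (copy exactly)."

if __name__ == "__main__":
    for label, note in (("A", NOTE_A), ("B", NOTE_B), ("C", NOTE_C)):
        print(label, triage(note))
```

Note A classifies as address-disclosed with a verified address and two amounts; note B has no address but two contact channels, so it is contact-first; note C carries an address whose final character was altered, which the checksum rejects, leaving the note with no verified payment terms. In practice the rejected list is worth keeping: a note that only ever shows invalid addresses is itself a signal that the payment step is meant to happen over a channel the analyst has not yet seen.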
From 2023 to 2025, the resurgence and persistence of previously seen ransomware strains, including LockBit, ALPHV/BlackCat, Ryuk, Kremlin, Phobos, and WastedLocker, coincide with the broader adoption of multiple-cryptocurrency payment options, in the form of Bitcoin, Monero, or Tether, and the issuance of contact-first instructions.
Across all three ransomware eras, Bitcoin remained the dominant payment method, accounting for 70.5% of identified strains during the Spray-and-Prey Era (2010–2018), 78.3% in the Big Game Hunting Era (2019–2020), and 66.7% in the Ransom Bazaar Era (2021–2025). Nonetheless, a range of ransomware operators asked victims to pay via alternative mechanisms to varying degrees. During the Spray-and-Prey Era, attackers sometimes relied on prepaid systems, such as Ukash (1%), gift cards (1.3%), and vouchers (0.7%), alongside direct cash transfers (0.7%). These methods mirrored the early need for accessible, low-traceability payments.
By contrast, in the Big Game Hunting Era, nearly all non-cryptocurrency payment requests (i.e., Ukash, gift cards, and vouchers) collapsed, with Bitcoin representing 78.3% of all strains in that period (where the payment method is known) and other cryptocurrencies briefly representing nearly all non-Bitcoin payment requests (13% of those strains where the payment method is known). This pattern is consistent with the observed shift to enterprise-level targets and more professional operations.
In the Ransom Bazaar Era, the ecosystem diversified again. While other cryptocurrencies (10%) remained the dominant alternative to Bitcoin (66.7%), the coins requested changed. Privacy-oriented coins like Monero (1.7%) and various stablecoins such as Tether (1.7%) began to be requested by ransomware operators. That shift likely reflects ransomware operators’ adaptation to the imposition of regulatory requirements on the cryptocurrency financial ecosystem, including, inter alia, know-your-customer (KYC) checks, as the cybercriminals seek more cash-like (that is, stable or less traceable) payment mechanisms (Cole & Gundur, 2024). Notably, legacy requests for payment via Ukash, gift cards, vouchers, and direct transfers largely disappeared.
Together, these patterns mark a transition from a singular monetization pathway to a responsive ransomware economy in which attackers mix and match payment methods, currencies, and coercive levers to preserve their capacity to hold and transact the proceeds of their ransoms, while minimizing their risk of having law enforcement attribute them to a specific crime. The objective of ransomware operators remains primarily financial, but their deployments of ransomware strains are fluid, contextual, and adaptive. Thus, ransomware operators increasingly behave less like software developers and more like financial engineers, tuning payment architecture to the constraints and incentives of a regulated market.
Notably, neither the Big Game Hunting Era nor the Ransom Bazaar Era featured a significant number of small-ransom deployments, indicating that the dominant operators do not view them as financially viable. Given the lack of reporting, however, it is impossible to determine whether small-ransom deployments of ransomware are threats of the past. We posit that small-ransom ransomware strains could be redeployed in the future by targeting users of refurbished and unsecured devices where support is no longer offered (e.g., devices which run old operating systems, such as Windows 10 or Android Nougat and those which predate them, which are in common usage throughout the developing world and, for example, in legacy systems worldwide that are updated less frequently in industries, such as healthcare and government).
Payment Instruments and Regulatory Implications
Although the three ransomware eras reveal a variety of payment instruments used to ransom victims, many of those instruments that dominated the Spray-and-Prey Era were abandoned with the onset of the Big Game Hunting Era. Understanding which systems retained staying power and which did not is instructive. First, analyzing how a given type of financial transactional system optimally comports with different types of ransomware can reveal core principles of ransomware development and deployment that may be useful in future prevention and interdiction efforts. Second, an assessment of how and why various transactional systems and media are adopted by ransomware software designers and operators over time may explain how and why large-scale shifts in ransomware strategy take place and may predict such changes early. Thus, mapping which financial platforms dominated across ransomware eras shows how these platforms both enable ransomware payments and signal the payment practices that are likely to emerge or re-emerge as new technologies develop and cryptocurrency markets evolve.
Accordingly, this section presents the methods used in ransomware deployments to request funds from their targets and considers the following five elements in the context of law enforcement and regulation:
(1) The ease of use and market penetration (fungibility) of the payment platform;
(2) Typical values requested;
(3) Traceability of the transfer;
(4) Regulations in place to respond to and investigate extortive transfers; and,
(5) Geographic indications of victims or ransomware operators based on a payment platform.
The payment options have been clustered into three groups: payment vouchers; transactional systems, including mobile money and payment portals; and cryptocurrency.
Payment Vouchers
During the Spray-and-Prey Era, ransomware operators commonly requested that victims remit their ransoms using payment vouchers (Simoiu et al., 2019). Our data suggests that the three most popular vouchers were (in descending order): Ukash, paysafecard, and MoneyPak. Others may have been used in instances where victims made direct contact with their ransomware operators. Prepaid payment vouchers, generally, are as private as cash and allow users to spend anonymously. However, they are not as widely accepted as cash or credit cards. Nonetheless, prepaid payment vouchers are commonly accepted by online merchants and utility companies, allowing for direct spending of ill-gotten voucher codes, such as those acquired via ransoming victims, and by gambling and video gaming platforms. The link to gambling and gaming platforms is notable, given long-standing money laundering methods that leverage regulatory loopholes in reporting gambling earnings (Levi, 2009).
The now defunct Ukash was the most commonly requested voucher: 23 ransomware strains requested Ukash along with other voucher systems; 9 ransomware strains requested Ukash as the only form of payment. Ukash, distributed by Smart Voucher Limited, was a UK-based electronic money system that functioned in 50 countries. Users purchased secure, 19-digit codes with fiat currency (similar to purchasing a money order). Those secure codes could then be used to make payments online. Ukash functioned like cash; the company did not track transactions, and if codes were lost, like cash, they were considered gone. The requested Ukash ransoms were either 100 or 200 units of fiat currency; the most common currencies, in increasing order, were US dollars, British pounds, and euros. Most Ukash ransom requests (90%) demanded payment in euros; however, some requests permitted additional currencies. The UK’s Financial Services Authority (FSA) approved Ukash to operate as a regulated e-money issuer and permitted single online cash payment transactions of up to £500. FSA regulation abided by the Fourth EU Anti-Money Laundering Directive (4AMLD) and created a €250 limit under which companies could waive the need to conduct due diligence via KYC requirements, which force financial services providers to establish and maintain knowledge of their clients’ identity.
In April 2014, Ukash was acquired by digital wallet provider Skrill Group, which merged Ukash with paysafecard. Paysafecard (stylized as paysafecard) was the second most commonly requested payment voucher, with 23 ransomware strains requesting paysafecard as an option, usually with Ukash, and 3 requesting paysafecard uniquely. Paysafecard has a presence in over 40 countries and operates much like Ukash, in that its transactions are unlinked to identifying information. Paysafecard ransom requests primarily targeted European users, with requests appearing in euros and communicating via non-English, European languages, namely French and German. In France, in 2020, ransoms requested paysafecard payments of €300; however, the success rate of these ransom requests is unknown. The ransom demand would have required multiple payments of low-value cards, given the implementation of the Fifth EU Anti-Money Laundering Directive (5AMLD), which lowered the threshold of the KYC waiver to €150 and limited single transactions to €50 without the business having to identify its customer. Some ransomware deployments, over time, turned toward MoneyPak, the only other prepaid voucher that was requested in multiple instances.
Green Dot’s MoneyPak system is another e-voucher system which is purchased similarly to Ukash and paysafecard. However, unlike Ukash and paysafecard, MoneyPak codes are easily deposited onto prepaid debit cards. MoneyPak appeared in six ransom requests, but never as the only option. Typical ransoms ranged from 100 to 1,000 US dollars or euros, with most requesting 300 US dollars or euros. Early ransomware operators benefited from MoneyPak’s convertibility into the now defunct Liberty Reserve payment ecosystem.
Other ransom requests used credit vouchers for Vodafone airtime, Google Play, Amazon, and the now discontinued PayPal My Cash Card. However, these payment options appeared only once and in poorly designed ransomware with easily obtained unlock codes. Consequently, they were less likely to be paid. Moreover, these payments are easily traceable via the card issuers, since the payments must link to accounts with confirmed identities; however, the extent to which payment card issuers cooperate with trace requests is unknown.
Nonetheless, prepaid vouchers represent an ongoing risk should low-value, spray-and-prey ransomware return to market. In the future, ransomware operators in this low-value space may improve payment compliance by threatening, as the ransomware operators of the Big Game Hunting and Ransom Bazaar eras have done, to expose personal data to encourage payment. Ransomware operators may also leverage low-value transactions outside the KYC requirements to request funds and then use money mules to aggregate these funds as a predicate step in their laundering and cashing out processes (Galdo et al., 2018; Moiseienko & Kraft, 2019).
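The laundering pattern sketched above, in which many voucher payments that each sit below the KYC waiver are funnelled into a single collection point, is detectable from the issuer’s or merchant’s redemption records. The following is an added example, not the paper’s own analysis: a small sliding-window detector that flags recipient accounts redeeming several anonymous-tier vouchers inside one time window whose combined value exceeds the cumulative waiver. The thresholds are parameters and default to the 5AMLD figures cited in the text (€50 per anonymous transaction, €150 waiver); the redemption log, account names and voucher brands are constructed.

```python
"""Detect sub-threshold voucher aggregation ("structuring") in redemption
records.  Added example; thresholds follow the 5AMLD figures the text cites
(EUR 50 per anonymous transaction, EUR 150 KYC waiver); records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PER_TX_ANON_LIMIT = 50      # EUR: largest single voucher redeemable without identification
KYC_WAIVER = 150            # EUR: cumulative value below which due diligence is waived
WINDOW = timedelta(hours=24)
MIN_COUNT = 3

# Constructed redemption log: (ISO timestamp, recipient account, voucher brand, amount EUR)
REDEMPTIONS = [
    ("2020-03-01T09:00:00", "mule-01", "paysafecard", 50),
    ("2020-03-01T09:20:00", "mule-01", "ukash", 50),
    ("2020-03-01T09:45:00", "mule-01", "paysafecard", 50),
    ("2020-03-01T10:10:00", "mule-01", "paysafecard", 50),
    ("2020-03-01T10:30:00", "mule-01", "ukash", 50),
    ("2020-03-01T11:05:00", "mule-01", "paysafecard", 50),
    ("2020-03-01T12:00:00", "shop-02", "paysafecard", 120),   # above the anonymous tier, KYC'd
    ("2020-03-05T12:00:00", "shop-02", "paysafecard", 120),
    ("2020-03-02T08:00:00", "mule-03", "paysafecard", 40),    # 3 x 40 = 120, under the waiver
    ("2020-03-02T08:30:00", "mule-03", "paysafecard", 40),
    ("2020-03-02T09:00:00", "mule-03", "paysafecard", 40),
    ("2020-03-01T08:00:00", "mule-04", "ukash", 50),          # 4 x 50 but days apart
    ("2020-03-03T08:00:00", "mule-04", "ukash", 50),
    ("2020-03-05T08:00:00", "mule-04", "ukash", 50),
    ("2020-03-07T08:00:00", "mule-04", "ukash", 50),
]


def find_structuring(records, per_tx_limit=PER_TX_ANON_LIMIT, waiver=KYC_WAIVER,
                     window=WINDOW, min_count=MIN_COUNT):
    """Return {account: {"count", "total", "start", "end", "brands"}} for every
    account that redeems >= min_count vouchers, each <= per_tx_limit, inside a
    single window, with combined value strictly above the waiver threshold.
    For each account the densest qualifying window (largest total) is reported."""
    by_acct = defaultdict(list)
    for ts, acct, brand, amt in records:
        if amt <= per_tx_limit:                      # only anonymous-tier redemptions count
            by_acct[acct].append((datetime.fromisoformat(ts), amt, brand))

    hits = {}
    for acct, items in by_acct.items():
        items.sort()
        best, start, total = None, 0, 0
        for end in range(len(items)):
            total += items[end][1]
            while items[end][0] - items[start][0] > window:   # shrink window from the left
                total -= items[start][1]
                start += 1
            count = end - start + 1
            if count >= min_count and total > waiver and (best is None or total > best["total"]):
                best = {"count": count, "total": total,
                        "start": items[start][0].isoformat(), "end": items[end][0].isoformat(),
                        "brands": sorted({b for _, _, b in items[start:end + 1]})}
        if best:
            hits[acct] = best
    return hits


if __name__ == "__main__":
    for acct, hit in find_structuring(REDEMPTIONS).items():
        print(acct, hit)
```

Only mule-01 is flagged: six anonymous-tier vouchers across two brands, totalling €300 in about two hours. shop-02 is excluded because its redemptions are above the anonymous tier and therefore already identified; mule-03 stays under the cumulative waiver; mule-04 spreads the same value over a week, which a 24-hour window does not catch, so the window length is the knob that trades false negatives against noise from legitimate repeat customers.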
Transactional Systems
In the Spray-and-Prey Era, some victims paid their ransoms using direct transfers even though there is little indication that such transfers were commonly requested. Nonetheless, several ransom requests demanded payment using legitimate payment systems. Some requests involved globally available systems, such as direct credit card payment (requested in Nagini and Ransoc in 2016) and the Perfect Money financial ecosystem (requested in Locker, 2014). Although these financial systems use KYC, the degree to which Perfect Money complies with KYC regulations is unknown; the platform remains commonly used in gray cybermarkets that sell bulletproof hosting (Moiseienko & Kraft, 2019). Direct credit card payments would be traceable to specific actors if reported; Ransoc’s operators attempted to deter their victims from reporting by informing them that the software had identified child sexual assault material on their computers.
Westerners often assume that ransomware and cyber-scams generally involve targeting of English speakers by Russian speakers under the protection of the Russian or Chinese State (Mandiant, 2017). Nevertheless, Russophones have been targeted, ostensibly by Russia-based, Russian speakers (Group-IB, 2018). Ransomware, targeting Russian-speaking victims, has used various mobile money transaction systems that operate primarily in Russia or Ukraine. These systems include Yandex.Money, Qiwi Payments, and Beeline phone monetary transfers. Ransom requests using these systems ask for modest sums of Russian rubles (₽), totaling between ₽5,000 and ₽10,000 (approximately US$70–US$140), perhaps reflecting victims’ lower abilities to pay.
Millions of Russians use e-payment systems, which operate as both anonymous and verified fiat e-wallets, and which are always linked to mobile phone numbers. Verified e-wallets, which can accommodate larger transactions, are also linked to bank cards. Anonymous e-wallets maintain modest maximum balances and spending caps. In response to these measures, to move large values, cybercriminals have aggregated thousands of e-wallets (Persianinov, 2017). While these cases apply only to the Russian-speaking context, they demonstrate the capacity of criminal entrepreneurs to use mobile money, a payment mechanism that is quickly growing as the world abandons cash transactions (Aron, 2017; Pasti, 2019; Zhdanova et al., 2014), to ransom victims and transfer value.
Cryptocurrencies
Cryptocurrencies share two characteristics with cash: Transactions are instant, and high values can be transacted; some cryptocurrencies are also anonymous, though others overstate their anonymity. Nonetheless, ransomware operators have used cryptocurrency across all three eras, with about three-fourths (69.1%, n = 363) of all ransomware strains, where the payment method is known, requesting payment using cryptocurrency. Ransomware operators use these financial resources because the payments are irrevocable and are perceived as difficult (if not impossible) to trace (Samani et al., 2013). However, cryptocurrencies lack the liquidity of cash—requiring arduous protocols to transfer value via online wallets—lack a stable minimum value, and are not universally available or accepted, as several countries have banned their trade. Moreover, with only a couple of localized exceptions in El Salvador and the Central African Republic, cryptocurrencies are not legal tender, and exchanges that facilitate their trade have come under additional scrutiny and regulation in the latter part of the 2010s and 2020s (Cole & Gundur, 2024).
By far, most strains within our sample that request cryptocurrency demand Bitcoin (65.1%, n = 342). Bitcoin is pseudonymous, and, although there is sufficient publicly available information to trace the currency across the blockchain, some cybercriminals have developed methods to increase uncertainty in these forensic and investigative processes (CipherTrace, 2019). Bitcoin, however, as the cryptocurrency with the largest market capitalization, has one key advantage over other cryptocurrencies: relative to all other cryptocurrencies, Bitcoin is more universally accepted and easier to acquire and transact. Nonetheless, questions remain as to how difficult it is to anonymize Bitcoin transactions and to cash out Bitcoin to pay for everyday and high-value items (Reid & Harrigan, 2013; Reynolds & Irwin, 2017).
Despite being banned in several countries, cryptocurrencies are increasingly accepted in others, with cryptocurrencies increasingly being linked to the fiat economy via established payment mechanisms, such as MasterCard, and with the introduction and expansion of online trading platforms, like Coinbase (Kazerani et al., 2017) and Binance (Song et al., 2019), that permit the free exchange of cryptocurrencies for fiat currencies. Moreover, the volatility of cryptocurrencies may make it plausible to cash out significant amounts with little accounting of the cryptocurrency’s origin, despite improved KYC regulation vis-à-vis cryptocurrency exchanges (The Law Library of Congress, 2018). So long as investigative efforts are actually, or are perceived to be, underfunded, the impact of any regulation will likely be limited. While the defunct cryptocurrency exchange BTC-e was associated with a high proportion of illicit Bitcoin cash-out until its demise in 2017 (Hu et al., 2019), recent cash-out efforts may leverage stolen identities to create shell accounts through which cybercriminals move the Bitcoin proceeds of their cybercrimes through Binance and Huobi, two well-known cryptocurrency exchanges (Cimpanu, 2021). The degree to which law enforcement agencies chase these cash-outs is unknown; successful cases may be well publicized as indicators of agency accomplishment and distort the underlying risks for offenders (Cimpanu, 2020; McMillan & Metz, 2013). We also do not know what offenders perceive the risks to be, which is relevant to both deterrence and prevention.
As noted, during the Big Game Hunting Era, ransomware strains requested payment in Dash (GandCrab) and Monero (Sodinokibi/REvil), which are more privacy-focused cryptocurrencies. Meanwhile, Sodinokibi/REvil has continued to ransom with Monero, though it has reserves in Bitcoin and has used those reserves to expand its network of Russian-speaking cybercriminal affiliates (Chandler, 2020). A switch to more privacy-focused cryptocurrencies accords with the desire to replicate the privacy of cash. However, the capacity to immediately use cryptocurrency proceeds of ransomware extortions to purchase further goods is, in theory, limited—even though little is known regarding the current efficacy of regulation enforcement.
Cryptocurrency investigations face several challenges. These include whether the police, who often lack the capacity or judge such cases as cost-ineffective or beyond their capabilities, will investigate such crimes (Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services, 2019); whether overall technical capacity can detect regulatory compliance cheaters; and whether regulation can stay ahead of criminal innovation and therefore provide a legal mandate to act. Although government focus on cyber threats to national security is high, ransomware often fails to meet the threshold necessary to be considered a threat to national security. And, although investigable by the National Crime Agency and by local police forces in the UK and their counterparts throughout Europe, the US, and Australia, cybercriminals operating outside a country’s jurisdiction may present jurisdictional obstacles to extradition, asset freezing, or confiscation even when reasonably good attribution exists. Examples include fraudsters Ruja Ignatova, of OneCoin, and Zhimin Qian, who ran a Ponzi scheme in China that netted US$9 billion; both held the proceeds of their crimes in Bitcoin. Others include Yaroslav Vasinskyi and Yevgeniy Polyanin, who were identified as responsible parties behind the Kaseya ransomware attack.
The international business and political “communities” are divided over how to deal with cryptocurrencies—whether by prohibition, regulation, or toleration. The Ransom Bazaar Era appears to be taking advantage of this inconsistent response as ransomware operators seek to negotiate with victims and circumvent expert advice or legal restrictions to ensure that victims comply with payment.
As a result of the persistence of ransomware and its use of cryptocurrency for payment, the global anti-money laundering standard setter, the Financial Action Task Force (FATF), has displayed growing concern about cryptocurrencies (FATF, 2023). However, the assessment of cryptocurrency and related risks is not a major feature of the National Risk Assessments FATF mandates (Ferwerda & Reuter, 2019) or of the previous (fourth) round of national Mutual Evaluation Reports on most countries around the world (FATF, 2020; Levi, 2020; Pavlidis, 2020; Poskriakov et al., 2022). Although FATF and international financial institutions, such as the International Monetary Fund (IMF) and World Bank, are encouraging global action to address illicit finance risks in virtual finance, the rapid changes in the threat landscape may make it challenging to consistently and accurately assess and integrate cryptocurrency issues into FATF’s (2025) Mutual Evaluation Reports.
Discussion: The Evolution of the Business of Ransomware
Our analyses indicate that the financialization of cryptocurrency has created enabling conditions that make cryptocurrency-based extortion easy to monetize and, in many cases, remain profitable. Accordingly, ransomware operators continually develop and refine adaptive mechanisms to secure economic benefits while simultaneously minimizing their exposure to detection and legal consequences. Ransomware operators achieved these goals, initially, through technical advancement; now, they achieve these goals by commercializing the victim experience and by providing bespoke support to victims in an effort to secure payment. This process of commercialization, therefore, emerges both as an economic choice and a fundamental survival strategy integral to ransomware’s operational longevity and growth. Consequently, the commercialization of the ransomware business can be conceptualized as an adaptive theoretical framework that explains how cybercriminals strategically innovate financial methods in response to an increasingly restrictive cybersecurity environment.
Originally, ransomware strategies employed straightforward yet varied payment mechanisms, such as prepaid vouchers and direct financial transfers, which quickly extracted relatively small sums from numerous victims. Termed the Spray-and-Prey Era, this period was characterized by its transactional simplicity. However, as defensive technologies strengthened and law enforcement intensified its regulatory responses, ransomware operators increasingly professionalized and adapted their financial strategies.
This evolution resulted in the subsequent Big Game Hunting Era, beginning around mid-2018, characterized by highly professionalized attacks on lucrative corporate and governmental entities capable of paying substantial ransoms. Cybercriminals pivoted to sophisticated payment methods, notably cryptocurrencies, like Bitcoin, and privacy-enhanced alternatives, such as Monero, to enhance transaction privacy and reduce traceability. Ransomware operators adapted their strategic responses to external pressures, embedding their criminal activities within advanced financial ecosystems, thereby ensuring ongoing profitability and operational sustainability.
This professionalization is also visible in the language of ransom demands. As attacks became more corporate-facing and negotiation-heavy, English increasingly functioned as a tool for reach and as part of the strategy for compelling organizational compliance. The growing dominance of English in ransom notes is not about reaching more victims. In large, high-value corporate attacks, language is part of the pressure strategy. Using English makes the demand look legitimate and “professional.” These characteristics matter when organizations have to explain their decisions internally and externally to insurers, lawyers, and incident-response firms. English is also the common language used in global corporate governance and cross-border compliance, as well as the professional services that now sit inside many ransomware incidents.
As ransomware has become more negotiation-focused and service-like, offenders increasingly use English to imitate the routines of ordinary business. Notes and portals often read like a formal process, with deadlines, “terms,” steps for proving decryption, and promises about system restoration. This framing makes payment look like a manageable administrative transaction rather than an admission of defeat. Thus, English dominance reflects not only who is being targeted (multinationals and English-facing firms), but also how offenders secure organizational compliance by speaking the institutional language through which risk, loss, and recovery decisions are made.
The most recent shift toward an adaptive, negotiation-heavy Ransom Bazaar Era reflects a downstream effect of situational crime prevention efforts (SCP), which alters the opportunity structure of ransomware. Instead of changing ransomware operator dispositions, SCP changes immediate conditions, such as raising effort, increasing risks, and reducing rewards. We speculate that, across the last decade, widespread target hardening and cyber hygiene measures have progressively eroded the expected value of the classic “encrypt-and-pay” model; consequently, ransomware operators are forced to recover revenue through bargaining scripts, multiple payment options, and auxiliary pressure, such as double- and triple-extortion, data exfiltration, and reputational damage threats.
Increasing effort measures likely made initial compromise and reliable encryption difficult. Endpoint controls, application allowlisting (that allows only approved processes, files, and applications to run), MFA on remote access, macro-blocking by default, and segmented networks increase the work required for ransomware operators to breach a system and obtain domain-wide impact. The move from Spray-and-Prey to Big Game Hunting reflects this trend: Mass spam gives way to intrusion-led attacks against organizations with the highest observable payoff relative to effort.
Expanding risk has changed the calculus around cashing out the proceeds of ransomware extortion. Exchanges are increasingly required to engage in KYC and abide by AML regulations. Plus, blockchain tracing, mixer takedowns, leak-site seizures, and coordinated incident-response reporting make one-shot, high-value payments more conspicuous. In turn, actors hedge by offering multiple payment options (BTC with privacy guidance, Monero for deniability, and, more recently, stablecoins such as Tether to avoid volatility and settlement friction). Although Bitcoin remains dominant as the primary payment option, our data show a diversification in the payment options offered to victims, which indicates ransomware operators’ perceived risk or difficulty in cashing out.
Reducing rewards could also be important in curbing ransomware. The steady adoption of defensive measures, like offline backups, faster restoration processes, and cyber-insurance conditions that require such defensive measures, directly undercuts the profitability of encryption-only attacks. Ransomware operators adapt with double extortion (data theft plus leaks) and triple extortion (pressuring clients/suppliers or threatening DDoS) to re-create leverage where restoration would otherwise neutralize the ransom. Negotiation becomes core business logic: initial demands are high, but price discovery happens in chat portals with proof-of-decryption, deadline resets, “discounts,” and installment plans—techniques that aim to generate some payment rather than a total loss.
Finally, removing excuses and reducing provocations are important at times of emergency and urgency. Clear organizational policies, user training, and tabletop rehearsals reduce panic and encourage report-first responses and consistent refusal policies when feasible. Ransomware operators counter by personalizing pressure, such as naming executives, threatening corporate, organizational and/or individual reputational harm, and offering “helpdesk”-style support, to re-introduce urgency and moral cover for paying (“It’s cheaper for everyone if you cooperate.”).
Through these SCP gains, ransomware operators acquire market discipline. When effort and risk increase and expected rewards decrease, revenue is salvaged through functional displacement from pure encryption to data-centric coercion; tactical adaptation toward negotiation and price discrimination; and payment diversification (multiple payment option menus that reduce cash-out frictions). These features make the current period look like a bazaar: Ransomware operators no longer rely on a single coercive lever or a single payment option; they assemble a bundle that maximizes not only the probability of success but also the size of payment under more hostile conditions.
This continuous adaptation underscores an iterative relationship between cybercriminal innovation and regulatory countermeasures. Commercialization, thus, represents a dynamic cycle in which ransomware perpetrators systematically adapt their practices to market conditions in order to circumvent detection and financial interdiction. Consequently, effective policy responses should explicitly focus on disrupting these adaptive financial strategies, while enhancing international cooperation, creating regulatory frameworks around cryptocurrency use, and improving investigative capabilities that effectively counteract ransomware actors’ financial adaptations.
To summarize, understanding the evolution of ransomware as a market-driven process of commercialization identifies five interconnected elements that explain ransomware’s adaptive evolution. First, ransomware operations exhibit continuous adaptation that strategically develops technical and communications methods over time to maximize profitability while minimizing exposure to detection and regulatory interdiction. Second, the framework recognizes distinct evolutionary phases; what began with widespread, indiscriminate attacks, that used accessible financial mechanisms, transitioned into highly targeted operations aimed at extracting large ransoms from lucrative targets through cryptocurrencies and privacy-centric transaction systems. Third, these financial strategies reflect ransomware’s embeddedness within broader economic infrastructures that leverage mainstream financial tools for criminal purposes. Fourth, a cyclical and dynamic interaction emerges, wherein ransomware operators continuously adjust their financial methods in response to advancements in cybersecurity, evolving regulatory environments and law enforcement strategies. Finally, policy implications arise directly from understanding this adaptation, highlighting the necessity of international cooperation, targeted cryptocurrency regulation, and enhanced investigative capabilities, which can disrupt ransomware commercialization effectively.
Adapting to Survive: The Future of the Ransomware Business
The analysis presented emphasizes that ransomware operates within a criminogenic, digital environment, characterized by continuous adaptation against a backdrop of the financialization of cryptocurrency and increasing defensive cybersecurity measures. The ongoing refinement and sophistication of financial methods represent strategic responses to restrictive, external pressures. Cybercriminals embed their activities within sophisticated financial ecosystems, which benefit from innovations such as cryptocurrency adoption and RaaS models. These adaptations allow ransomware networks to sustain and expand their operations by continually innovating in response to evolving defensive technologies and regulations.
The adaptive strategies canvassed in this article demonstrate that ransomware operators address shifts in their own risk landscape to operate a successful illicit business without capture or attribution. In ransomware, commercialization manifests when the primary innovation responds not to technical escalation (stronger encryption, novel exploits) but to market dynamics. Thus, ransomware groups now behave less like ad-hoc hacking crews and more like shadow FinTechs that treat illicit encryption as a revenue-generating asset class that has appreciated exponentially in value with the democratization and financialization of cryptocurrency (Wheat & Eckerd, 2022). Viewed through this lens, ransomware squarely intersects with—and extends—scholarship on the “criminalization of finance” (Levi & Smith, 2011; Naylor, 2003).
The high value of ransoms paid and sustained ransoms captured indicate that ransomware operators have significant reserves of capital. Nonetheless, although cashout may not be impossible, it may be an ongoing inconvenience as improved compliance with regulatory efforts may make cashout more difficult in some cases. Notably, cybercriminal groups exploit the lack of regulatory harmonization to sustain their cashout efforts (Park, 2021).
The financialization of cryptocurrency, however, not only sustains the viability of ransomware (even if success rates of paid extortions drop), but also may provide opportunities to ransomware operators and other cybercriminals who have accrued cryptocurrency to pivot to illicit finance. While immediate capacity to cashout may be attractive to criminal actors, those with significant fortunes may not need to liquidate their funds quickly.
Although no evidence is available to explain the financial behaviors of cybercriminals, Berry et al. (2023) show how illicit businesspeople in the analogue world reinvest the proceeds of their crimes in less risky enterprises, often using cash infusions that go unexamined by any authorities to initialize a new business. Groups with significant cryptocurrency reserves could, ostensibly, enter the business of crypto financing, leveraging their knowledge or market incongruence to create businesses in low-oversight jurisdictions. While this strategy represents a medium- to long-term undertaking, the millions in stolen currency may never be expendable in one process; transitioning to gray-zone or even licit finance could be a long-term wealth-creating strategy. This pivot would be in line with the primary behaviors observed within our final era, the Ransom Bazaar, where ransomware operators fundamentally seek profit maximization in response to market dynamics.
Another issue at play is the role of volatility in cryptocurrency markets. From a historic peak in October 2025 through February 2026, cryptocurrencies as a whole experienced a sharp decline in value, with the market cap decreasing by US$2 trillion. Most cryptocurrencies in February 2026 were down on a year-on-year basis, with losses starting to be noticeable in August 2025 and increasing by December 2025. It is not possible to determine who is selling off their crypto holdings, nor is it possible to determine what percentage of cryptocurrency sold was acquired illegally, such as through ransomware extortions and whether this behavior indicates profit taking by long-term cryptocurrency holders. Regardless, the increase in trading and players in cryptocurrency markets likely makes it easier for criminal actors to cash out; criminal actors can transact large volumes of notable cryptocurrencies, such as Bitcoin, Ethereum, Dash, and Monero, without drawing significant attention to themselves (Gundur et al., 2021).
Nevertheless, these findings and the theorization developed from them are only as effective as the data available, a significant limitation due to the proprietary nature of most ransomware data. Pertinent information about ransomware attacks is often held by private entities unwilling to publicly disclose their victimization, fearing reputational harm or exposure of vulnerabilities. Without systematic and reliable access to such data, research and intervention strategies remain limited. Moreover, many ransomware attacks occur across national borders, presenting additional jurisdictional barriers to comprehensive data collection and analysis. Despite regulatory encouragement in jurisdictions like the US and UK, currently, no central repository of ransomware crime data exists, to adequately test and refine theoretical models and interventions.
Addressing these challenges, Topalli and Nikolovska (2020) propose a brokered arrangement for sharing data among government enforcement agencies, victimized private companies, and academic research institutions. Under this arrangement, data would be confidentially collected, anonymized, and systematically analyzed, facilitating enhanced understanding and proactive intervention. Such brokered data-sharing arrangements could be coordinated through international entities, like Interpol, under the auspices of the United Nations Interregional Crime and Justice Research Institute, involving both governmental agencies and private sector stakeholders.
Targeted Policy Interventions for Payment Mechanisms
As ransomware payment systems become more finance-like, policy is likely to be more effective when it targets the specific chokepoints that make payment and cash-out reliable, rather than relying mainly on general calls for coordination or better regulation. One chokepoint is the growing use of stablecoins, which can reduce price risk and simplify settlement; stablecoins make compliance and monitoring at crypto on/off-ramps and conversion services especially important. Strengthening customer due diligence, suspicious-transaction monitoring, and rapid reporting obligations for services that facilitate fiat–crypto conversion and stablecoin acquisition would increase friction at the moment victims are pressured to obtain the demanded asset.
Another chokepoint is the negotiation and payment-portal infrastructure that standardizes bargaining, deadlines, and proof-of-decryption; this infrastructure effectively acts as the “service layer” of ransomware. Focusing enforcement on negotiation portals that appear repeatedly through coordinated takedowns and monitoring for re-use of the same hosting or portal patterns can disrupt the systems that make high-value extortion efficient and repeatable.
A third chokepoint is the role of insurers and professional intermediaries in incident response and payment facilitation. To improve investigative visibility, one option is to require timely reporting of high-value ransom-payment decisions (e.g., above a specified monetary threshold), to document negotiation and payment workflows, and to condition reimbursement on minimum due diligence checks and auditable transfer records. Finally, measures that constrain obfuscation and cash-out services, including enforcement actions and sanctions where legally available, can raise the costs of converting ransom proceeds into usable funds. Complementary “pull” policies that incentivize rapid restoration and resilience investments (rather than payment) can further reduce victims’ perceived need to comply.
In conclusion, our analysis frames the financialization of cryptocurrency as a key enabling condition that has shaped the commercial evolution of ransomware, while ransomware commercialization emerges as an adaptive strategy through which operators remain viable in an increasingly constrained cybersecurity environment. Effective disruption of ransomware cybercrime, thus, necessitates comprehensive international cooperation, targeted cryptocurrency regulation, and robust investigative frameworks, combined with systematic and cooperative data-sharing practices among relevant stakeholders.
Acknowledgements
The authors thank Isobel Scavetta for editorial support and the two anonymous reviewers for their helpful comments.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This paper was funded, in part, by a grant by the UK Home Office.
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.