Report: Ransomware groups show preference for Monero, charge more for Bitcoin ransom

Ransomware attackers prefer to receive their ransom payment in a popular privacy token, Monero (XMR), due to its ability to obfuscate sending and receiving wallets, according to a report by blockchain analytics firm, CipherTrace.

In the report titled Current Trends in Ransomware, the analytics firm highlighted the observable trends in ransomware attacks between 2020 and 2021. According to the firm, there was notable growth in “double extortion attacks” within the said time frame.

A double extortion attack occurs in a situation where the hacker not only steals his victims’ sensitive data but also encrypts it. This forces the victim to pay a ransom to access the data even as the malicious actor may still have a copy.

Premium on Bitcoin for Ransomware 

The report said most ransomware attackers receive their payment in Monero, while those who accept other digital assets like Bitcoin usually add 10% to 20% premiums.

“Higher prices for BTC are most likely seen by the ransomware actors as a premium for dealing with the increased risk in using an easily traceable cryptocurrency like BTC.”

The report added that at least 22 of the more than 50 ransomware groups accept only Monero. An example is the Everest Group, a Russian-speaking ransomware group that claimed it hacked the US government last year and is “currently trying to sell the data for $500,000 worth of XMR.”

Another Russia-based REvil ransomware group that was dismantled earlier this year also switched from receiving payments in BTC to XMR in 2020.

However, some groups still accept payments in both Monero and BTC. The DarkSide group, which hacked Colonial Pipeline in May 2021, requested ransom in BTC or XMR.

Monero is planning a hard fork.

The Monero community believes the coin’s privacy feature provides its users with utopian financial freedom; several crypto exchanges have been forced to delist these privacy coins because of their widespread use by malicious actors.

However, the de-listing is not a deterrent to the project developers who are planning a hard fork in July, which would increase its chain ring size from 11 to 16. 

This move would help increase anonymity by making it harder to reverse engineer transactions. The hard fork also intends to add view tags to output, implement fee changes, and introduce bulletproof.