BTC 1.29%
ETH 1.03%
SOL 3.19%
PEPE 1.51%
SHIB 2.89%
BNB 0.63%
DOGE 7.58%
XRP 3.98%
Pepe Unchained ($PEPU)
The Hottest Presale

The Most Popular Cryptocurrencies In Ransomware Attacks

Alex Lielacher
Last updated: | 5 min read

Ransomware attacks are on the rise and bitcoin is often blamed to be a popular payment system for hackers who engage in this criminal activity due to its pseudo-anonymous nature. However, recent attacks have shown that other decentralized digital currencies are increasingly being used in ransomware attacks.

Source: iStock/Zephyr18

Perpetrators of ransomware favor the use of cryptocurrencies because decentralized digital currencies offer certain advantages in comparison to fiat currency. While there are a large number of cryptocurrencies currently in circulation, there is a small subset that is more commonly demanded as a ransomware payment method by cybercriminals.


In the early days of bitcoin, it was a common payment method on a number of dark web websites. As a result, it was introduced to a wide array of undesirable characters who would recognize the opportunity that the digital currency presented due to its pseudo-anonymity.

This shadowy association led to a number of ransomware attackers demanding a payout in exchange for decryption of locked files in bitcoin. Moreover, due to the fact that bitcoin is the oldest and most popular cryptocurrency, cybercriminals are drawn to demand ransoms through it as they know it is easier to access bitcoin for their victims, which increases the likelihood of receiving a payment.

Probably the largest ransomware attack involving bitcoin was last year’s WannaCry attack. The WannaCry attack was first reported in May 2017. In a matter of weeks, the malicious software had spread to a substantial number of machines all over the world. The malware affected a wide berth of individuals as well as organizations. Most notable of these was the UK’s National Health Services, LG Electronics, and Deutsche Bahn, amongst others. The perpetrators demanded between USD 300 and USD 600 in bitcoin per computer. The WannaCry perpetrators ended up receiving bitcoin ransoms that reportedly amounted to around USD 241,000.

Another high profile example is the Not Petya malware that began to spread in June 2017. The software was highly sophisticated, spreading itself from device to device without the need for human execution as most malware does. The cybercriminals demanded USD 300 in bitcoin in order to restore access to files. The total amount that was received by the attackers reportedly was around USD 18,000.

Bitcoin Cash

The altcoin that was created as a result of a bitcoin hard fork in August 2017 is already being used by cybercriminals despite being in existence for less than a year. A ransomware known as Thanatos infected computers around the world. Once the malware has infiltrated the machine, it displays a popup demanding USD 200 to be paid in bitcoin cash.

This is the first ransomware that is demanding payments in the digital currency. Thanatos, however, also accepts payments in Bitcoin and Ethereum.


While bitcoin is the best-known cryptocurrency, cybercriminals are moving increasingly towards the privacy-centric coin Monero. Monero is being heavily utilized on dark web marketplaces and is also becoming a new payment method of choice for ransomware demands because of its privacy features.

Kirk ransomware is a malware whose orchestrators demand USD 1,100 in Monero in order to decrypt files. This malware is unique as it is not possible to decrypt the files in any other way but to receive the key from the attackers.


Ethereum is the second largest cryptocurrency by market capitalization and as its popularity and value continues to grow, cybercriminals are looking cash in on the action by demanding payments in the digital currency.

A new type of malware known as the HC7 Planetary Ransomware is currently making the rounds. The software gains access to a computer and spreads to any other machines on the network.

In the event that only one computer is infected, the attackers are demanding USD 700. However, if a number of machines are infected within a network, the cybercriminals are demanding USD 5,000 to reinstate access to all the computers affected therein.

Other cryptocurrencies of note within the ransomware space are Verge and Dash. These cryptocurrencies also have privacy features that are attractive to criminals looking to avoid detection and subsequent conviction.

While cryptocurrencies are being used by cybercriminals, it is important to recognize that all innovative payment methods were used by perpetrators, especially in their early stages. It is likely a matter of time before protocols are implemented to track the criminals down, as is the case with transactions on the Bitcoin blockchain now.


What is Ransomware and How Does it Work?

Ransomware is a type of malware that is designed to infiltrate a computer or a network of machines and deny its owners access to the files contained within. The malicious software makes it near to impossible for victims to use their files because once infected, all files are encrypted.

When trying to access the files, owners of the infected computer typically see a message demanding a certain amount of money in order to decrypt the file and restore access to the user. The perpetrators of this cybercrime aim to capitalize on people’s dependence on their computers, especially for those in a professional environment.

Ransomware attacks are not a recent invention as the first instance of such an exploit is recorded as early as 1989. At the time, the criminals would use low tech methods to receive funds from their victims. Sending money through to a postal box through snail mail as well as calling international numbers, where the criminals would profit from the tariff charged, were the most common. However, as the software became more complex and sophisticated, so did the payment methods.

A recent report titled the ‘Internet Organised Crime Threat Assessment (IOCTA) 2017’ explained the prevalence of ransomware attacks: “Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen following the emergence of self-propagating ‘ransomworms’.”

It is becoming evident that ransomware is the new route through which criminals are looking to take advantage of the public, overtaking other forms of malicious software. Interpol explains: “Moreover, while information-stealing malware such as banking Trojans remain a key threat, they often have a limited target profile. Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.”