How centralized is the ransomware industry -- and why does it matter?

Trent Fowler
May 25, 2022

Elementus recently released a blockbuster ransomware report on the ransomware industry, which contained many new insights about how it's structured, its mechanics, and how its players operate.

Although it’s well-known that the size of the targets and the payouts to ransomware groups have been steadily growing, this report breaks new ground in detecting more than $1 billion dollars in ransom paid in 2021, the most uncovered for a single year:

What’s more, the report also reveals new details about the connection between Russia and ransomware – the majority of ransomware groups today are from Russia – and documents how they are becoming increasingly adept at hiding their tracks; are willing to taint the broader crypto ecosystem including legitimate exchanges in their hunt for cash-out points; are becoming bolder every day in the size and scope of their targets, moving from individuals and small businesses to national infrastructure and national governments.

One of the more intriguing insights to have come from our investigations is the fact that the ransomware space is likely controlled by a relatively small number of teams that are responsible for creating and maintaining multiple strains.

This is not a trivial realization. When looking at a wide variety of different strains executing attacks multiple times a year, it could be that each ransomware strain is the product of a unique criminal group, or it could be that many strains are coming from a common source. Either scenarios is possible.

How did we untangle this situation to discover that the industry is concentrated around a few key players?

The Ransomware Market is Highly Centralized

We can start by simply noticing that the lion’s share of ransomware payments are going to a small number of strains:

This chart displays payments received for 2020 (black bar) and payments received for 2021 (orange bar), with the strains being ranked in descending order based on payments received for 2021.

Of the roughly $1 billion raked in by ransomware strains in 2021, a quarter ($250 million) went to the most prolific ransomware strain, Conti. If we eyeball the chart and look at the top 4 strains, that percentage rises to almost half.

This is clear and compelling evidence that there’s a high degree of concentration in this market, but a closer examination of the data reveals that there might be even more concentration than there initially appears to be.

Family Ties

There are two basic lines of evidence for the concentrated market hypothesis. The first is fairly straightforward: using the Elementus platform we can actually see networks of fund transfers in which a single entity acts as a common repository for crypto stolen by several other ransomware strains.

That’s precisely what’s happening here in Elementus Pulse™; the hacker group Wizardspider (represented by the red node at the top) is receiving funds from numerous wallets controlled by two ransomware groups, Conti and Ryuk (represented by gray nodes throughout the rest of the image):

The second line of evidence for this industry concentration is the sudden and precipitous drop in payments received by certain strains between 2020 and 2021. For example, in the second chart above we observe the payments received by Egregor decline from $170 million to $40 million over the two years.

As a point of comparison, a decline this sharp would be equivalent to a big American company moving from massive prosperity to near obscurity in a matter of months. In the case of these ransomware “strains,” as they are often called, the best explanation is that there is a single entity behind multiple strains that quickly evolves into a new variant, much like biological viruses tend to do, causing the old one to simply disappear. The idea of rapidly evolving and increasingly destructive ransomware strains was the motivation for our ransomware report comparing this situation to a pandemic.


Though the power, reach, and concentration of these ransomware families is troubling, it could also represent a serious opportunity for law enforcement to track and prevent future attacks, as well as to recover some of the billions of dollars of stolen funds.

If the space has fewer masterminds, in other words, countermeasures that target only the most prominent ones might be enough to mitigate the threat it poses.

For additional analysis and specific recommendations for how to mitigate the rising ransomware pandemic, be sure to check out the full report.

Contact us at for a demo of our platform.

About Elementus

Elementus is a best-in-class blockchain analytics platform that detects a wide variety of bad actors on-chain. We are building the Who’s Who of bad actors on the blockchain, enabling legitimate entities in the space to avoid exposure to ransomware funds, solve complex crypto crimes, and remain in compliance.

Powered by SourceFlow™, EntityIndex™, and patent-pending Intelligent Network Expansion™ technology, the Elementus platform automatically examines large structures of on-chain activity to rapidly detect risks that are otherwise impossible to see.

We trace the movement of crypto in an automated fashion, achieving in seconds what previously took days or weeks of manual analysis and making blockchain data more transparent than it has ever been.

Elementus is based in New York City. The CEO and founder is Max Galka.

Follow the crypto — with Elementus.

For more information, please visit
Our email is