
Ransomware: Paying Cyber Extortion Demands in Cryptocurrency


One of the most common and serious cyber attacks involves ransomware, in which a threat actor locks an organisation’s data with encryption until a ransom demand is met. These attacks are increasing not only in number, but also in severity. In the first half of 2020, average ransomware payments increased by 60%, with bitcoin used for most payments.

Bitcoin accounts for approximately 98% of ransomware payments. Whether an organisation pays the ransom or attempts to recover the data independently, a clear understanding of bitcoin is essential for cyber incident response planning.

Why Bitcoin?

Anonymity. Speed. Access.

Bitcoin, like other cryptocurrencies, allows cybercriminals to receive funds with a high degree of anonymity, making transactions difficult to track. Bitcoin gained notoriety as the common currency of the Dark Web, where it remains popular. It is seen as the essential cryptocurrency: it is easy to acquire and use, which leads threat actors to believe victims will be more likely to pay.

Occasionally, cyber threat actors demand other cryptocurrencies, such as Monero and Zcash. These have additional privacy features that make tracking payees more difficult, but are the exceptions to the rule.

How Payment Works

Organisations should be aware that arranging a cryptocurrency payment may take more time than expected. It is advisable to have payment arrangements pre-established in your cyber incident response plan, as prior arrangements can expedite recovery. Before doing so, you should consult with your legal counsel to comply with OFAC or other regulatory guidance relating to ransomware payments. If a ransomware payment is permissible, your external counsel or forensic analysis service provider may be able to serve as an intermediary in acquiring bitcoin.

A cryptocurrency transaction consists of a payer sending funds to a payee, with both parties identified only by an account number, or address. To purchase and send bitcoin, you need to set up a bitcoin wallet and use a cryptocurrency exchange to complete the transaction. Alternatively, you can use a bitcoin ATM.

While bitcoin operates on a public blockchain that allows anyone to see all bitcoin transactions, there is no direct way to determine the account owner.

Can Cyber Criminals be Traced?

Law enforcement, private sector companies, and service providers have teamed up to develop approaches to trace bitcoin transactions. These approaches combine multiple data sources (including social media activity) and analytics to identify transaction patterns that sometimes make it possible to determine individual identities.

Cyber criminals, however, use obfuscation techniques to increase anonymity and avoid detection. One common approach is “mixing,” in which a service provider mixes the funds of different users to break the traceable trail of transactions, making it unlikely that the criminals will be caught.

What Can You Do?

With ransomware attacks increasing, organisations need to be prepared well in advance. Effective data backups are critical. And it’s important to update your incident response plans to account specifically for ransomware.

To learn more about what organisations can do before, during, and after a ransomware attack, see Ransomware: Remove Response Paralysis with a Comprehensive Incident Response Plan.
