Ransomware in the Digital Age: Multidisciplinary Legal Strategies for Minimizing Cryptocurrency Ransom Payments

Table of Contents

Executive Summary


2. Regulatory Ambiguities
3. The Role Of Lawyers In Ransomware Attacks
4. Solutions

Executive Summary

The year 2023 witnessed an unprecedented escalation in ransomware attacks, affecting users from homeowners to critical infrastructure like healthcare, education, and government. With over 5,200 reported incidents, a 74% increase from the previous year, ransomware has intensified not only in frequency but also in sophistication and financial demands, with total payments exceeding $1 billion. This surge highlights the value of data and the increasing likelihood that victims will pay ransoms, often facilitated by cryptocurrencies like Bitcoin. Cryptocurrencies have played a pervasive role in the rise in ransomware attacks due to their anonymity and ability to facilitate cross-border payments. However, using cryptocurrencies to make ransom payments poses complex challenges due to their high transaction costs and regulatory ambiguities that complicate compliance efforts. The pervasive role of cryptocurrencies in ransomware attacks underscores the necessity for multi-disciplinary legal professionals who are capable of utilizing blockchain analytic tools, financial hedging techniques, and general knowledge of the evolving cryptocurrency space. Instituting safe harbor provisions would also ensure that victims do not face the threat of prosecution after making ransom payments.


In the digital age, ransomware has emerged as one of the most pervasive and damaging forms of cyberattacks, affecting users of all types, from homeowners, businesses of all sizes, healthcare institutions, educational establishments, government agencies, and critical infrastructure. Last year marked a disturbing milestone in the evolution of ransomware attacks, with incidents and ransom payments reaching unprecedented levels. In 2023 alone, approximately 5,200 organizations reported ransomware attacks,[1] indicating a dramatic 74% increase compared to the previous year, and ransom payments surpassed $1 billion. This alarming trend is not just a reflection of the growing number of attacks. It also underscores the growing value of data and the willingness of victims to pay to regain access to it. Consequently, victims increasingly ask themselves, “How much will I pay?” rather than “Will I pay the attackers?” As a result, the challenge has been paying the lowest amount of ransom possible.

Since cryptocurrency payments have become the preferred mode of ransom payment, minimizing the amount that victims pay in ransom has come to include managing the risks associated with making payments in cryptocurrencies. This includes high transaction costs associated with making payments on a congested blockchain and premiums tacked on by attackers for making payments in different cryptocurrencies and purchasing cryptocurrencies. Regulatory ambiguity further complicates these decisions.

Combating these challenges will require lawyers to adopt a multidisciplinary approach that combines legal acumen, technological competence, and financial knowledge. Blockchain analysis tools, financial hedging techniques, and a basic understanding of the current cryptocurrency landscape are essential tools that help victims pay the lowest cost when transferring ransom to the attackers. However, regulatory clarity is required to ensure victims can remain compliant.

a)    Overview of Ransomware Attacks

Ransomware attacks are “a class of malicious software that, when installed on a computer, prevents a user from accessing the device- usually through unbreakable encryption- until a ransom is paid to the attacker.”[2] Bad actors do not profit from the resale of stolen data in black markets “but from the value that victims ascribe to that data and their willingness to pay to regain access to it.”[3] In recent years, while there has been astronomical growth in the number of new participants (around 538 new ransomware variants in 2023), the persistent theme has been a shift towards a strategy of “big game hunting.” Instead of profiting from a high volume of ransomware attacks, some groups, like Cl0p, carry out fewer attacks while collecting large payments with each attack. In fact, an increasing share of all ransomware payment volume is being made up of payments of one million dollars or more.[4]

Moreover, few organizations can refuse hackers’ demands for payment after a ransomware attack. In the United States, 71% of targeted companies paid the ransom.[5] The number of organizations that make ransom payments is considerably high because not paying the ransom may result in financial ruin. Another reason these numbers are so high is that ransomware attackers employ high-frequency strategies to attack more organizations or users but request smaller ransoms. Organizations subjected to these threats might pay attackers in an effort to make the problem go away. For these reasons, organizations faced with ransomware attacks have increasingly shifted their focus towards strategies aimed at reducing the total amount of ransom paid rather than avoiding ransom payments altogether.

b)    The Role of Cryptocurrency in Ransomware Attacks

Cryptocurrencies have featured heavily in the growth of ransomware attacks. Ransomware attackers often demand that victims pay their ransom in cryptocurrency for various reasons. First, many cryptocurrencies offer varying degrees of anonymity, making it harder to trace the transactions back to the attacks. This makes it difficult for law enforcement agencies to identify and prosecute the perpetrators. Second, cryptocurrencies can be transferred across borders quickly and effortlessly, allowing attackers to side-step traditional banking systems, which might block or report suspicious transactions. Thirdly, the decentralized nature of cryptocurrencies allows ransomware attackers to operate outside of regulatory reach and avoid the threat that government authorities might intercept or freeze the funds.

To maintain the benefits offered by cryptocurrency payments, ransomware attackers add premiums for payments made using easily traceable cryptocurrencies like Bitcoin (BTC). When receiving payment in Bitcoin from their victims, ransomware attackers must use a crypto exchange to convert it into fiat currency. An alternative approach is to launder the crypto they receive from victims through various crypto-native apps before eventually converting it to fiat currency. Ransomware attackers frequently use crypto exchanges that lack anti-money laundering (AML) controls or operate in high-risk jurisdictions. Such practices draw the attention of compliance officers at regulatory agencies, who are alerted to potential money laundering activity. However, since the Bitcoin blockchain is so transparent, simpler detection methods are possible. Anyone can use blockchain analysis tools like Chainalysis to track the attackers’ transactions.

For these reasons, ransomware attackers have preferred cryptocurrencies like Monero (XMR) for their privacy features. Monero is a “privacy-based cryptocurrency that uses a combination of technologies such as mixers, ring signatures, and stealth addresses that obfuscate sending and receiving wallets.”[6] However, because Monero’s privacy features make it difficult to trace transactions back to the attackers, Monero has been delisted by some exchanges in countries such as the United Kingdom and Japan, making it inaccessible as a payment form by victims in those countries.[7] Other victims may refuse to make payments in Monero regardless of the regulatory landscape in their countries.[8] To account for the added risks they are exposed to, attackers tack a 20% premium onto ransom paid by victims in Bitcoin. Therefore, the inability or unwillingness of victims to pay ransom in a privacy-based cryptocurrency adds 20% to the cost of paying the ransom.[9]

The financial burden on victims only increases from there. Once a victim has agreed to pay a ransom in Bitcoin, they must absorb high transaction costs that fluctuate based on blockchain congestion. Transaction costs on the Bitcoin network, referred to as “miner’s fees,” can significantly affect the total amount victims pay in ransomware attacks. These fees are paid to miners for processing and securing transactions on the blockchain. Moreover, these fees are variable and fluctuate based on network congestion. During periods of high demand, fees increase as users compete to have their transactions processed quickly. In other words, a user effectively “bribes” the miners to move their transaction to the top of the priority list.

Attackers might also request that payment be made in multiple transactions through a tumbling service. A crypto tumbler is a tool that “jumbles up an amount of bitcoin in private pools before spitting them out to their intended recipients.”[10] A tumbler effectively works like a black box, making it difficult to figure out that person “A” sent an “X” number of bitcoins to person “B.” All that would be visible on the public ledger is that person “A” sent some bitcoins to a tumbler, as many others did, and that person “B” received some bitcoins from a tumbler just as many others did.[11]

When making multiple transactions, victims are exposed to fluctuations in transaction costs that might change between payments, increasing the total cost for the victim. Moreover, depending on the sensitivity of the data, choosing to wait out congestion to avoid paying higher transaction fees may not be an option. Attackers who have gained access to sensitive data may exercise more leverage and demand quick payments, pushing victims to pay higher costs to expedite processing, leaving victims with little wiggle room to avoid high transaction costs on a congested blockchain.

Victims are more likely to experience attacks and pay ransom during periods of high congestion on the blockchain network, even when they are not making payments in multiple transactions. A correlation exists between the health of the American economy, the price of Bitcoin, and the volume of ransomware attacks. In 2021, the S&P 500, a collection of the five hundred biggest U.S. companies, rose by nearly 27% but then corrected by nearly 20% in 2022, followed by a giant rally of 26% in 2023, taking the U.S. market to all-time highs. During the same period, the value of ransomware payments made surpassed $1 billion in 2023. This number is up from $567 million in 2022 and $983 million in 2021. The price of Bitcoin also experienced similar fluctuations during the same periods. In 2021, the price of Bitcoin reached all-time highs at $65,000, only to fall to a low of $18,000 in 2022 and then back up to around $25,000, a 161.19% increase from the lows.

The data above suggests that the state of the economy can indirectly affect the frequency of ransomware attacks. During periods of economic uptrends, attackers might perceive that companies in stronger financial positions will be more likely to pay a ransom. The data also suggests that there is a correlation between the price of Bitcoin and the S&P. This means that victims are likely to face an increased number of ransomware attacks during economic uptrends and will be forced to absorb higher transaction costs as the price of Bitcoin increases alongside the price of the S&P, leading to more congestion. Put differently, victims are more likely to suffer ransomware attacks and pay higher ransom fees when they are the most profitable.

2. Regulatory Ambiguities

Regulatory ambiguity complicates lawyers’ ability to advise their clients on making ransom payments using cryptocurrency while making it easy for attackers to receive payments through non-compliant exchanges. Under the current guidance, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has stated that at least some ransomware payments are illegal. In 2020, OFAC announced that “ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions” are illegal.[12] OFAC has also stated that a person subject to U.S. jurisdiction “may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”[13] The issue, however, is that it is not always clear to victims and their insurers whom they are paying ransom to or how OFAC’s statements will apply to their situation. This effectively means that, at times, victims pay ransom blindly, hoping that they did not accidentally transfer the ransom to a sanctioned group or jurisdiction.

In other instances, regulation has failed completely. For instance, cryptocurrency anti-money laundering (AML) and know-your-customer (KYC) regulations have been largely ineffective. Cryptocurrency AML “encompasses the laws, regulations, and practices designed to stop criminals from converting illegally obtained cryptocurrencies into fiat currencies.”[14] Cryptocurrency KYC refers to “the set of identity verification procedures required by law for virtual asset services (VASPs).”[15] Cryptocurrency KYC enables authorities to connect anonymous cryptocurrency addresses to real-world entities or individuals even though that address might not be connected to a crime. To comply with these requirements, cryptocurrency exchanges require customers to submit identification to access their platform. The list of clients and their identification information is then made available to authorities when needed.

The problem is that it is easy to sidestep these requirements for a number of reasons. First, KYC and AML requirements are jurisdiction-specific, so users can get around these requirements by changing their IP address through a VPN. Second, KYC and AML requirements cannot keep up with the speed at which crypto exchanges pop up. It is relatively easy to create a crypto exchange because most source code is open-source and easily accessible. The general gambling nature of the cryptocurrency space means that platform owners can add new users for little to no cost if they can offer marginal improvements over their competitors.

Given the ineffectiveness of KYC and AML requirements, ransomware attackers are not short on alternative crypto exchanges that allow them to receive payment and launder money while remaining anonymous and untraceable. The victim is then left with little choice but to risk sending payment to sanctioned actors or jurisdictions through an unregulated exchange. Lawyers are also faced with the similar risk of advising their clients to make the payments without having assurances that their advice will be compliant with regulations.

3. The Role Of Lawyers In Ransomware Attacks

At a basic level, lawyers must be aware of crypto regulations and of what making ransomware payments in crypto involves. This would include being aware of sanctioned tumbler services. For example, Tornado Cash, a virtual currency mixer, was sanctioned in 2022 after being used to launder more than $7 billion worth of cryptocurrency.[16] Tornado Cash and similar applications like Blender.io are used by cybercriminals to “obfuscate proceeds from illicit cyber activity and other crimes…including sanctions evasion.”[17] Lawyers must exercise caution when ransomware attackers request payment via sanctioned applications like Tornado Cash. Utilizing such platforms not only violates legal regulations but also raises the risk of inadvertently funneling funds to sanctioned groups or persons. Consequently, clients would face the risk of being held liable for having “reason to know” they were “engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”[18]

However, regulatory ambiguity over cryptocurrency ransom payments requires lawyers to transform their roles. Rather than acting strictly as regulatory compliance officers who ensure clients do not break laws while making ransom payments, effective lawyering requires contributing to and being part of a multi-disciplinary team. As noted above, the regulatory landscape is unclear, making regulation an unreliable reference point for lawyers. Attempting to ensure a client is compliant with regulations is limited to ensuring that payments are not made to obvious “sanctioned persons or to comprehensively sanctioned jurisdiction.”[19] Moreover, a significant portion of serving a client’s interest when making ransom payments in cryptocurrency increasingly requires financial and technological competence.

On the one hand, ransom paid in Bitcoin requires an understanding of blockchain technology. Lawyers should at least have a basic understanding of how a congested network might impact ransom payments and what alternative blockchain networks are available. On the other hand, ransom payments require financial risk management to determine the right time to purchase the cryptocurrency required to pay the ransom. A lawyer who can wear multiple hats is better positioned to tackle these challenges.

An alternative approach would be to create a multi-disciplinary team consisting of technology, financial, and legal experts. In this arrangement, lawyers might lead a team of experts who provide financial and technological advice. The lawyer’s job might be to lead the team and ensure that the solutions developed stay within the tight regulatory framework that exists at the moment. A multi-disciplinary team would serve ransomware victims better, not only by protecting them from potential legal liability but also by ensuring that their ransom is paid at the lowest cost possible to the victim and client.

4. Solutions

Since victims are likely to pay ransom during periods of high congestion on the blockchain network, response strategies involve mitigating the costs of paying ransom. Some of these strategies include utilizing blockchain analytics, financial hedging techniques, and policy changes that can help with ransomware response.

a)    Blockchain Analytics

Blockchain analytic tools can help analyze network activity to identify the most cost-effective times to transact on the blockchain. One of the biggest benefits of using cryptocurrency is that its ledger is publicly visible. This allows for comprehensive analytic tools that enable users to monitor network congestion, transaction logs, and transaction fee costs. Many of these sources are free and publicly available. For example, YCharts.com displays charts depicting “Bitcoin Average transaction fees with daily updates that note changes in the current levels of transactions fees on a daily basis.”[20] Users looking for more advanced data analytics can opt for paid services like Nansen.ai, which provides detailed on-chain data for a monthly fee based on the user’s needs.[21] Paid options might be more useful to cybersecurity firms that regularly advise clients on ransomware attacks. Using blockchain analytic tools can enhance victims’ ability to project total ransom costs and allow multi-disciplinary teams to better weigh the risk associated with paying the ransom (reporting to regulatory bodies). Moreover, the use of blockchain analytic tools improves response times.

b)    Financial Hedging Techniques

Considering that transaction fees and the price of the cryptocurrency that ransom is paid in can fluctuate between the time that the cryptocurrency is purchased and paid by the victim, financial hedging techniques can aid in risk management. In an effort to maintain anonymity, ransomware attackers may request payment be made in several transactions to make it more difficult for authorities to trace the transaction back to them. In this scenario, victims will be forced to purchase cryptocurrency and sit on it for an extended period of time, exposing them to downside risk in the cryptocurrency price. As noted earlier, the positive correlation between the health of the U.S. economy, the price of Bitcoin, and the frequency of ransomware attacks suggests that ransomware attacks are more likely to occur when the price of Bitcoin is elevated. Therefore, given the inherent volatility of crypto markets, victims are likely to be exposed to price volatility in the period after they purchase the crypto that will be used to pay the ransom. Volatility might cause indecision over when to purchase the crypto, eventually causing victims to capitulate and buy at higher prices.

To minimize the effects of crypto volatility, lawyers should inform their clients of hedging techniques to protect the crypto that will be used to pay the ransom. Victims often find themselves in a precarious position where they are forced to purchase more Bitcoin to pay the ransom because the price of Bitcoin has declined in U.S. dollar terms. In these scenarios, victims pay more in ransom because they are forced to purchase more Bitcoin and expose themselves to increasing transaction costs once again.

Hedging is a useful practice for protecting a portfolio. Hedging can include the use of financial tools like derivatives or options to take a position in the opposing direction to the position you are currently in. For example, if you buy Bitcoin, you are long Bitcoin, and if the price goes down from your entry price, you lose money by the percentage the price has declined. So, to hedge a long position, you would use derivatives or options to short Bitcoin. If you are “hedged short,” then when the price of Bitcoin goes down, your initial long position will decrease in value, but your hedged short position will cover this loss because it represents a short on Bitcoin. This works the same way if the situation is reversed. The initial position is short, but you are hedged long; if the price goes up, the value of your initial short goes down, but the value of your hedged long goes up. In both situations, the investor is protected from price volatility, neither losing nor making money. It is a perfect strategy for victims to use while paying ransomware since their primary concern is that their Bitcoin retains the U.S. dollar amount that the attacker demands.

By using derivatives, a victim can hedge their cryptocurrency using less collateral. For instance, if the victim purchases one million dollars of Bitcoin to pay a ransom, they can hedge this position with 100 thousand dollars by utilizing 10x leverage. This would allow a victim to hedge, or in other words, to protect their one million dollar position in Bitcoin by shorting Bitcoin with 100 thousand dollars of collateral using 10x leverage so that the victim is both long and short Bitcoin by 1 million dollars. In sum, using derivatives to hedge a position allows a victim to be less price sensitive to the price of Bitcoin as they wait to make the ransom payment.
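The $1 million position hedged with $100 thousand of collateral at 10x leverage, worked through over several price paths (an added illustration, not part of the original article). The $50,000 entry price, the price paths, and the simplified liquidation rule (the short is closed once its losses consume the collateral; fees, funding payments and maintenance margin are ignored) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class HedgeOutcome:
    long_pnl: float    # USD change in value of the Bitcoin held for the payment
    short_pnl: float   # USD profit or loss on the offsetting short position
    liquidated: bool   # True if losses on the short consumed all collateral
    net_pnl: float     # long_pnl + short_pnl: drift from the USD amount set aside


def simulate_hedge(usd_position, leverage, price_path):
    """Track a long Bitcoin holding hedged by an equal-notional leveraged short.

    price_path lists observed BTC/USD prices; the first entry is the price at
    which the Bitcoin was bought and the short was opened.
    Assumption (simplified model): the short is liquidated at the first
    observed price where its loss reaches the posted collateral.
    """
    entry = price_path[0]
    btc_held = usd_position / entry          # size of the long, in BTC
    collateral = usd_position / leverage     # e.g. $100k backs $1M at 10x
    short_pnl = 0.0
    liquidated = False

    for price in price_path[1:]:
        if liquidated:
            break                            # hedge is gone; the long is now exposed
        short_pnl = btc_held * (entry - price)
        if short_pnl <= -collateral:
            short_pnl = -collateral          # collateral is lost, position closed
            liquidated = True

    long_pnl = btc_held * (price_path[-1] - entry)
    return HedgeOutcome(long_pnl, short_pnl, liquidated, long_pnl + short_pnl)


# Constructed price paths (USD per BTC), not market data.
SCENARIOS = {
    "steady decline": [50_000, 45_000, 40_000],
    "modest rise": [50_000, 54_000],
    "spike then drop": [50_000, 56_000, 40_000],
}


def run_scenarios(usd_position=1_000_000, leverage=10):
    """Apply the article's $1M / 10x figures to each constructed path."""
    return {
        name: simulate_hedge(usd_position, leverage, path)
        for name, path in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} long={outcome.long_pnl:>10,.0f} "
              f"short={outcome.short_pnl:>10,.0f} "
              f"liquidated={outcome.liquidated!s:5s} net={outcome.net_pnl:>10,.0f}")
```

In the spike-then-drop path the short is liquidated on the way up, so the later decline leaves the position $300,000 below the amount set aside, worse than the $200,000 shortfall with no hedge at all; the collateral has to be monitored for as long as the payment is pending.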

c)     Evolving Cryptocurrency Landscape

Since ransomware attackers may demand payment in alternative cryptocurrencies, multidisciplinary lawyers must have a foundational understanding of how to transact with and purchase alternative cryptocurrencies, not just Bitcoin. Bitcoin is no longer the only game in town. Several independent blockchains using their own native token have emerged as reliable alternatives to transact and pay ransom on. Considering that wallets of more established coins are the most reliable safe destinations for cryptocurrency, it is best to start off by purchasing Bitcoin or Ethereum and depositing the coins into a trusted hot wallet like Unisat Bitcoin wallet[22] or Metamask Ethereum wallet.[23] Cryptocurrency can be purchased from any regulated exchange like Coinbase and transferred directly to a blockchain wallet.[24] Once the cryptocurrencies are on-chain, one can use apps like debridge.finance to bridge any cryptocurrency from the Bitcoin or Ethereum blockchain network to the blockchain network the attacker demands transactions to be made through.[25] The bridging platform will transfer any asset on any chain to any other asset on any other chain. So, if you hold Bitcoin on the Bitcoin blockchain network, you can swap your Bitcoin for the native asset or any other asset on that chain (bridging fees vary based on the application). Moreover, transfers to blockchains that utilize and run parallel to dominant chains like Ethereum can be achieved at a lower transaction cost using bridging applications like Orbiter.finance.[26]

d)    Policy Changes 

Given the upward trend in ransomware attacks and ransom payments, regulatory clarity is needed. To encourage coordination between regulators and lawyers, regulations should create safe harbor provisions. Like in other areas of the law, safe harbor provisions would reward those who collaborate with regulators. Ransomware victims who report their ransom payments will be immunized from prosecution in the event that they unknowingly transfer funds to sanctioned organizations or jurisdictions. This might include disclosing correspondence with the attackers, the amount to be paid, the cryptocurrency to be used, and the time the transfers will be made. Victims might also gain safe harbor protections for disclosing payments that were accidentally made to sanctioned groups or jurisdictions as defined by the current guidance. A final consideration in deciding whether safe harbors are appropriate would be if payments were made under duress or if they were necessary to ensure the organization maintained financial stability.

This would encourage collaboration between regulators and victims, freeing up victims to make more strategic payment decisions without worrying about regulatory hurdles. It would also give regulators access to more data on ransomware attacks, enabling them to craft regulations that narrowly target ransomware attacks rather than victims.  Current regulations put victims in the difficult position of permanently losing their precious data and facing regulatory prosecution. Introducing safe harbor provisions would enable regulatory bodies to develop robust defensive regulatory strategies through deeper collaboration with victims.


While ransomware payments surpassed the $1 billion mark in 2023 alone, it is important to note that this number is up from $567 million in 2022 and $983 million in 2021, a 94% and 11.90% increase, respectively. Given this dramatic uptrend, we can only expect the frequency of ransomware attacks and ransom payments to increase in the future. This trend will continue to steepen as we enter the era of artificial intelligence (AI). AI is set to revolutionize the execution of ransomware attacks by lowering barriers to entry and reducing costs significantly. In a recent assessment titled “The near-term impact of AI on the cyber threat,” the National Cyber Security Centre (NCSC), the UK’s technical authority within the country’s top intelligence agency, predicted that of all the major cyber threats, ransomware will benefit the most from AI over the next two years.

Confronted by these trends and evolutionary changes in ransomware attacks, victims will continue to ask themselves, “How much must I pay?” rather than “Will I pay.” These challenges will increasingly require multidisciplinary lawyers capable of deploying legal, technological, and financial competencies to serve their clients effectively. To do so, lawyers must utilize blockchain analytics tools, financial hedging techniques, and knowledge of the growing crypto space to protect their clients from variable and high transaction costs and manage the risk of making such payments. However, these efforts must also be supported by regulations that bring lawyers and victims into the system through safe harbor provisions. Such measures will lead to the development of effective regulations for the daunting future ahead of us.

[1] Kapko, Matt. “Elevated Ransomware Activity hit nearly 5,200 organizations in 2023.” Accessed March 21, 2024. https://www.cybersecuritydive.com/news/elevated-ransomware-activity-2023-rapid7/704476/.

[2] Paquet-Clouston, Haslhofer, and Dupont. “Ransomware Payments in the Bitcoin Ecosystem.” (2019) accessed: March 10, 2024. https://academic.oup.com/cybersecurity/article/5/1/tyz003/5488907.

[3] Id.

[4] “Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline.” Chainalysis. Accessed March 10, 2024. https://www.chainalysis.com/blog/ransomware-2024/.

[5] Hiscox, Hiscox Cyber Readiness Report 2021: Don’t let Cyber Be a Game of Chance (2021). Accessed May 5, 2024. https://www.hiscoxgroup.com/sites/group/files/documents/2021-04/Hiscox%20Cyber%20Readiness%20Report%202021.pdf

[6] Young, Martin. “Monero’s crypto of choice as ransomware ‘double extortion’ attacks increase 500%.” The Cointelegraph. Accessed March 14, 2024. https://cointelegraph.com/news/monero-crypto-of-choice-as-ransomware-double-extortion-attacks-increase-500

[7] Id.

[8] Id.

[9] Id.

[10] Stevens, Roberts. “Bitcoin Mixers: How do they Work and Why are They Used?” Accessed: March 12, 2024. https://www.coindesk.com/learn/bitcoin-mixers-how-do-they-work-and-why-are-they-used/.

[11] Id.

[12] CISOMAG. “Paying Ransom is Now Illegal! U.S. Dept of Treasury Warns.” Accessed March 13, 2024. https://cisomag.com/paying-ransom-is-now-illegal-u-s-dept-of-treasury-warns/.

[13] Id.

[14] “What is AML and KYC for Crypto?” Accessed March 10, 2024. https://www.chainalysis.com/blog/what-is-aml-and-kyc-for-crypto/.

[15] Id.

[16] “U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash.” Accessed March 14, 2024. https://home.treasury.gov/news/press-releases/jy0916.

[17] Id.

[18] CISOMAG. “Paying Ransom is Now Illegal! U.S. Dept of Treasury Warns.” Accessed March 13, 2024. https://cisomag.com/paying-ransom-is-now-illegal-u-s-dept-of-treasury-warns/.

[19] Id.

[20] “Bitcoin Average Transaction Fee.” Accessed March 8, 2024. https://ycharts.com/indicators/bitcoin_average_transaction_fee.

[21] Nansen website: https://www.nansen.ai/plans.

[22] Bitcoin Wallet: https://unisat.io/.

[23] Ethereum Wallet: https://metamask.io/.

[24] Coinbase: https://www.coinbase.com/.

[25] Bridging Cryptocurrency: https://debridge.finance/.

[26] https://www.orbiter.finance/?source=Ethereum&dest=Optimism&token=ETH.
