
Ransomware Bitcoin transactions in 2021 have surpassed those from the previous year, according to the Treasury Department's findings.

Reports of suspicious activity in transactions have surpassed 2020 figures by 30%, with the monitoring agency tracing billions of dollars in Bitcoin payments that could be tied to ransomware.


In recent times, the Treasury has taken a proactive stance against ransomware-related activity in digital exchanges, using its existing tools to deter such malicious activities. This move comes as no surprise, given the increasing trend in cybercrime, as indicated by the number of Suspicious Activity Reports (SARs) filed.

Between January and June 2021, financial institutions reported 635 SARs, including 458 actual transactions. This represents a 30% increase from the entirety of 2020, suggesting a growing concern in the realm of digital security.

Bitcoin is the payment method ransomware actors use most often, but other cryptocurrencies such as Monero are also used. In the first half of 2021, the Financial Crimes Enforcement Network (FinCEN) found seven payments valued at about $34 million where Bitcoin and Monero wallets were provided. FinCEN's analysis of ransomware-related activity in SARs found $590 million in the first half of 2021, an increase from $416 million in 2020.

The top-10 ransomware variants identified by FinCEN are operated by various ransomware groups, some known for affiliate programs. The VanHelsing ransomware service, which launched in March 2025, allows affiliates to use the malware in exchange for a fee or revenue sharing, targeting Windows as well as Linux and ESXi systems.

FinCEN found 177 unique convertible virtual currency (CVC) wallet addresses associated with the top 10 ransomware variants, and traced about $5.2 billion in outgoing Bitcoin potentially tied to these variants. The median average payment amount was $102,273.

Security experts suggest that even if cryptocurrency were regulated, cybercriminals would easily pivot to another tool. However, the lack of regulation and oversight in the cryptocurrency sector has, in part, given bad actors anonymity to conduct ransomware activity.

U.S. persons are prohibited from engaging in transactions with individuals or entities on the Specially Designated Nationals (SDNs) and Blocked Persons List. Evil Corp., SamSam, and the Lazarus Group were among the initial sanctioned actors identified by the Treasury's Office of Foreign Assets Control (OFAC).

The most common ransomware variants were REvil, Conti, DarkSide, Avaddon, and Phobos. At least 68 ransomware variants were found in SARs data. Katie Nickels, director of intel at Red Canary, suggested that publicly identifying the ransomware variants could have more impact towards the goal of showing the U.S. government's ability to track payments.

The U.S. Treasury has threatened to fine companies that pay sanctioned ransomware actors. The Treasury, with its primary authority over regulating ransomware payment activity, is taking significant steps to combat this growing threat.

As the digital landscape continues to evolve, so too does the need for vigilance and regulation. The Treasury's efforts serve as a reminder that the fight against cybercrime is an ongoing battle, one that requires cooperation and action from all sectors.
