Ransomware and Bitcoin

Freedom to Transact Is For Everyone

When a widely known service or company is hit by ransomware, Bitcoin gets blamed as an enabler of the attack. It is absolutely true that many ransomware gangs receive Bitcoin as payment for their digital kidnapping, and that Bitcoin makes it easier for them to get paid without getting caught. Bitcoiners often respond defensively that the victim organization's poor security is the real cause of the attacker's success. I don't think this is a good response.

Almost every organization has at least one security hole that can be exploited. I think citing poor security as the sole enabler of ransomware is just as bad as citing Bitcoin as the sole enabler: both are blame-the-victim or blame-the-tool narratives that do not line up with the real context and circumstances. Also, in 2025, per KnowBe4, a cybersecurity firm, "fewer victims are paying the ransomware than ever before. Payment rates that used to be near 70% of all ransomware victims are now down to 25%, and that is part of a long downward trend." Organizations are still getting ransomed; they just aren't paying, in Bitcoin or any other currency. This downward trend in ransomware payments coincides with greater adoption and wider use of Bitcoin. Let's look at what ransomware is, why you shouldn't just blame the organization, why Bitcoin gets used, and some reasons why ransomware payments may be declining.

First, what is ransomware? A ransomware attack typically involves infiltrating a system, inventorying the digital assets, and encrypting them so that the business or organization cannot use them, i.e., holding them for ransom (many gangs also copy the data out first and threaten to publish it, so a demand can survive even a successful restore). Bitcoin is the means of payment: pay, and the gang will, in theory, hand over the decryption key for the assets they hold. Bitcoin gives ransomware gangs frictionless, resilient, censorship-resistant and timely payment for the ransomed assets.

Bitcoin enables ransomware in the SAME WAY it enables frictionless, resilient, censorship-resistant payment for people living under authoritarian rulers or in dangerous situations. If you want a system that permits financial transactions in resistance to authoritarians, dictators, or an abusive domestic situation, there will also be others who use Bitcoin to resist financial capture.

So how do we stop the use of Bitcoin for ransomware? The answer is definitely not more surveillance or pseudo-science chain analysis. Security practices, putting more locks on your organization's assets, always help: keeping all software patched and using strong passwords with 2FA makes you a harder target. However, phishing is one of the most common means of getting into a system. Training people to identify phishing emails, phone calls, and texts helps, but you can never stop every employee or guest from clicking a malicious link. Even expert and experienced cybersecurity personnel click on links.

To maintain a high, hypervigilant security posture, you can pay for high-end detection and constant auditing of your network. However, if someone wants to get into your system, they will find a way. The only reliable way to combat a ransomware attack on your digital assets comes down to stopping it from drastically affecting your operations and refusing to pay. But first, let's understand some context around organizations and ransomware.

When you think about ransomware, you may think about Colonial Pipeline, and you may think ransomware is going to take down your gas, electricity, or internet and debilitate some part of your living environment. While something this extreme could happen, many ransomware victims are not the big organizations you see in the news. A large share of ransomware attacks hit small to medium businesses, nonprofits, hospitals, schools and local governments.

Ransomware gangs' largest volume of profit comes from smaller organizations with little or less-robust IT, with ransoms under the $250K minimum that the FBI investigates. These are often the local businesses that struggle and that Bitcoiners love. They are also often critical organizations, like a hospital or school, that must stay online to operate. When these organizations are ransomed and have no backup plan, they often must pay, because otherwise the attack takes down critical medical care or education, their livelihood, their local government and human services. So they pay the ransom.

These attacks are underreported to authorities and certainly not covered much in the national news. Smaller organizations are the sweet spot to target: they are focused on other services and have small budgets, small IT staffs, and high employee turnover. They literally need to run every day to keep afloat amid expenses. They often cannot move quickly to deal with the latest vulnerability or attack technique, and they cannot afford expensive cybersecurity products and personnel. These are the organizations you interact with day to day, whose main expertise and service has nothing to do with computer security. Yet they must now implement strict security practices just to get minimal protection against attacks.

Besides strict and costly security measures, every single employee must be vigilant at all times for something suspicious by phone or email. An errant click on an innocent-looking email can trigger an infiltration of the system; phishing is the largest method of infiltration. Any worker can let an attacker in by plugging an unknown device into a network jack or USB port. Organizations can have excellent security practices and still be brought down because attackers discovered a new zero-day in their Microsoft infrastructure (or any cloud or authentication provider). You can also have rogue employees, someone bribed, or even someone hired specifically to go rogue.

Ransomware-as-a-service gangs also recruit insiders: if you hate your job or your boss, you can get paid a lot to install a malware agent. When I say everyone in your organization, I mean everyone who even gets near your place of operation. Disguised cleaning people, delivery people, contractors, anyone, can deliver a command-and-control malware agent into your system. In high inflation, struggling to feed a family, who wouldn't be tempted? There was a recent article about out-of-work tech workers turning to crime, because crime does in fact pay. And of course, as mentioned, people get phished. Sure, if your org can afford it, you can implement anti-phishing email measures and top-notch training such as KnowBe4 phishing training. But you will never prevent every person, overconfident, old, young, working fast, multitasking, from clicking a professional-looking, socially engineered phishing email.

Infiltration points are vast, and there is no fail-safe security: if an attacker wants to get in, they can, one way or another. Worse, if an organization pays a ransom, it is estimated that there is an 80% chance they will be infiltrated and ransomed again. So here again, Bitcoin enables the payment, and Bitcoin enables the repeat attacks.

So is there any solution to Bitcoin's enablement of ransomware? No, there are no fail-safe solutions. But there are more tools. One of the most effective tools against ransomware is to have off-site, immutable backups, updated on a schedule that matches your organization's disaster needs, and tested by actually restoring from them. Immutable so they cannot be encrypted, overwritten or deleted: one of the first things a ransomware operator does is go after the backups so that they are also unusable. Off-site so that the ransomware agent can't reach them. An off-site shared drive will not suffice; if the compromised account or machine can write to that share, the share can be encrypted. What is needed is storage that the production network can only append to, where existing copies are locked for a retention period.

In addition, one of the most important things an organization can do, which so many just can't prioritize amid the million demands of daily operation, is disaster planning. An organization should have a plan with roles and responsibilities:

  • Who disconnects routers, computers, etc. to contain the damage?

  • Who contacts users?

These are just a few pieces of a disaster plan for a digital attack. A recovery plan is another requirement: restoring from backups, changing passwords and credentials, and informing users.
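As an added illustration of the backup and recovery points above (this is example code written for this page, not anything from the original post or from KnowBe4), the Python below models the difference between a writable off-site share and a write-once, retention-locked store. The store class, the `RETENTION_SECONDS` policy, the snapshot names and the sample files are all assumptions made for the demo; the ransomware step is a placeholder that simply makes the data unreadable.

```python
"""Toy model of an immutable, retention-locked backup store (constructed example).

It contrasts a writable off-site share, which a ransomware agent running with the
backup job's credentials can encrypt like any other drive, with a write-once store
that accepts new snapshots but refuses to overwrite or delete existing ones until
their retention period has expired. Cloud "object lock" / WORM features provide
the same property; the class below only models it.
"""
import hashlib

RETENTION_SECONDS = 30 * 24 * 3600  # assumed 30-day retention (hypothetical policy)


def manifest_digest(files):
    """SHA-256 over (path, content) pairs in sorted order, used to verify restores."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0" + files[path] + b"\0")
    return h.hexdigest()


def simulate_ransomware(files):
    """Stand-in for the encryption step: every file is replaced by unreadable bytes.
    A real agent would encrypt with a key only the gang holds; hashing the content
    is just an irreversible placeholder here."""
    return {path + ".locked": hashlib.sha256(data).digest() for path, data in files.items()}


class ImmutableBackupStore:
    """Append-only snapshot store with a retention lock."""

    def __init__(self, retention_seconds=RETENTION_SECONDS):
        self.retention = retention_seconds
        self._snapshots = {}  # snapshot_id -> (created_at, files, digest)

    def put_snapshot(self, snapshot_id, files, now):
        # A snapshot id can be written exactly once; re-writing it is refused,
        # so an attacker cannot push an encrypted copy over a good one.
        if snapshot_id in self._snapshots:
            raise PermissionError(f"{snapshot_id}: already exists, overwrite refused")
        digest = manifest_digest(files)
        self._snapshots[snapshot_id] = (now, dict(files), digest)
        return digest

    def delete_snapshot(self, snapshot_id, now):
        created_at, _, _ = self._snapshots[snapshot_id]
        if now < created_at + self.retention:
            raise PermissionError(f"{snapshot_id}: retention lock active, delete refused")
        del self._snapshots[snapshot_id]

    def restore(self, snapshot_id):
        # Check the stored manifest against its recorded digest before trusting it.
        _, files, digest = self._snapshots[snapshot_id]
        if manifest_digest(files) != digest:
            raise RuntimeError(f"{snapshot_id}: integrity check failed")
        return dict(files)


def run_scenario():
    """Run the attack against both backup designs and report what survives."""
    # Constructed sample data standing in for a small organization's files.
    live = {"ledger.csv": b"date,amount\n2025-01-02,100\n",
            "patients.db": b"SQLite format 3\0" + b"\0" * 16}
    t0 = 1_700_000_000  # arbitrary epoch timestamp for the nightly backup

    # Design 1: an off-site share the backup job (and so the attacker holding
    # its credentials) can write to. The agent encrypts it like any mounted drive.
    share = simulate_ransomware(dict(live))

    # Design 2: a retention-locked store. The nightly job appends a snapshot.
    store = ImmutableBackupStore()
    store.put_snapshot("nightly-0001", live, now=t0)

    # One hour later the agent encrypts production and, with the same stolen
    # credentials, tries to destroy or overwrite the backup.
    t_attack = t0 + 3600
    encrypted_live = simulate_ransomware(live)
    try:
        store.delete_snapshot("nightly-0001", now=t_attack)
        backup_deleted = True
    except PermissionError:
        backup_deleted = False
    try:
        store.put_snapshot("nightly-0001", encrypted_live, now=t_attack)
        backup_overwritten = True
    except PermissionError:
        backup_overwritten = False

    # Recovery: restore from the locked snapshot and confirm it matches the
    # pre-attack data byte for byte. Retention is a window, not forever:
    # once it expires, normal cleanup of the old snapshot is allowed again.
    restored = store.restore("nightly-0001")
    try:
        store.delete_snapshot("nightly-0001", now=t0 + RETENTION_SECONDS)
        cleanup_allowed = True
    except PermissionError:
        cleanup_allowed = False
    return {
        "share_backup_intact": "ledger.csv" in share,
        "immutable_backup_deleted": backup_deleted,
        "immutable_backup_overwritten": backup_overwritten,
        "restore_matches_original": restored == live,
        "delete_allowed_after_retention": cleanup_allowed,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the writable share lost, the locked snapshot surviving both a delete and an overwrite attempt made with the same credentials, a byte-for-byte restore, and cleanup becoming possible only after retention expires. The point of the retention window is that the backup job's credentials, which are exactly what the agent will hold once it is inside, are never sufficient to destroy a good copy.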

At this point you’re wondering what the h#ll does this have to do with Bitcoin?

In an ideal situation, a ransomware attack has NOTHING to do with Bitcoin, because no one is using Bitcoin as a medium of exchange to pay the ransomware gang. Why? Because the organization has off-site backups and a disaster and recovery plan that make this adverse use of Bitcoin unnecessary. These business-continuity measures are also what provide failover for a natural disaster, fire or flood. Does that put the onus back on the organization? Yes, it does, but hopefully with a little more understanding of the time and money constraints these organizations face, and less of a blame-the-victim response.

Bitcoin will enable ransomware gangs to receive payments more easily, if those payments get made. Fighting back with backups and a disaster and recovery plan is one way to avoid making a ransom payment, whether in Bitcoin or any other medium of exchange.

Bitcoin gives everyone the freedom to transact--Everyone.

References:

  1. KnowBe4, "Ransomware is Back—and Smarter Than Ever in 2025: Trends", https://blog.knowbe4.com/cyberheistnews-vol-15-30-heads-up-ransomware-is-back-and-smarter-than-ever-in-2025-trends