According to the report by CipherTrace, a crypto intelligence company, demanding ransomware payments in XMR has been a trend among attackers in 2021.
"Most of the groups and strains listed as using XMR are relatively new," the report said. "CipherTrace analysts have observed a trend of increasing use of XMR by darknet markets and ransomware actors."
In total, CipherTrace data revealed that at least 22 ransomware groups, not all of which are currently active, accept only XMR, while another seven accept both BTC and XMR. In total, the analysts found over 50 groups and strains that use XMR, but the list of those using BTC is well over 1,000.
However, with reported ransomware payments totaling USD 590m in the first half of 2021, ransomware payments where the attackers demanded either BTC or XMR made up just 5.7% (USD 34m) of all transactions, per the report. Meanwhile, payments where attackers demanded only XMR made up just 0.4% (USD 2.4m) of all reported ransomware-related transactions at this time.
Also, while some attackers only accept XMR, others also accept BTC but charge an additional fee, which is arguably to cover the expenses of making easily traceable BTC transactions anonymous.
For instance, cybercriminal hacking group DarkSide, which is probably best known for attacking Colonial Pipeline, accepts payments in both BTC and XMR but charges 10% - 20% more for payments in BTC.
Likewise, BlackMatter Ransomware group, a new ransomware group that reportedly has ties to DarkSide, has the same pattern of accepting payments in both BTC and XMR, with BTC ransom payments being 25% more expensive.
However, some criminal groups, like REvil, which attacked business software-maker Kaseya in mid-2021, have been accepting only XMR payments, but would also add a BTC option with a premium.
Monero is a privacy-oriented cryptocurrency that uses obfuscated ledger, which ensures that any user can send and broadcast transactions but an outside observer cannot discern the amount, source, or destination of transactions.