Ransomware attacks use software that infects a target’s computers and encrypts all the files so that the victims lose access. The perpetrators hold onto the key for decrypting the data until they get their demanded payment, or ransom, which victims typically pay using bitcoin or some other cryptocurrency that is difficult or impossible to trace.

The research, conducted by Google, Chainalysis, University of California at San Diego, and New York University’s Tandon School of Engineering, was presented Wednesday at the Black Hat security conference in Las Vegas. Chainalysis is a startup that monitors bitcoin transactions for customers.

Many computer users are very much at risk because Google estimates only 37% of them actually back up the data on their hard drives.

Ransomware has become “a very, very profitable market and is here to stay,” Google researcher Elie Bursztein told the BBC news

Related: How to Protect Yourself Against WannaCry Ransomware

Assessing actual payments is tricky, not only because victims typically use hard-to-track cryptocurrency to make payments, but also because most companies are not eager to disclose they’ve been victimized.

Related: Victims of Petya Ransomware

Thus the researchers relied on reports from victims, but they also found files that were used to infect machines and ran them on their own computers to replicate the process, according to the BBC. Then they monitored network traffic generated by victims to figure out where the money went.

Fortune contacted Google (GOOGL) and NYU requesting access to the report and will update this story as needed.

Victims of fairly recent ransomware attacks include FedEx (FDX), TNT Express service, global shipping giant Maersk. pharmaceutical power Merck (MRK), and San Francisco public radio station KQED.

It is unclear if any of these companies actually paid the ransom.