Ransomware-as-a-Service (RaaS) has become a lucrative enterprise. According to research by Chainalysis, blockchain transactions prove that ransomware attacks are interconnected.
What does the research say?
- Egregor came into prominence right after Maze shut down shop. Most of Maze's affiliates moved to Egregor, which has led some experts to suspect that Maze has rebranded as Egregor. In addition, Maze and Egregor share similarities in code, ransom notes, and victim payment sites.
- Evidence has been found connecting a Maze RaaS affiliate with the SunCrypt RaaS. The former had sent 9.55 Bitcoin to an address labeled "Suspected SunCrypt admin".
- A similar relationship has been found between Egregor and DoppelPaymer. Egregor had sent approximately $850,000 to an alleged DoppelPaymer admin wallet.
What does this imply?
- Ransomware operators made at least $350 million in ransom payments last year, and most of the funds move to cryptocurrency exchanges.
- Only 199 deposit addresses receive 82% of the funds, and a smaller group of 25 addresses receives 46%. Between August and December 2020, the smaller group made more than $63 million worth of Bitcoin.