Understanding the Use of Cryptocurrency by Ransomware Operators
Ransomware-as-a-Service (RaaS) has become a lucrative enterprise. According to research by Chainalysis, blockchain transaction records show that the major ransomware operations are interconnected.
What does the research say?
The report links the four major ransomware families of 2020: Egregor, SunCrypt, DoppelPaymer, and the now-defunct Maze. Blockchain analysis reveals overlapping affiliates, along with other connections, between these four gangs.
- Egregor came to prominence right after Maze shut down. Most of Maze's affiliates moved to Egregor, which has led some experts to suspect that Maze rebranded as Egregor. In addition, Maze and Egregor share similarities in code, ransom notes, and victim payment sites.
- A Maze RaaS affiliate has been linked to the SunCrypt RaaS: the affiliate sent 9.55 BTC to an address labeled "Suspected SunCrypt admin".
- A similar relationship exists between Egregor and DoppelPaymer: Egregor sent approximately $850,000 worth of cryptocurrency to an alleged DoppelPaymer admin wallet.
What does this imply?
Although these connections do not prove that the groups share an administrator, they do establish that affiliates overlap between them. The analysis also shows that Maze and Egregor used the same over-the-counter (OTC) brokers to convert cryptocurrency into cash.
- Ransomware operators collected at least $350 million in ransom payments in 2020, and most of the funds moved to cryptocurrency exchanges.
- Just 199 deposit addresses received 82% of those funds, and an even smaller group of 25 addresses received 46%. Between August and December 2020, that group of 25 addresses took in more than $63 million worth of Bitcoin.
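The two findings above (shared counterparties between families, and a handful of deposit addresses absorbing most of the money) are both simple aggregations over a payment graph once the sending wallets have been attributed to a family. The following is an added example, not Chainalysis's tooling or methodology: it runs over a small constructed set of transfers with invented address labels such as `exch_dep_01` and `otc_broker_X`, and it assumes the family attribution of each sending wallet is already known (the hard part in practice, which this skips).

```python
"""Toy flow analysis of ransom proceeds across RaaS families.

Added example with constructed data; addresses, amounts and attribution
labels are invented and do not correspond to any real wallet.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    family: str   # ransomware family the sending wallet is attributed to
    sender: str   # label of the sending wallet (affiliate or admin)
    dest: str     # receiving address (hypothetical short label)
    btc: float    # amount moved, in BTC


# Constructed sample flows. The shape mirrors the report's findings: affiliates
# of two families paying the same exchange deposit address and OTC broker, and
# one family's affiliate paying another family's suspected admin wallet.
SAMPLE = [
    Transfer("Maze", "Maze affiliate 1", "exch_dep_01", 40.0),
    Transfer("Maze", "Maze affiliate 2", "suspected_suncrypt_admin", 9.55),
    Transfer("Maze", "Maze affiliate 1", "otc_broker_X", 12.0),
    Transfer("Egregor", "Egregor affiliate 1", "exch_dep_01", 55.0),
    Transfer("Egregor", "Egregor affiliate 2", "otc_broker_X", 30.0),
    Transfer("Egregor", "Egregor affiliate 2", "suspected_doppelpaymer_admin", 25.0),
    Transfer("SunCrypt", "SunCrypt affiliate 1", "suspected_suncrypt_admin", 6.0),
    Transfer("SunCrypt", "SunCrypt affiliate 1", "exch_dep_02", 8.0),
    Transfer("DoppelPaymer", "DoppelPaymer affiliate 1", "suspected_doppelpaymer_admin", 15.0),
    Transfer("DoppelPaymer", "DoppelPaymer affiliate 1", "exch_dep_03", 20.0),
]


def inflow_by_address(transfers):
    """Total BTC received per destination address."""
    totals = defaultdict(float)
    for t in transfers:
        totals[t.dest] += t.btc
    return dict(totals)


def shared_destinations(transfers):
    """Addresses paid by more than one family, mapped to the set of families.

    This is the overlap signal: an exchange deposit address, OTC broker or
    admin wallet that is reachable from the wallets of two or more families.
    """
    families = defaultdict(set)
    for t in transfers:
        families[t.dest].add(t.family)
    return {addr: fams for addr, fams in families.items() if len(fams) > 1}


def family_overlap(transfers):
    """Sorted list of family pairs that share at least one destination address."""
    pairs = set()
    for fams in shared_destinations(transfers).values():
        for a in fams:
            for b in fams:
                if a < b:
                    pairs.add((a, b))
    return sorted(pairs)


def top_k_share(transfers, k):
    """The k highest-receiving addresses and the fraction of all outflow they
    absorb; this is the concentration statistic behind '25 addresses receive 46%'."""
    totals = inflow_by_address(transfers)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:k]
    grand = sum(totals.values())
    share = sum(v for _, v in ranked) / grand if grand else 0.0
    return [addr for addr, _ in ranked], share


if __name__ == "__main__":
    for addr, fams in shared_destinations(SAMPLE).items():
        print(f"{addr}: paid by {', '.join(sorted(fams))}")
    print("family pairs with shared counterparties:", family_overlap(SAMPLE))
    addrs, share = top_k_share(SAMPLE, 2)
    print(f"top 2 addresses {addrs} receive {share:.0%} of all outflow")
```

On the constructed data the two exchange/broker addresses shared by Maze and Egregor surface immediately, and the two admin wallets paid by a foreign affiliate link Maze to SunCrypt and Egregor to DoppelPaymer. Two caveats for real data: attribution of sending wallets to a family depends on clustering heuristics and labelled seed addresses, and a shared exchange deposit address is a much weaker link than a shared admin wallet, since large exchanges reuse deposit addresses across unrelated customers.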
The bottom line
These findings reveal a great deal about the ransomware landscape, including considerable fluidity in the RaaS market. Experts regard this interconnectedness as good news for law enforcement: the ransomware world is smaller than it appears, and a small number of shared deposit addresses and brokers sit between many groups and their cash. Disrupting those common points is therefore expected to speed up the process of bringing down ransomware families.