Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:00 PM

Ransomware Payoffs Surge by 311% to Nearly $350 Million

Payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with less than 200 cryptocurrency wallets receiving 80% of funds.

Ransomware payments using cryptocurrency surged 311% in 2020, nearing a total volume of $350 million, as cybercriminals gravitated to crypto-locking as the easiest way to turn compromised systems into cash, blockchain analysis company Chainalysis stated in an analysis this week.

While ransomware payments through cryptocurrencies are skyrocketing, cybercrime overall is accounting for less volume of digital currency transactions, the company stated. Cybercrime transactions using cryptocoins dropped by more than half to $10 billion, but because overall cryptocurrency transaction volume increased, the share of cybercrime dropped even more precipitously to account for only 0.34% of all cryptocurrency transactions in 2020, down from more than 2% in 2019.

Related Content:

Pay-or-Get-Breached Ransomware Schemes Take Off

Special Report: 2021 Top Enterprise IT Trends

New From The Edge: Building Your Personal Privacy Risk Tolerance Profile

The data demonstrates that, while ransomware has become a greater problem, cryptocurrency continues to expand its markets, says Kim Grauer, head of research at Chainalysis.

"Cryptocurrency has a reputation as being driven by cybercrime, speculation and tax-avoidance strategies," she says. "But it's increasingly being used as a store of value both in developed markets where asset managers are entering the space and in emerging markets."

The use of a cryptocurrency money-laundering scheme known as mixing has declined since a spike in the third quarter of 2019, according to Chainalysis data. In the final quarter of 2020, more than 90% of funds leaving ransomware wallets were destined for a cryptocurrency exchange, about half of which were designated "high risk" by Chainalysis. Often, different ransomware groups and strains use the same 

"We can find connections between ransomware strains by examining common deposit addresses to which wallets associated with different strains send funds," Chainalysis stated in its analysis. "We believe that most of the cases of deposit address overlap represent usage of common money laundering services by different ransomware strains."

While public reports have focused on the Maze Team — which appears to have shut down in November 2020 — and Egregor, which appears to have replaced Maze, Chainalysis found that the well-known Ryuk malware appears to be the most prolific ransomware threat to companies, both in the number of ransoms paid and the total profit. Three strains of ransomware — Ryuk, Maze, and Doppelpaymer — accounted for more than half of all the known ransom payments.

However, the company cautioned against drawing too many conclusions, as many strains of ransomware are used to enable ransomware-as-a-service (RaaS) offerings. In other words, different cybercriminals groups may be using the same, or a collection, of ransomware.

"Many RaaS affiliates migrate between strains, suggesting that the ransomware ecosystem is smaller than one might think at first glance," the company stated in the report. "In addition, many cybersecurity researchers believe that some of the biggest strains may even have the same creators and administrators, who publicly shutter operations before simply releasing a different, very similar strain under a new name."

A key component of the ransomware ecosystem is the ability to launder the money paid by victims to foil law enforcement efforts to track funds. While ransomware demands often use one-time wallets for payments, most funds track back to a limited number of accounts. In fact, 199 deposit addresses account for 80% of the monetary value of ransomware, Chainalysis stated. These are deposit addresses are hosted on exchanges, and often amount to an over-the-counter brokerage or other nested service, says Grauer.

"Mixers are still being used by criminals, but right now we are seeing large, organized criminal groups using laundering infrastructure that is based out of a few exchanges, such as OTC brokers who often specialize in laundering illicit funds," says Grauer.

Law enforcement could target the relatively low number of deposit addresses as a way to disrupt ransomware schemes. Chainalysis found that 25 deposit addresses accounted for 46% of all funds, and nine of those addresses were primarily used for ransomware payments.

"These services are incentivized to maintain their deposit addresses in the same way a brick-and-mortar business might not want to move locations. They'd have to tell their customers they are moving," Grauer says. "We don’t know for sure how many total groups are out there, but the fewer deposit addresses that need to be shut down to impact the current money laundering infrastructure, the better for investigation and compliance purposes."

Cryptocurrency markets are rife with speculation, but cryptocurrencies known as stablecoin, which are backed by assets—most often, US dollars, are growing in popularity in an attempt to shake off the volatility in the pure cryptocurrency markets. Stablecoins can be a hedge for international investors, but also have increased value for money laundering and tax avoidance. In December, US financial regulators warned that stablecoins posed significant financial and regulatory risks.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.