Ransomware is fast becoming a potent way for threat actors to strike it rich. In the first six months of 2021 alone, $590 million in ransomware-related suspicious activity was tracked — more than the total for all of 2020, according to the Financial Crimes Enforcement Network.
For most ransomware operators, money is the end goal and monetization is the last stop in their campaigns. These adversaries are constantly changing their monetization tactics to stay undetected on the dark web.
Here are five points worth noting about monetization and the cash operations that fuel ransomware:
Cryptocurrency is the preferred method of payment. Adversaries who cash out on ransomware want to fly under the radar, so they take refuge in virtual currencies such as Bitcoin, Monero, Ethereum, and Litecoin. Because creating a cryptocurrency wallet requires no personally identifiable information, the wallet itself reveals nothing about its owner. Strictly speaking this is pseudonymity rather than anonymity: on a public chain such as Bitcoin every address and transaction is visible to anyone, and it is only the link from address to person that is missing. Monero is the exception in that list, since it is designed to hide sender, receiver, and amount.
Bitcoin seems to be the main cryptocurrency of choice because it is fairly easy to obtain, offers that pseudonymity, and settles quickly. It accounts for a whopping 98% of ransomware payments, according to insurance broker and risk advisor Marsh.
Mixing services provide further anonymity. While a cryptocurrency such as Bitcoin shields users' real-world identities, its ledger is transparent and public: every transaction can be traced from address to address, although doing so takes effort.
Mixing services such as Wasabi (which implements the CoinJoin technique) exist to make it harder to link cryptocurrency transactions with individuals. Mixing, or tumbling, means that many users' coins are pooled into one large transaction and paid back out to fresh wallets, typically in identically sized outputs, so that an observer cannot tell which input funded which output. Such sleight of hand helps to launder cryptocurrency, or at least keeps the operator one step ahead of law enforcement.
Payment amounts vary greatly. The ransoms demanded from victims swing wildly depending on the kind of data that was taken and on the reputation of the access broker who sold entry into the network. In general, demands rise in direct proportion to the number of endpoints the threat actors can reach, the estimated annual revenue of the victim company, and the access broker's experience.
Threat actors auction data if demands are not met. If a victim organization decides against paying the ransom for the decryption key needed to recover its data, the ransomware operator has an alternative way to monetize the stolen information: auctioning it off to the highest bidder. A successful bidder can use the data to extort the victim directly or to craft other types of cyberattacks with it.
Alternative methods of payment are not dead…yet. While cryptocurrency, especially Bitcoin, is a popular payment method for ransomware campaigns, there are other avenues of monetization through which payment travels from the victim to the criminals.
One of these is a fraud network, or a group of threat actors looking to commit fraudulent transactions to move money. Another option is using a money mule, or someone who moves money from one account to another on behalf of someone else. In this case, the money mule receives a payment and transfers funds to other accounts, making it harder to track where the money is going.
Alternatively, attackers may use a reshipping network such as EcoPanel, in which intermediaries forward valuable equipment to the criminals, who cash out by selling the goods on the black market. Purchased equipment is sent to "drops" in Europe or the US, where it is reshipped by people who know nothing of the goods' origins. The final recipient is then able to sell the goods for cash.
Lessons for SecOps Teams
Security and threat intelligence teams can learn a lot from monetization tactics to decode the ransomware trail. By seeking ways to track eCrime and ransomware payment trends, and observing the ways in which monetization is changing, teams can follow the breadcrumbs to the threat actors.
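To make the tracing and mixing points above concrete, here is an added example (not part of the original article, and not any vendor's tool) of the basic chain-analysis idea behind "following the breadcrumbs": walk a public ledger forward from a known ransom address, and stop treating the trail as conclusive once it passes through a CoinJoin-style transaction. The ledger, the address names, and the thresholds in `is_coinjoin_like` are all constructed for illustration; the heuristic itself (many unrelated inputs plus a run of identically sized outputs) is the common signature of a mix.

```python
"""Follow ransom funds across a constructed transaction graph and flag
CoinJoin-style mixes where deterministic linkage breaks down.

Everything here is constructed sample data, not real chain data."""
from collections import Counter, deque

# Constructed sample ledger. Each transaction lists the addresses it spends
# from and its (address, amount) outputs.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_wallet"],
     "outputs": [("ransom_addr", 5.0)]},
    {"txid": "tx2", "inputs": ["ransom_addr"],
     "outputs": [("hop_a", 4.9), ("ransom_change", 0.1)]},
    # CoinJoin-style transaction: unrelated parties pool inputs and receive
    # equal-sized outputs, so the ledger alone cannot say which output is hop_a's.
    {"txid": "tx3", "inputs": ["hop_a", "user_x", "user_y"],
     "outputs": [("mix_out_1", 1.0), ("mix_out_2", 1.0), ("mix_out_3", 1.0),
                 ("mix_out_4", 1.0), ("mix_out_5", 1.0),
                 ("hop_a_change", 0.9), ("user_x_change", 0.4)]},
    {"txid": "tx4", "inputs": ["mix_out_2"],
     "outputs": [("exchange_deposit", 1.0)]},
]


def spends_from(ledger):
    """Index: address -> list of transactions that spend from that address."""
    idx = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            idx.setdefault(addr, []).append(tx)
    return idx


def is_coinjoin_like(tx, min_inputs=3, min_equal_outputs=3):
    """Heuristic: several inputs and a run of identically sized outputs is the
    signature of a CoinJoin-style mix. Thresholds are illustrative."""
    if len(tx["inputs"]) < min_inputs:
        return False
    counts = Counter(amount for _, amount in tx["outputs"])
    return max(counts.values()) >= min_equal_outputs


def trace(ledger, start, max_hops=10):
    """Breadth-first forward trace from `start`.

    Addresses reached through ordinary transactions go into `linked`. When a
    mix is encountered, its equal-sized outputs are recorded as `ambiguous`
    candidates and are not followed further, because any one of them could
    belong to another participant in the mix."""
    idx = spends_from(ledger)
    linked, ambiguous, mixes = {start}, set(), []
    seen_tx = set()
    queue = deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for tx in idx.get(addr, []):
            if tx["txid"] in seen_tx:
                continue
            seen_tx.add(tx["txid"])
            if is_coinjoin_like(tx):
                mixes.append(tx["txid"])
                common = Counter(a for _, a in tx["outputs"]).most_common(1)[0][0]
                ambiguous.update(o for o, a in tx["outputs"] if a == common)
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr not in linked:
                    linked.add(out_addr)
                    queue.append((out_addr, depth + 1))
    return {"linked": linked, "ambiguous": ambiguous, "mixes": mixes}


if __name__ == "__main__":
    result = trace(LEDGER, "ransom_addr")
    print("linked:   ", sorted(result["linked"]))
    print("ambiguous:", sorted(result["ambiguous"]))
    print("mixes:    ", result["mixes"])
```

Run against the sample ledger, the trace links `ransom_addr` to `hop_a` and its change output with confidence, then hits `tx3`, flags it as a mix, and reports the five equal-sized outputs as candidates rather than claiming that `exchange_deposit` received ransom money. That is exactly the gap a mixer is meant to create, and it is why real investigations supplement ledger-graph tracing with off-chain data such as exchange records.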
As ransomware threats and attackers’ demands grow in frequency and size, a data-first approach is necessary to secure organizational data so it can't be used as part of an extortion campaign. The threat landscape is always changing, and closely monitoring it will give threat intelligence programs proactive information to effectively ward off emerging ransomware attacks.