

1/29/2021
03:00 PM

Ransomware Payoffs Surge by 311% to Nearly $350 Million

Payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with less than 200 cryptocurrency wallets receiving 80% of funds.

Ransomware payments using cryptocurrency surged 311% in 2020, nearing a total volume of $350 million, as cybercriminals gravitated to crypto-locking as the easiest way to turn compromised systems into cash, blockchain analysis company Chainalysis stated in an analysis this week.

While ransomware payments through cryptocurrencies are skyrocketing, cybercrime overall accounts for a shrinking share of digital currency transactions, the company stated. Cybercrime transactions using cryptocoins dropped by more than half to $10 billion, but because overall cryptocurrency transaction volume increased, cybercrime's share dropped even more precipitously, to only 0.34% of all cryptocurrency transactions in 2020, down from more than 2% in 2019.


The data demonstrates that, while ransomware has become a greater problem, cryptocurrency continues to expand its markets, says Kim Grauer, head of research at Chainalysis.

"Cryptocurrency has a reputation as being driven by cybercrime, speculation and tax-avoidance strategies," she says. "But it's increasingly being used as a store of value both in developed markets where asset managers are entering the space and in emerging markets."

The use of a cryptocurrency money-laundering scheme known as mixing has declined since a spike in the third quarter of 2019, according to Chainalysis data. In the final quarter of 2020, more than 90% of funds leaving ransomware wallets were destined for a cryptocurrency exchange, about half of which were designated "high risk" by Chainalysis. Often, different ransomware groups and strains use the same 

"We can find connections between ransomware strains by examining common deposit addresses to which wallets associated with different strains send funds," Chainalysis stated in its analysis. "We believe that most of the cases of deposit address overlap represent usage of common money laundering services by different ransomware strains."

While public reports have focused on the Maze Team — which appears to have shut down in November 2020 — and Egregor, which appears to have replaced Maze, Chainalysis found that the well-known Ryuk malware appears to be the most prolific ransomware threat to companies, both in the number of ransoms paid and the total profit. Three strains of ransomware — Ryuk, Maze, and DoppelPaymer — accounted for more than half of all the known ransom payments.

However, the company cautioned against drawing too many conclusions, as many strains of ransomware are used to enable ransomware-as-a-service (RaaS) offerings. In other words, different cybercriminal groups may be using the same ransomware strain, or a collection of strains.

"Many RaaS affiliates migrate between strains, suggesting that the ransomware ecosystem is smaller than one might think at first glance," the company stated in the report. "In addition, many cybersecurity researchers believe that some of the biggest strains may even have the same creators and administrators, who publicly shutter operations before simply releasing a different, very similar strain under a new name."

A key component of the ransomware ecosystem is the ability to launder the money paid by victims to foil law enforcement efforts to track funds. While ransomware demands often use one-time wallets for payments, most funds track back to a limited number of accounts. In fact, 199 deposit addresses account for 80% of the monetary value of ransomware payments, Chainalysis stated. These deposit addresses are hosted on exchanges, and often amount to an over-the-counter brokerage or other nested service, says Grauer.

"Mixers are still being used by criminals, but right now we are seeing large, organized criminal groups using laundering infrastructure that is based out of a few exchanges, such as OTC brokers who often specialize in laundering illicit funds," says Grauer.

Law enforcement could target the relatively low number of deposit addresses as a way to disrupt ransomware schemes. Chainalysis found that 25 deposit addresses accounted for 46% of all funds, and nine of those addresses were primarily used for ransomware payments.
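An added illustration, not code from the article or from Chainalysis, of the two analyses described above: linking ransomware strains that send funds to the same deposit address (the deposit-address overlap heuristic), and measuring how concentrated receipts are among the top deposit addresses. The transfer list is constructed; strain names aside, every wallet label, address label and amount is made up.

```python
from collections import defaultdict

# Constructed sample: (strain, source wallet, deposit address, amount in USD).
# Wallet and address labels are invented, not real blockchain identifiers.
TRANSFERS = [
    ("Ryuk", "w1", "dep_A", 500_000),
    ("Ryuk", "w2", "dep_A", 300_000),
    ("Maze", "w3", "dep_A", 200_000),
    ("Maze", "w4", "dep_B", 150_000),
    ("DoppelPaymer", "w5", "dep_B", 100_000),
    ("Egregor", "w6", "dep_C", 50_000),
    ("Sodinokibi", "w7", "dep_D", 20_000),
]

def shared_deposit_addresses(transfers):
    """Deposit addresses funded by wallets of more than one strain."""
    by_addr = defaultdict(set)
    for strain, _wallet, addr, _amt in transfers:
        by_addr[addr].add(strain)
    return {a: s for a, s in by_addr.items() if len(s) > 1}

def strain_clusters(transfers):
    """Union-find over strains: two strains join a cluster when they share
    a deposit address. Returns clusters sorted largest first."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for strains in shared_deposit_addresses(transfers).values():
        first, *rest = sorted(strains)
        for s in rest:
            parent[find(s)] = find(first)
    for strain, *_ in transfers:
        find(strain)  # register strains with no overlap as singletons
    groups = defaultdict(set)
    for s in parent:
        groups[find(s)].add(s)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def top_address_share(transfers, n):
    """Fraction of total value received by the n largest deposit addresses."""
    totals = defaultdict(int)
    for _s, _w, addr, amt in transfers:
        totals[addr] += amt
    top = sorted(totals.values(), reverse=True)[:n]
    return sum(top) / sum(totals.values())

if __name__ == "__main__":
    print(strain_clusters(TRANSFERS))
    print(f"top-2 address share: {top_address_share(TRANSFERS, 2):.1%}")
```

On the constructed data, Ryuk, Maze and DoppelPaymer fall into one cluster via the two shared addresses, and two addresses receive about 95% of the value, which is the kind of concentration the report describes.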

"These services are incentivized to maintain their deposit addresses in the same way a brick-and-mortar business might not want to move locations. They'd have to tell their customers they are moving," Grauer says. "We don’t know for sure how many total groups are out there, but the fewer deposit addresses that need to be shut down to impact the current money laundering infrastructure, the better for investigation and compliance purposes."

Cryptocurrency markets are rife with speculation, but cryptocurrencies known as stablecoins, which are backed by assets (most often US dollars), are growing in popularity as an attempt to shake off the volatility of the pure cryptocurrency markets. Stablecoins can be a hedge for international investors, but they also have increased value for money laundering and tax avoidance. In December, US financial regulators warned that stablecoins posed significant financial and regulatory risks.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...