Chainalysis acknowledges that 2020 will “forever be known” as the year of COVID-19, but when it comes to cryptocurrency-related crime, it’s also the year that ransomware really began to take off.
Blockchain analysis reveals that the total amount paid by ransomware victims “increased by 311% this year to reach nearly $350 million worth of cryptocurrency,” Chainalysis confirmed in its report. Notably, there’s “no other category of cryptocurrency-based crime” that had a higher growth rate than this segment. Chainalysis also pointed out that this number is actually “a lower bound of the true total, as underreporting means we likely haven’t categorized every victim payment address in our datasets.”
2020’s ransomware increase was mainly “driven by a number of new strains taking in large sums from victims,” and other “pre-existing strains drastically increasing earnings.” Chainalysis’ report also clarified that ransomware strains “don’t operate consistently, even month-to-month.”
The report added that the number of ransomware strains active throughout 2020 may “give the impression that there are several distinct groups carrying out ransomware attacks, but this may not be the case.” As reported by Chainalysis, many of these ransomware strains function on a model that affiliates “rent” usage of a strain “from its creators or administrators, in exchange for a cut of the money from each successful attack.”
Many ransomware-as-a-service or RaaS affiliates tend to “migrate between strains,” indicating that the entire ransomware ecosystem is significantly smaller than one might expect or think “at first glance.” Cybersecurity researchers also “believe that some of the biggest strains may even have the same creators and administrators, who publicly shutter operations before simply releasing a different, very similar strain under a new name,” the Chainalysis report noted.
The report also mentioned that “with blockchain analysis, we can shed light on some of these connections by analyzing how addresses associated with different ransomware strains transact with one another.”
Chainalysis’ report continued:
“Ransomware attackers move most of the funds taken from their victims to mainstream exchanges, high-risk exchanges (meaning those with loose to non-existent compliance standards), and mixers. However, the money laundering infrastructure ransomware attackers may be controlled by just a few key players, similar to the ransomware strains themselves.”
According to Chainalysis’ research study, they’ve managed to identify certain connections between ransomware strains by looking closely at common deposit addresses to which crypto wallets associated with different strains have transferred funds.
Chainalysis says that they believe that “most of the cases of deposit address overlap represent usage of common money laundering services by different ransomware strains.” They also noted that the “overlap in money laundering services is important information for law enforcement, as it suggests they can disrupt the activity of multiple strains — in particular, their ability to liquidate and spend the cryptocurrency — by taking one money laundering operation offline.”
Chainalysis clarified that money launderers are not the only ones ransomware addresses are sending virtual currencies to. Ransomware operators “rely on several types of third party providers to conduct attacks,” the report added.
These include penetration testing services, which ransomware operators regularly use to “probe potential victims’ networks for weaknesses.” These third-party providers also include exploit sellers, who “sell access to vulnerabilities in various types of software that ransomware operators and other cybercriminals can use to inject victims’ networks with malware.”
These third-party providers might also include Bulletproof hosting providers, who “provide web hosting customers can purchase anonymously and are generally lenient on the types of sites customers are allowed to host,” the report from Chainalysis added. It also mentioned that ransomware operators “often need web hosting to set up command-and-control (C2) domains, which allow hackers’ computers to send commands to victims’ machines infected with malware.”
The report continued:
“Similar to money laundering services, law enforcement could theoretically disrupt several ransomware strains if agents were able to identify and act against service providers ransomware operators rely on to carry out attacks.”
The report also noted that most of the ransomware funds move to digital currency exchanges. This activity is “relatively concentrated to just a few services — a group of just five receives 82% of all ransomware funds.”
The data from Chainalysis further reveals that ransomware money laundering is “even more concentrated at the deposit address level.” Only 199 deposit addresses “receive 80% of all funds sent by ransomware addresses in 2020” and “an even smaller group of 25 addresses accounts for 46%.”
After an extensive analysis, the report concluded that ransomware “makes up a relatively small percentage of all funds received by these deposit addresses.”
One particular deposit address “belongs to a nested service hosted at a large, international cryptocurrency exchange and has been active since August 3, 2020,” the report revealed. It added that “between that date and the end of 2020, it received over $63 million worth of Bitcoin in total.” As confirmed in the report, “most of it appears to be non-illicit activity — nearly half of those funds come from other mainstream exchanges, though a quarter comes from unknown services that may be identified as linked to criminal activity at a later date.”
But while the share might be relatively low, the address has “still received over $1 million worth of Bitcoin from ransomware addresses, as well as $2.4 million from multiple scams.”
The report also noted:
“Overall, criminal activity accounts for 10% of the address’ total cryptocurrency received.”