On January 27, 2021, the US Department of Justice (DOJ) revealed that there had been a significant disruption of the NetWalker ransomware strain. FBI agents assigned to the case had taken down a website that NetWalker attackers had allegedly used to communicate with unsuspecting victims.
FBI officials also managed to arrest one of the strain’s “most prolific affiliates” — a Canadian citizen named Sebastien Vachon-Desjardins — and seized almost $500,000 worth of virtual currency.
During that arrest, FBI agents found a list of 1,230 “previously unseen addresses” associated with NetWalker ransomware payments, which they reportedly shared with blockchain analysis firm Chainalysis.
The latest analysis of the addresses has found another $21 million worth of ransomware payments made by victims last year – which is a 6% increase “over the total ransomware estimates” that Chainalysis had reported in late January 2021.
The additional data from the takedown illustrates one of the main challenges in dealing with ransomware: effectively reporting and reliably sharing information, Chainalysis noted.
The blockchain firm added:
“Without increased reporting and improved information sharing, it is impossible to know the true scale and cost of ransomware, making it difficult for law enforcement to get the resources and data they need to tackle this growing problem.”
Chainalysis’ 2021 Crypto Crime Report notes that ransomware attacks increased dramatically last year. The research firm’s initial estimates from blockchain analysis “put the total amount extorted from victims at just under $350 million worth of cryptocurrency, which represents a 311% increase over 2019 totals.” But the discovery of these 1,230 new ransomware addresses “changes” that, Chainalysis revealed.
The addresses in question received around $21 million in victim payments last year, “bringing the year’s new ransomware revenue estimate to a total of just under $370 million,” the report added. It also mentioned that this “represents a 10% increase over our previous estimate, and a 336% increase over the 2019 total.”
That $21 million also “represents a 70% increase in 2020 ransomware victim payments to NetWalker specifically, bringing the strain’s total for that year to $51 million, and its all-time total since becoming active in August 2019 to just under $78 million,” Chainalysis’ report revealed.
Before the addition of victim payments from these new addresses, Chainalysis’ analysis found NetWalker was “the fourth-most prolific ransomware strain of 2020.” With the new addresses, it now “ranks second for the year behind Ryuk.”
Chainalysis noted that it will keep monitoring the situation and post an update if the new addresses are “definitively attributed” to NetWalker or to “any other strains.”
“The discovery of these new addresses is a perfect example of why we must always assume the true cost of ransomware is higher than any given calculation would indicate. Due to underreporting, it’s nearly impossible to know the true amount extorted from victims in any given time period, so all estimates must be treated as lower bounds of the true number.”
Chainalysis further noted that, whether or not victims pay, it’s “crucial” that more ransomware victims report such attacks to law enforcement. Chainalysis explained that this helps ensure that estimates like theirs are “more accurate,” and that giving ransomware attackers’ crypto addresses to authorities increases their chances of finding “actionable leads,” which may help them “disrupt the strain in question.”