Saturday, July 20, 2024

$400 million of ransomware revenue went to Russia-linked groups in 2021

Blockchain analysis shows that funds paid in extortion are laundered through services primarily catering to Russian users.

Recently published research by Chainalysis shows that a staggering 74% of all ransomware revenue went to threat actors affiliated with Russia last year.

In other words, around $400 million worth of cryptocurrency ended up filling the pockets of cyber criminals connected to Russia in some form.

Unsurprisingly, researchers claim that Moscow’s financial district plays a critical role in soliciting money laundering activities for cybercriminals.

How do they know?

Researchers tie specific ransomware strains to Russia based on several criteria. One of the most obvious criteria is affiliations with EvilCorp, a Russia-based gang of cybercriminals with suspected ties to the Russian government.

Another indication of links to Russia is restraint from attacking countries that belong to the Commonwealth of Independent States (CIS), a block that unites nine former members of the Soviet Union.

“Many ransomware strains contain code that prevents the encryption of files if it detects the victim’s operating system is located in a CIS country,” reads the report.

In other cases, cybercriminals provided CIS-based organizations with decryptors instead of taking the ransom.

The third indicator of Russian affiliation is the language of a ransomware strain, location-specific settings, and other indicators linking beneficiary groups to Russia.

Three quarters

According to the researchers, blockchain analysis combined with web traffic data points to ransom revenue going to Russian users.

“Overall, roughly 74% of ransomware revenue in 2021 — over $400 million worth of cryptocurrency — went to strains we can say are highly likely to be affiliated with Russia in some way,” Chainalysis researchers claim.

Recommended:  5 British businesses were penalised for making 500,000 unwanted calls

26.4% of ransomware revenue is affiliated to Russia by CIS-avoiding criteria, while 9.9% went to EvilCorp, and 36.4% are affiliated via other Russian connections.

It is estimated that 13% of total ransomware revenue went to users directly in Russia, more than any other region.

Moscow City

An analysis of cryptocurrency businesses based in Moscow’s financial district, also known as Moscow City, points to companies partaking in money laundering activities.

According to Chainalysis, these businesses receive hundreds of millions of dollars worth of cryptocurrency per quarter, with totals peaking at nearly $1.2 billion in the second quarter of 2021.

It is estimated that illicit and risky addresses make up between 29% and 48% of all funds received by Moscow City crypto businesses.

“In total, across the three-year period studied, these businesses have received nearly $700 million worth of cryptocurrency from illicit addresses, which represents 13% of all value they’ve received in that time,” reads the report.

The majority of the illicit funds in Moscow City, $313 million, are linked to scams, while an additional $296 are attributed to darknet markets. Ransomware is estimated to add another $38 million to the mix.

The report claims that while some Moscow City-based crypto businesses are large enough to ‘miss’ the illicit funds due to large overall revenues, others can hardly be given the benefit of the doubt.

“But for other Moscow City cryptocurrency businesses, illicit funds make up as much as 30% or more of all cryptocurrency received, which suggests those businesses may be making a concerted effort to serve a cybercriminal clientele,” reads the report.

Moscow City towers. Image by Nikita Karimov,

It’s worth noting that more than half of crypto businesses suspected to be compliant in money laundering activities are based in the same building – the Federation Tower.

Recommended:  US Offers $10M Reward For Information Linking Clop To Foreign Government

Golden age

Cyberattacks are increasing in scale, sophistication, and scope. The last 18 months were ripe with major high-profile cyberattacks, such as the SolarWinds hack, attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya.

Pundits talk of a ransomware gold rush, with the number of attacks increasing over 90% in the first half of 2021 alone.

The prevalence of ransomware has forced governments to take multilateral action against the threat. It’s likely a combined effort allowed to push the infamous REvil and BlackMatter cartels offline and arrest the Cl0p ransomware cartel members.

Recent arrests of Revil ransomware affiliates in Russia caused shockwaves in the criminal underground. The arrests made many threat actors uneasy since many felt local authorities would turn a blind eye if victims of ransomware attacks were outside Russia.

A recent report by Digital Shadows’ Photon Research Team shows concerns about possible arrests and confiscation of property became a lot more common.

Gangs, however, either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group with a whopping list of 203 victims in Q3 of 2021 alone.

You may also enjoy reading, CVEs You May Have Missed While Log4J Stole The Headlines

Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Recommended:  16M COVID-19 Patients’ Records Exposed Online via Brazil’s Health Ministry
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates