Threat actors are increasingly using advanced tactics to obfuscate and launder their illicit gains, a report by the US Government finds
As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants alone, according to a report by the Financial Crimes Enforcement Network (FinCEN) of the United States Department of the Treasury.
The report also looked at ransomware-related Suspicious Activity Reports (SARs), i.e. reports made by financial institutions about suspected ransomware payments, in the first half of this year. “The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million),” said the agency. Not surprisingly, the analysis found that ransomware is an increasing threat to the government, businesses, and the public.
The mean average total amount of suspicious transactions related to ransomware was US$66 million monthly; meanwhile, the median average was US$45 million per month. According to data obtained from these transactions, Bitcoin was the cybercriminals’ preferred payment method. It’s not the only one, however, as FinCEN noted that criminals increasingly demand ransom payments in Monero, an anonymity-enhanced cryptocurrency (AEC).
In total, 17 ransomware-related SARs involved ransom demands in Monero. In some cases, the cybercriminals provided both a Bitcoin and Monero address, however, they demanded an additional fee if the payment was made using Bitcoin. In other cases, the attackers would initially demand ransom fees solely in Monero, but accepted Bitcoin after some negotiation.
Cybercriminals utilize various money-laundering tactics, including increasingly demanding payments in privacy-oriented cryptocurrencies, avoiding reusing wallet addresses for new attacks, and laundering the proceeds from each ransomware attack separately. The report also found that foreign centralized Convertible Virtual Currency (CVC) exchanges are the preferred way for attackers to cash out their ill-gotten gains.
To obscure the provenance of the digital coins, cybercriminals also use “chain hopping”, a procedure that involves exchanging one CVC for another at least once before they transfer their earnings entirely to other services. 2021 has also seen a rise in the use of mixing services – platforms that are used to hide or obscure the origin or owner of the CVC. Interestingly, FinCEN observed that the use of mixer services varies depending on the ransomware variant.
Illicit gains from ransomware are also laundered through decentralized exchanges and various other decentralized finance applications, by payments being converted to other forms of CVCs.
“Some Defi applications allow for automated peer-to-peer transactions without the need for an account or custodial relationship. FinCEN analysis of transactions on the BTC blockchain identified ransomware-related funds sent indirectly to addresses associated with open protocols for use on DeFi applications,” FinCEN said when describing the process.