Almost $1.3bn Paid to Ransomware Actors Since 2020

Cryptocurrency experts have identified $602m of ransomware payments made in 2021, but warned the real figure will likely surpass the $692m paid to cybercrime groups in 2020.

The findings come from the Ransomware Crypto Crime Report produced by blockchain investigations and analytics company Chainalysis. It reveals some fascinating insight into current industry trends.

Average payment size has soared over recent years, from $25,000 in 2019 to $88,000 a year later and $118,000 in 2021. That’s due in part to a surge in targeted attacks on major organizations, known as “big-game hunting,” which can net threat actors tens of millions in a single compromise.

“This big-game hunting strategy is enabled in part by ransomware attackers’ usage of tools provided by third-party providers to make their attacks more effective,” the report explained. “Usage of these services by ransomware operators spiked to its highest ever levels in 2021.”

Chainalysis observed the share of ransomware funds being transferred to third parties jumping from just 6% in 2020 to 16% last year. These third parties may be initial access brokers, providers of stolen data such as remote desktop protocol (RDP) log-ins, or underground businesses running bulletproof hosting operations and proxy services.

Conti was by far the most successful group in 2021 in terms of revenue, extorting at least $180m from victims. However, such groups have an increasingly short lifespan, as they rebrand frequently to avoid sanctions and throw law enforcement off the scent, the report explained.

Chainalysis claimed the average lifespan for new variants is around two months. Thus, although 140 strains took payments in 2021, up from 119 in 2020, the number of core ransomware developers may not actually be increasing.

By tracking these groups’ cryptocurrency transaction histories, Chainalysis was able to link many of them together. For example, Hades, WastedLocker, DoppelPaymer, Phoenix and Macaw Locker all sent funds to the same group of intermediary wallets, linked to Evil Corp.

The good news is that if the market is smaller than first thought, it may be easier to disrupt. On the same note, over half (56%) of funds tracked in 2020 and 2021 were sent to just six cryptocurrency businesses.

“That’s good news, as it means the strategy for fighting ransomware is likely simpler than it appears at first glance,” noted the report.

“By cracking down on the small number of services that facilitate this money laundering activity, law enforcement can significantly reduce attackers’ options for cashing out, reducing the financial incentive to carry out ransomware attacks and hampering ransomware organizations’ ability to operate.”

Cryptocurrency experts have identified $602m of ransomware payments made in 2021, but warned the real figure will likely surpass the $692m paid to cybercrime groups in 2020.

The findings come from the Ransomware Crypto Crime Report produced by blockchain investigations and analytics company Chainalysis. It reveals some fascinating insight into current industry trends.

Average payment size has soared over recent years, from $25,000 in 2019 to $88,000 a year later and $118,000 in 2021. That’s due in part to a surge in targeted attacks on major organizations, known as “big-game hunting,” which can net threat actors tens of millions in a single compromise.

“This big-game hunting strategy is enabled in part by ransomware attackers’ usage of tools provided by third-party providers to make their attacks more effective,” the report explained. “Usage of these services by ransomware operators spiked to its highest ever levels in 2021.”

Chainalysis observed the share of ransomware funds being transferred to third parties jumping from just 6% in 2020 to 16% last year. These third parties may be initial access brokers, providers of stolen data such as remote desktop protocol (RDP) log-ins, or underground businesses running bulletproof hosting operations and proxy services.

Conti was by far the most successful group in 2021 in terms of revenue, extorting at least $180m from victims. However, such groups have an increasingly short lifespan, as they rebrand frequently to avoid sanctions and throw law enforcement off the scent, the report explained.

Chainalysis claimed the average lifespan for new variants is around two months. Thus, although 140 strains took payments in 2021, up from 119 in 2020, the number of core ransomware developers may not actually be increasing.

By tracking these groups’ cryptocurrency transaction histories, Chainalysis was able to link many of them together. For example, Hades, WastedLocker, DoppelPaymer, Phoenix and Macaw Locker all sent funds to the same group of intermediary wallets, linked to Evil Corp.

The good news is that if the market is smaller than first thought, it may be easier to disrupt. On the same note, over half (56%) of funds tracked in 2020 and 2021 were sent to just six cryptocurrency businesses.

“That’s good news, as it means the strategy for fighting ransomware is likely simpler than it appears at first glance,” noted the report.

“By cracking down on the small number of services that facilitate this money laundering activity, law enforcement can significantly reduce attackers’ options for cashing out, reducing the financial incentive to carry out ransomware attacks and hampering ransomware organizations’ ability to operate.”

Another interesting feature of the current ransomware market is state-sponsored activity, which uses attacks for geopolitical and financial ends. Iran was out in front, linked to 21 such groups, followed by Russia (16), China (4) and North Korean (2).

In the case of China and Russia the goals are many geopolitical, whilst Iranian and North Korean state hackers are often seeking to enrich the state.

What’s Hot on Infosecurity Magazine?