Three-Quarters of Ransomware Payments Linked to Russia

Around three-quarters (74%) of ransomware revenue resulted from attacks associated with Russia in 2021, according to a new report by blockchain investigations and analytics company Chainalysis.

The researchers found that more than $400m worth of cryptocurrency went to ransomware strains “highly likely” to be affiliated with Russia in some way last year. These connections were made based on three criteria:

  1. The attack was conducted by the notorious Russian-based Evil Corp gang, whose leadership is believed to have ties to the Russian government.
  2. The ransomware strain avoided countries in the Commonwealth of Independent States (CIS), an intergovernmental organization of Russian-speaking, former Soviet countries. These ransomware strains contain code that prevents the encryption of files if it detects the victim’s operating system is located in a CIS country.
  3. Others characteristics that indicated the strain was based in Russia. These include strains that share documents and announcements in the Russian language or whose affiliates are located in Russia.

In addition, Chainalysis revealed that most of the extorted funds arising from ransomware attacks are laundered through services primarily catering to Russian users. For example, it estimated that 13% of funds sent from ransomware addresses to services went to users thought to be located in Russia. This is more than any other region.

The researchers also provided an analysis of several dozen cryptocurrency businesses operating in Moscow City, Russia’s financial district. They claimed these businesses are heavily involved in laundering digital currencies, with illicit and risky addresses accounting for between 29% and 48% of all funds they received in any given quarter.

In the three years from 2019-2021, these firms received nearly $700m from illicit and risky addresses. This was primarily comprised of scams ($313m) and darknet markets ($296m), with ransomware extortion payments making up $38m.

The researchers noted that illicit funds make up as much as 30% of all cryptocurrency received by some of these companies, “which suggests those businesses may be making a concerted effort to serve a cyber-criminal clientele.” Interestingly, over half of the cryptocurrency businesses analyzed reportedly operate in the same Moscow City skyscraper, Federation Tower.

The report acknowledged that Russian authorities arrested 14 affiliates of the REvil ransomware gang last month, suggesting that “change may be on the way for Russia’s cryptocurrency ecosystem.”

Chainalysis stated: “Regardless of what the future holds, it’s important to understand where things stand now: Russian cyber-criminal organizations are some of the biggest perpetrators of cryptocurrency-based crime – especially ransomware – and local cryptocurrency businesses provide money laundering services that enable this activity. 2021 saw positive momentum against this issue, from the seizure of funds from ransomware organization DarkSide to the sanctioning of Suex and Chatex.”

Last week, Chainalysis revealed it had observed the average ransomware payment size to have surged in recent years, from $25,000 in 2019 to $88,000 a year later and $118,000 in 2021.

What’s Hot on Infosecurity Magazine?