A United States-based blockchain intelligence firm, Chainalysis, has reported in a webinar held on 30th May that almost 64% of ransomware attackers cash out using cryptocurrency exchanges.
Chainalysis is a blockchain analytics and intelligence company that provides governments, firms and law enforcement with information to monitor illegal transactions on the blockchain. The firm has identified more than 52,000 victims of ransomware attacks between 2015 and 2019. The Chainalysis report identifies 38 exchanges, without naming them explicitly, that have had connections with accounts of these ransomware attackers. The report also highlights that ransomware attacks involve less complex cash-out networks than crypto exchange hacks. This is because a crypto exchange hack moves large sums of money and, because of the ensuing media publicity, the hackers need to conceal the flow of the funds. In a previous report, the firm states:
In recent years, ransomware perpetrators have become more sophisticated, resulting in a more targeted approach and higher costs for individual victims. The average amount sent to ransomware addresses increased by more than tenfold between 2015 and 2019.
In addition to cash-out strategies, the webinar also discussed the shift in the threat level of ransomware attacks. The trend of these attacks has changed: recent ransomware attacks are more targeted, going after politically and legally sensitive data that is then leveraged for ransom. Previously, the attacks were shallower, meaning they were aimed at a large number of victims, each of whom was then asked for a ransom to decrypt their files.
A recent Global Ransomware Marketplace report by Coveware also revealed that more than 98% of ransom payments were made in bitcoin and only 2% in other cryptocurrencies.
What is a Ransomware Attack?
A ransomware attack uses malware that infects the target's system and steals or conceals the target's information. The attacker then demands a ransom in exchange for the sensitive information, or in exchange for a decryption tool used to recover the encrypted data. The anonymity of cryptocurrency has recently made it the primary payment choice for ransomware. Chainalysis has been using proprietary heuristics to gain insight into ransomware attackers and to track their methods and their funds.
Chainalysis's report on ransomware reveals that almost all of the attackers fall into two categories: organized criminal groups and state actors. Organized ransomware groups use spam kits to spread malware to people's computers and affect hundreds of thousands of people in a single attack. These groups operate as a network, which makes the operation more successful. The other category is state actors from heavily sanctioned countries, which use ransomware to generate funds and also to create unrest. NotPetya was one such malware, spread by the GRU, an intelligence arm of the Russian military. The malware was directed at Ukrainians to destabilize the region and cause geopolitical disruption.
Other Cash-Out Techniques Used by Hackers
The webinar also made the point that exchanges are not the only cash-out strategy these attackers have. According to Chainalysis data, around 12% of attackers cashed out using mixing services. A mixing service is a technique for mixing cryptocurrency with other funds so that the trail of the cryptocurrency becomes unclear. 9% of the attackers used peer-to-peer networks to cash out the ransom, while the rest spent the tokens on the black market and the dark web via merchant service providers. The report also claims that more than 9% of the ransomware funds remain unspent.