Russian hackers profited the most from ransomware payments

About 74% of payments made from ransomware attacks in 2021 went towards Russia-linked hackers.
15 February 2022

Russian hackers are in the spotlight again as tension between Russia and Ukraine mounts. The two countries are on the brink of war as nations around the world, including the US and UK, voice their concerns over the matter.

Cyberwarfare is expected to be one of the methods Russia uses against Ukraine, with reports showing several Ukrainian sites already being targeted by Russian hackers. Last month, the FBI, CISA, and NSA released a joint Cybersecurity Advisory (CSA) that provided an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The CSA also provided detection actions, incident response guidance, and mitigations.

According to a report from Chainalysis, about 74% of ransomware payments made in 2021 went to Russia-linked hackers: more than US$400 million worth of cryptocurrency went to strains highly likely to be affiliated with Russia.

Russia has denied accusations that it harbors cybercriminals. However, the researchers also claim that a large amount of cryptocurrency-based money laundering goes through Russian crypto businesses.

The Chainalysis report showed that Conti was the biggest ransomware strain by revenue in 2021, extorting at least US$180 million from victims.

“Believed to be based in Russia, Conti operates using the ransomware-as-a-service (RaaS) model, meaning Conti’s operators allow affiliates to launch attacks using its ransomware program in exchange for a fee,” stated the report.

Apart from Conti, DarkSide ranked second in 2021 in funds extorted from victims, including from its attack on Colonial Pipeline, one of the year's most notable ransomware incidents. The report also stated that over the last few years, most ransomware strains have laundered their extorted funds by sending them to centralized exchanges.

“Some are in the high-risk category, meaning that they tend to have relaxed compliance procedures, but mostly to mainstream exchanges with more established compliance programs. We also see substantial funds sent to both mixers and addresses associated with other forms of illicit activity.”

Since 2020, 56% of funds sent from ransomware addresses have wound up at one of six cryptocurrency businesses:

  • Three large, international exchanges
  • One high-risk exchange based in Russia
  • Two mixing services

At the same time, ransomware strains have also evolved and been rebranded over time. For example, Evil Corp, a Russia-based cybercriminal gang behind several ransomware attacks in recent years, has launched several rebranded strains throughout its history. Evil Corp, whose leaders are suspected of having ties to the Russian government, has been under United States sanctions since December 2019.

Russian hackers are not the only problem

While there are greater concerns over Russian hackers and their capability to wreak havoc on organizations, they are not the only concern for most governments. Chainalysis reported that cybersecurity analysts at CrowdStrike and Microsoft have concluded that many attacks by ransomware strains affiliated with Iran, mostly targeting organizations in the U.S., the E.U., and Israel, are geared more toward causing disruption or serving as a ruse to conceal espionage activity.

Other analysts have previously identified strains affiliated with China, such as ColdLock, carrying out similar geopolitically motivated attacks on Taiwanese organizations.

As such, Chainalysis believes ransomware is a useful cover for strategic denial and deception against enemy states because attacks can be carried out cheaply. It also gives the attacking nation some measure of plausible deniability, as it can always claim the attack was carried out by ordinary cybercriminals or another nation-state. But even ransomware attacks carried out for non-financial reasons leave a trail on the blockchain.

“For that reason, agencies focused on national security must understand how to trace funds using blockchain analysis, as this is the key to identifying the individuals involved in the attacks themselves, the tools they use, and how they launder any funds obtained from victims,” the Chainalysis team stated.
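The tracing the report refers to works, in its simplest form, by following value from known ransom-payment addresses through later transactions and recording where it comes to rest: at a mainstream exchange, a high-risk exchange, a mixer, or an address nobody has attributed yet. The block below is an added illustration written for this page, not Chainalysis's code or methodology. It runs a pro-rata ("haircut") taint tracer over a small UTXO-style ledger constructed for the example, using hypothetical address labels in place of the attribution data a real analysis would rely on; the address names, amounts and labels are all invented.

```python
"""Toy pro-rata fund-flow tracer over a constructed UTXO-style ledger.

Added example, not from the original article or from Chainalysis.
All addresses, amounts and entity labels below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((address, amount), ...) spent by this transaction
    outputs: tuple  # ((address, amount), ...) created by this transaction


# Seeds: addresses a victim paid a ransom to (hypothetical). Anything
# arriving here is treated as 100% tainted regardless of where it came from.
SEED_ADDRESSES = {"rw_pay1", "rw_pay2"}

# Hypothetical attribution data standing in for real exchange/mixer labels.
ENTITY_LABELS = {
    "ex_large1": "mainstream exchange",
    "hr_exchange_ru": "high-risk exchange",
    "mix_svc": "mixing service",
}

# Constructed ledger, already in chronological order.
LEDGER = (
    Tx("t1", (("victim_a", 10.0),), (("rw_pay1", 10.0),)),          # ransom paid
    Tx("t2", (("victim_b", 5.0),), (("rw_pay2", 5.0),)),            # ransom paid
    Tx("t3", (("rw_pay1", 10.0), ("rw_pay2", 5.0)),                 # consolidate
        (("hop1", 12.0), ("hop2", 3.0))),
    Tx("t4", (("hop1", 12.0), ("clean_x", 4.0)),                    # mix with clean coins
        (("ex_large1", 8.0), ("hop3", 8.0))),
    Tx("t5", (("hop3", 8.0),), (("mix_svc", 6.0), ("cold_wallet", 2.0))),
    Tx("t6", (("hop2", 3.0),), (("hr_exchange_ru", 3.0),)),
)


def trace_taint(ledger, seeds):
    """Propagate taint pro rata through every transaction.

    Each address carries a known balance and the tainted share of it. When an
    input is spent, it carries out the same tainted fraction its address holds;
    outputs then receive the transaction's overall tainted fraction. Inputs
    with no known balance (e.g. the victims' wallets, or coins we never saw
    arrive) are treated as clean, which understates rather than overstates.
    Returns (tainted_by_address, total_value_seeded).
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    seeded = 0.0
    for tx in ledger:
        in_total = sum(amt for _, amt in tx.inputs)
        taint_in = 0.0
        for addr, amt in tx.inputs:
            if balance[addr] > 0:
                spent_taint = min(tainted[addr], amt * tainted[addr] / balance[addr])
            else:
                spent_taint = 0.0  # unknown provenance: assume clean
            taint_in += spent_taint
            balance[addr] = max(0.0, balance[addr] - amt)
            tainted[addr] = max(0.0, tainted[addr] - spent_taint)
        frac = taint_in / in_total if in_total else 0.0  # fee eats its share too
        for addr, amt in tx.outputs:
            balance[addr] += amt
            if addr in seeds:
                tainted[addr] += amt
                seeded += amt
            else:
                tainted[addr] += amt * frac
    return dict(tainted), seeded


def tally_by_entity(tainted, labels):
    """Sum resting tainted value per labelled entity (or 'unattributed')."""
    by_entity = defaultdict(float)
    for addr, value in tainted.items():
        if value > 0:
            by_entity[labels.get(addr, "unattributed")] += value
    return dict(by_entity)


def share_at_known_businesses(tainted, labels, seeded):
    """Fraction of seeded ransom value that ended at a labelled business."""
    at_business = sum(v for a, v in tainted.items() if a in labels)
    return at_business / seeded if seeded else 0.0


if __name__ == "__main__":
    tainted, seeded = trace_taint(LEDGER, SEED_ADDRESSES)
    for entity, value in sorted(tally_by_entity(tainted, ENTITY_LABELS).items()):
        print(f"{entity:22s} {value:6.2f}")
    print(f"share at labelled businesses: {share_at_known_businesses(tainted, ENTITY_LABELS, seeded):.0%}")
```

Pro-rata apportioning is only one of several taint heuristics (FIFO and "poison" rules give different answers on the same ledger), and a real investigation also has to cluster addresses into wallets before labelling them; the toy above assumes that clustering and labelling has already been done. The point it does show is the one in the quote: once a payment address is known, every later hop is computable from public data, and the question becomes which counterparties the value reaches.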