
How cryptocurrency is part of the ransomware solution
Ransomware exploded in 2020 and shows no signs of slowing down in 2021.
Based on our analysis of blockchain data, ransomware victims paid over $416 million worth of cryptocurrency to attackers in 2020, more than quadrupling 2019 totals. As of July 2021, we know that ransomware attackers have taken in at least $210 million worth of cryptocurrency from victims. And the true cost of ransoms is likely much higher given underreporting for such crimes, not to mention the cost of rebuilding after attacks.
I've been getting a lot of questions recently about the damage that ransomware is doing to cryptocurrency's reputation. After all, it is the preferred payment rail for these extortionists who threaten everything from our critical infrastructure to small businesses. Shouldn't we just ban crypto?
The answer is no. Cryptocurrency is actually instrumental in fighting ransomware.
Let me explain.
First, the act of threatening and extorting others for illicit gain is not new. In fact, ransomware existed before cryptocurrency. What has emerged more recently is that ransomware organizations function on a Ransomware as a Service model (RaaS), in which attackers known as affiliates "rent" usage of a particular ransomware strain from its creators or administrators, who in exchange get a cut of the money from each successful attack affiliates carry out. These organizations also depend on illicit third-party services that can help cybercriminals carry out larger, more effective attacks. These tools, many of which are available on darknet markets, include:
- Infrastructure as a Service providers such as bulletproof web-hosting, domain registration services, botnets, proxy services and email services to carry out attacks.
- Hacking tools and access providers to gain access to victims who have already been compromised.
- Fraud shops that sell stolen data, including passwords and personally identifying information for many individuals, and even compromised credentials used to gain access to a victim's network.
- Post-attack services such as underground call centers to call victims directly.
Because ransomware organizations have become more sophisticated with RaaS models and a supply chain of enablers, they're able to more effectively target larger victims and command higher ransoms.
Chainalysis data shows the average known ransomware payment has more than quadrupled from $12,000 in Q4 2019 to $54,000 in Q1 2021. News stories have also highlighted much larger outlier ransoms, such as the $50 million ransom payment that REvil demanded from computer parts manufacturer Acer earlier this year, though it's unclear if Acer paid.
Prior to 2020, illicit third-party services rarely accounted for more than 3% of funds sent from ransomware addresses. Since then, they've accounted for as much as 9% of spending.
Keep in mind too that from 2020 on, the raw total of funds sent from ransomware addresses has increased significantly, meaning these figures represent substantial increases in dollars spent on illicit services by ransomware attackers.
Blockchain analysis reveals that these illicit service providers have become the connective tissue of the ransomware ecosystem. In the network chart below, for instance, we show how different types of providers in the aggregate connect many of the most prolific ransomware strains based on cryptocurrency transaction history.
Red bubbles represent individual ransomware strains, while orange bubbles represent aggregated groups of services in the labeled category.
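The two measurements described above, the share of a strain's outflows going to illicit third-party services and the strain-to-service links that make those services the connective tissue of the chart, can be reproduced on a small scale. This is an added example, not Chainalysis code or data: it assumes the attribution step has already been done, so every address carries a constructed "category:name" label, and the amounts are invented.

```python
"""Added example (not from the post): a toy blockchain-analysis pass over
constructed, pre-labelled transactions between ransomware strains and services."""
from collections import defaultdict

# Constructed sample: (sender label, receiver label, amount in USD).
# Labels stand in for the attribution a chain-analysis tool would supply.
TXS = [
    ("strain:Alpha", "exchange:X", 400_000),
    ("strain:Alpha", "hosting:BP-Host", 20_000),
    ("strain:Alpha", "accessprovider:Broker1", 25_000),
    ("strain:Beta", "exchange:Y", 300_000),
    ("strain:Beta", "hosting:BP-Host", 15_000),
    ("strain:Gamma", "mixer:M", 100_000),
    ("strain:Gamma", "accessprovider:Broker1", 10_000),
]

# Service categories the post lists as illicit enablers (hypothetical names).
ILLICIT_CATEGORIES = {"hosting", "accessprovider", "fraudshop", "callcenter"}

def category(label):
    return label.split(":", 1)[0]

def illicit_service_share(txs):
    """Fraction of each strain's total outflow that went to illicit services."""
    total = defaultdict(float)
    illicit = defaultdict(float)
    for src, dst, amt in txs:
        if category(src) != "strain":
            continue
        total[src] += amt
        if category(dst) in ILLICIT_CATEGORIES:
            illicit[src] += amt
    return {s: illicit[s] / total[s] for s in total}

def shared_services(txs):
    """Illicit services paid by more than one strain: the links that connect
    otherwise unrelated strains in the post's network chart."""
    users = defaultdict(set)
    for src, dst, _ in txs:
        if category(src) == "strain" and category(dst) in ILLICIT_CATEGORIES:
            users[dst].add(src)
    return {svc: sorted(s) for svc, s in users.items() if len(s) > 1}

if __name__ == "__main__":
    for strain, share in sorted(illicit_service_share(TXS).items()):
        print(f"{strain}: {share:.1%} of outflow to illicit services")
    for svc, strains in shared_services(TXS).items():
        print(f"{svc} links {', '.join(strains)}")
```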
The key to tackling ransomware is disrupting the ransomware supply chain — developers, affiliates, infrastructure services providers, launderers and cashout points — and the blockchain is the only data source that ties these actors together.
So while it may seem counterintuitive at first, ransomware groups' use of cryptocurrency for ransom payments is actually beneficial to ransomware investigations. Cryptocurrency blockchains are transparent, and with the right tools, law enforcement can follow the money on the blockchain to better understand and disrupt an organization's operations and supply chain.
This is a proven successful approach, as we saw in January's takedown of NetWalker. NetWalker was a prolific ransomware operation that impacted at least 305 victims from 27 different countries, earning $78 million, and is now defunct. The NetWalker action included charges against a Canadian national in relation to NetWalker ransomware attacks in which tens of millions of dollars were allegedly obtained, the seizure of cryptocurrency from ransom payments, and the disablement of a dark web hidden resource used to communicate with NetWalker ransomware victims. Chainalysis investigative tools helped law enforcement track down ransomware funds.
This example also demonstrates that the ransomware supply chain is global. While many ransomware actors and facilitators operate out of countries like Russia, where they hope to avoid prosecution, international efforts to share information on this supply chain can lead to arrests in more cooperative jurisdictions.
A shift away from cryptocurrency to less transparent options could make investigating ransomware — and shutting down these operations — more difficult. Over the years, we have seen the preferred payment methods for ransomware ransoms evolve from wire services like Western Union to prepaid gift cards, and more recently to cryptocurrency. The good news is that cryptocurrency is far more transparent than most other forms of value transfer.
In summary, it is important to remember that analysis of the blockchain permits law enforcement to trace in real time how these actors are monetizing ransomware. Armed with this knowledge, authorities can apply pressure on the key nodes identified at the crypto-to-fiat off-ramps. This makes it far more challenging for criminals to liquidate their illicit gains, which is their primary goal, and helps prevent future participation and recruitment.
Further, the transparency and persistence of the blockchain provides unique insights into the larger infrastructure supporting ransomware. Mapping how these actors interact, how crypto moves between affiliates and ransomware administrators, and what service providers support the various aspects of the ransomware supply chain provides valuable and actionable intelligence for both enforcement and prevention. Even a single payment history or transaction could be the data point needed to uncover, target, stop and dismantle an entire ransomware campaign.
There is no silver bullet solution to ransomware, and it is important to enact a mix of meaningful policies and enforcement actions to deter, detect and disrupt these bad actors. But one proven tactic is to disrupt the global ransomware supply chain, using the blockchain as the transparent and immutable source of truth.