Ransomware gangs made at least $350 million in ransom payments last year, in 2020, blockchain analysis firm Chainalysis said in a report last week.
The figure was compiled by tracking transactions to blockchain addresses linked to ransomware attacks.
Although Chainalysis possesses one of the most complete sets of data on cryptocurrency-related cybercrime, the company said its estimate was only a lower bound of the true total due.
The company blamed this on the fact that not all victims disclosed their ransomware attacks and subsequent payments last year, with the real total being many times larger than what the company was able to view.
Ransomware was 7% of all cryptocurrency-based crime
But despite the low figure, Chainalysis says that ransomware was actually on the rise.
According to numbers released in a previous report, ransomware payments accounted for 7% of all funds received by “criminal” cryptocurrency addresses in 2020.
The number rose 311% compared to 2019, Chainalysis said, blaming this sudden increase on “a number of new strains taking in large sums from victims” and “a few pre-existing strains drastically increasing earnings.”
Based on the company’s data, among last year’s top earners, there were groups like Ryuk, Maze (now-defunct), Doppelpaymer, Netwalker (disrupted by authorities), Conti, and REvil (aka Sodinokibi).
Nonetheless, other strains like Snatch, Defray777 (RansomExx), and Dharma, also pulled profits estimated in the range of millions of US dollars.
Chainalysis said that based on how victims paid their ransoms, and how certain RaaS profits spiked and fell, there is also evidence to suggest that the ransomware scene is also formed of far fewer threat actors than initially believed, with many of these groups constantly switching from one RaaS (ransomware-as-a-service) to another as they’re lured by better deals.
Few exit points open the door for law enforcement disruption
Furthermore, Chainalysis said it also tracked how crooks moved the ransom payments through the blockchain.
Their findings weren’t too different from previous years, noting that criminals usually laundered funds through “Bitcoin mixing” services and then sent the funds to both legitimate and high-risk cryptocurrency exchange portals to convert the funds into fiat, real-world currency.
But the Chainalysis team also confirmed a report from Advance Intelligence published last month that found out that ransomware gangs often use these same funds to pay for other cybercrime services.
Chainalysis says it, too, saw payments being made to bulletproof hosting providers, exploit sellers, and penetration testing services (also known as initial access brokers), as ransomware operations dealt with their “suppliers.”
However, the primary finding of this report was that many of these cybercrime operations, and not only ransomware, often reused the same intermediary money laundering services.
“Instances of overlap in money laundering services is important information for law enforcement, as it suggests they can disrupt the activity of multiple strains — in particular, their ability to liquidate and spend the cryptocurrency — by taking one money laundering operation offline,” the Chainalysis team said.
Furthermore, the same tactic could be applied to crypto-exchanges, the points where most of the ransomed funds exit the blockchain.
Chainalysis said that a group of only five exchange portals received 82% of all ransomware funds in 2020, exchanges where law enforcement could apply pressure in the future to disrupt the crucial cash flow of ransomware operations.