November 30, 2023
Ransomware continued to represent arguably the biggest headache for incident responders and blue teams in 2021, and the upcoming year will almost certainly continue in the same vein. Digital Shadows (now ReliaQuest) observed a persistent rise in the number of attacks committed, the ransom fees charged, and the number of groups joining an increasingly lucrative criminal business model. If you’re interested in the latest key events and metrics in the threat landscape, check our Q3 ransomware roll-up blog, and stay tuned for a future ShadowTalk episode detailing our predictions on ransomware activity for the coming year.
One key factor that enabled the escalation of ransomware activity in 2021 was the threat actors’ ability to obtain ransom payments from victims and launder them into usable currency. Money laundering refers to the process of taking large amounts of cash obtained from criminal activity and making it appear to have come from a legitimate source, or otherwise obfuscating where it was obtained. In other words, taking “dirty” money obtained through crime and making it clean. If you’re having trouble understanding exactly how this process works, we’ve got you covered; here’s the infamous explanation that Breaking Bad’s Saul Goodman gives to Jesse Pinkman about what money laundering is.
Whether you like it or not, money makes the world go round, and the primary motivation for ransomware continues to be the financial reward these attacks can produce. This blog will explore the methods used by ransomware groups—and of course other cybercriminals—to launder money and facilitate financial payments gained through illicit means.
We previously published a blog in May 2021 exploring the relationship between the cryptocurrency industry and ransomware. Cybercrime has long been synonymous with cryptocurrency. This decentralized technology serves multiple purposes in the cybercriminal world, including dark web transactions, extortion, money-laundering, and processing fraudulent payments. While Bitcoin remains the most popular cryptocurrency in general circulation, the cybercriminal community has since moved to alternate cryptocurrencies due to concerns surrounding anonymity. One of the core tenets of Bitcoin is that its public ledger, which stores all token transactions in its history, is visible to everyone; as you can imagine, this feature is not ideal for cybercriminals concerned about staying concealed from law enforcement. The price associated with Bitcoin is also increasingly volatile (including my own portfolio, which doesn’t look half as healthy as it should), which makes establishing a consistent ransom price increasingly difficult.
Many ransomware groups have moved to primarily use a Monero-based payment model due to its greater level of protection for its adopters; the requirement for privacy and anonymity was named as the most important aspect within Monero’s whitepaper. Monero—which is commonly referred to as a “privacy coin”, aiming to keep users’ identities and activities concealed—operates on its own blockchain, which hides virtually all transaction details. The identity of the sender and recipient, as well as the transaction amount itself, are disguised. While there are several additional privacy coins that are used for cybercriminal purposes—including Dash, ZCash, and Verge—Monero aligns perfectly as a medium for processing ransom payments.
Other than utilizing privacy coins, ransomware groups use a couple of tried-and-tested techniques to launder ransom fees. Cryptocurrency mixers or tumblers involve the use of a third-party service, whereby a service provider pools several users’ coin deposits (in return for a small fee) and holds the funds for an indeterminate period of time. The coins are then returned to the participants at a random time and in random amounts. This makes it much more difficult to trace the original transactions and obfuscates the users’ “dirty” funds. While this feature does assist in enabling anonymity, there is some risk for users of such services, in that the coins returned by cryptomixers could be tainted by other criminal activity that they may not wish to be associated with. This probably isn’t of concern to your average ransomware operator; however, it may represent a serious drawback for most users of this service.
Users of cryptomixers also need to consider that their IP address or cryptocurrency addresses may be logged by the third party, which could raise the risk of their personal and operational security being breached. The biggest risk from cryptomixers, however, appears to be from users simply getting scammed out of their payments. After all, these are career criminals; can you realistically trust their word? This sentiment is emphasized in the redacted thread detailed below, in which a user highlights a potentially fraudulent service to which they lost a payment.
CoinJoins are an additional strategy ransomware actors can employ in order to protect the privacy of their payments when conducting transactions. This requires multiple parties to sign a digital smart contract which mixes their coins in a new Bitcoin transaction, where the output of the transaction leaves the participants with the same number of coins, but the addresses have been mixed to make external tracking more difficult. It’s similar to cryptomixing but requires a large group of users to cooperate and act simultaneously, with the service typically conducted through dedicated services which require some coding expertise. CoinJoins also require a certain element of trust and legitimacy between users, which again, in this line of work can be found in short supply.
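As an added defender-side illustration of the CoinJoin pattern described above (example code, not from the original post): a blockchain-analytics heuristic that flags a transaction when several distinct input addresses are spent together and several outputs carry an identical value, the mixed denomination. The transaction records, addresses and amounts below are constructed.

```python
"""Flag CoinJoin-like transactions with the equal-output heuristic.

Assumes a simplified transaction record: a txid plus lists of
(address, satoshis) pairs for inputs and outputs. A real pipeline would
pull these from a node or explorer; here the records are constructed.
"""
from collections import Counter

# Minimum distinct input addresses and equal-valued outputs to raise a flag.
MIN_PARTICIPANTS = 3


def mixed_denomination(tx: dict):
    """Return the output value shared by >= MIN_PARTICIPANTS outputs, or None."""
    if not tx["outputs"]:
        return None
    value, count = Counter(v for _, v in tx["outputs"]).most_common(1)[0]
    return value if count >= MIN_PARTICIPANTS else None


def is_coinjoin_like(tx: dict) -> bool:
    """True when several parties' inputs are combined and several outputs
    share one value. This is a lead for investigation, not proof: an
    exchange batching equal payouts from several hot wallets looks the same."""
    distinct_inputs = {addr for addr, _ in tx["inputs"]}
    if len(distinct_inputs) < MIN_PARTICIPANTS:
        return False
    return mixed_denomination(tx) is not None


def flag_transactions(txs) -> list:
    """Return txids of transactions matching the heuristic."""
    return [tx["txid"] for tx in txs if is_coinjoin_like(tx)]


# Constructed samples (ids, addresses and amounts are made up; inputs and
# outputs balance, fees ignored).
SAMPLE_TXS = [
    {"txid": "tx-a",  # three payers, three equal outputs plus change
     "inputs": [("addr1", 120_000_000), ("addr2", 90_000_000), ("addr3", 150_000_000)],
     "outputs": [("o1", 50_000_000), ("o2", 50_000_000), ("o3", 50_000_000),
                 ("c1", 70_000_000), ("c2", 40_000_000), ("c3", 100_000_000)]},
    {"txid": "tx-b",  # one payer splitting funds: equal outputs, not a mix
     "inputs": [("addr4", 300_000_000)],
     "outputs": [("o4", 100_000_000), ("o5", 100_000_000), ("o6", 100_000_000)]},
    {"txid": "tx-c",  # several inputs but no repeated output value
     "inputs": [("addr5", 100_000_000), ("addr6", 200_000_000), ("addr7", 300_000_000)],
     "outputs": [("o7", 250_000_000), ("o8", 350_000_000)]},
]

if __name__ == "__main__":
    print(flag_transactions(SAMPLE_TXS))
```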
Another method commonly used by ransomware actors to enhance the anonymity of their transactions is cryptocurrency “chain hopping”. This process moves funds between different cryptocurrencies in rapid succession and reportedly helps shake off those who may wish to track the transactions. Threat actors may often use this technique in conjunction with several of the privacy coins we touched upon before. It’s debatable just how effective chain hopping is; the technique relies on the assumption that investigators can only track transactions within certain cryptocurrencies and are otherwise unable to track across multiple blockchains, yet reporting has shown that researchers can do exactly that. It’s difficult, but certainly appears within the realms of possibility for a law enforcement or intelligence agency.
The European Union Agency for Cybersecurity (ENISA) recently issued its annual cyber threat landscape report for 2021. One of the key takeaways covered money laundering services used by ransomware actors, identifying that only a small number of money launderers controlled the process for cleaning ransom payments across multiple ransomware groups. According to the report, 199 crypto addresses received 80% of all funds sent by ransomware addresses in 2020, and an even smaller group of 25 addresses accounted for approximately 46%. We briefly touched upon these findings in our previous blog on ENISA’s report; however, a couple of key points can be ascertained from them.
Beyond their geography, motivations, and techniques, ransomware groups are undoubtedly more intertwined than current research efforts have demonstrated; many operators have likely worked across multiple ransomware programs. A compromise of just a handful of money launderers could produce leads for law enforcement operations against multiple groups, which in turn could have a significant impact on the ransomware landscape as a whole. Law enforcement efforts in 2021 have made considerable gains in securing arrests, seizing ransom payments, and removing infrastructure associated with ransomware; this has not, however, produced a knockout blow that could put ransomware activity on the back foot. The best option for law enforcement in 2022 appears to be targeting the money launderers and financiers of this pernicious activity. When combined with policymaking advancements and international cooperation, this will likely yield the greatest results going forward.
Do you have a curiosity for the intricacies of the cybercriminal world? Do you have a passion for everything ongoing in the world of cyber threat intelligence? If so, Digital Shadows (now ReliaQuest) is the best place for you to keep abreast of the latest developments. Why not take a seven-day test drive of our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service, or sign up for a live demo?