Ransomware continued to represent arguably the biggest headache for incident responders and blue teams in 2021, and the upcoming year will almost certainly continue in the same vein. Digital Shadows (now ReliaQuest) observed a persistent rise in both the numbers of attacks being committed, price of ransom fee being charged, and the numbers of groups joining an increasingly lucrative criminal business model. If you’re interested about the latest key events and metrics in the threat landscape, check our Q3 ransomware roll up blog, and stay tuned for a future ShadowTalk episode detailing our predictions on ransomware activity for the coming year.
One key factor that enabled the escalation of ransomware activity in 2021 was the threat actors’ ability to obtain ransom payments from victims and launder them into usable currency. Money laundering refers to the process of changing large amounts of cash obtained from criminal activity and making it appear to have come from a legitimate source, or otherwise obfuscating where it has been obtained. In other words, turning “dirty” money solicited through crime and making it clean. If you’re having trouble understanding exactly how this process works, we’ve got you covered; here’s the infamous explanation that Breaking Bad’s Saul Goodman gives to Jesse Pinkman about what money laundering is.
Whether you like it or not, money makes the world go round, and the primary motivation for ransomware continues to be the financial reward these attacks can produce. This blog will explore the methods used by ransomware groups—and of course other cybercriminals—to launder money and facilitate financial payments gained through illicit means.
Cybercriminal activity and Privacy Coins
We previously published a blog in May 2021 exploring the relationship between the cryptocurrency industry and ransomware. Cybercrime has long been synonymous with cryptocurrency. This decentralized technology serves multiple purposes in the cybercriminal world, including dark web transactions, extortion, money-laundering, and processing fraudulent payments. While Bitcoin remains the most popular cryptocurrency in general circulation, the cybercriminal community has since moved to alternate cryptocurrencies due to concerns surrounding anonymity. One of the core tenets of Bitcoin is that its public ledger, which stores all token transactions in its history, is visible to everyone; as you can imagine, this feature is not ideal for cybercriminals concerned about staying concealed from law enforcement. The price associated with Bitcoin is also increasingly volatile (including my own portfolio, which doesn’t look half as healthy as it should), which makes establishing a consistent ransom price increasingly difficult.
Many ransomware groups have moved to primarily use a Monero-based payment model due to its greater level of protection for its adopters; the requirement for privacy and anonymity were named as the most important aspect within Monero’s whitepaper. Monero—which is commonly referred to as a “privacy coin”, aiming to keep users’ identities and activities concealed—operates on its own blockchain, which hides virtually all transaction details. The identity of the sender and recipient, as well as the transaction amount itself, are disguised. While there are several additional privacy coins that are used for cybercriminal purposes—including Dash, ZCash, and Verge—Monero aligns perfectly as a medium for processing ransom payments.
Cryptomixing and CoinJoins
Other than utilizing privacy coins, ransomware groups use a couple of tried-and-tested techniques to launder ransom fees. Cryptocurrency mixers or tumblers involve the use of a third-party service, whereby a service provider pools several users coin deposits (in return for a small fee) and holds the funds for an indeterminate period of time. The coins are then returned to the participants at a random time and at random values. This makes it much more difficult to trace the original transactions and obfuscates the users’ “dirty” funds. While this feature does assist in enabling anonymity, there is some risk for users of such services, in that the coins returned by cryptomixers could be tainted alongside other criminal activity that they may not wish to be associated with. This probably isn’t of concern to your average ransomware operator, however, it may represent a serious drawback for most users of this service.
Users of cryptomixers also need to consider that their IP address or cryptocurrency addresses may be logged by the third party, which could raise the risk of their personal and operational security being breached. The biggest risk from cryptomixers however appears to be from users simply getting scammed out of their payments. Afterall, these are career criminals, can you realistically trust their word? This sentiment is emphasized in the redacted thread detailed below, in which a user highlights a potentially fraudulent service to which they lost a payment.
CoinJoins are an additional strategy ransomware actors can employ in order to protect the privacy of their payments when conducting transactions. This requires multiple parties to sign a digital smart contract which mixes their coins in a new Bitcoin transaction, where the output of the transaction leaves the participants with the same number of coins, but the addresses have been mixed to make external tracking more difficult. It’s similar to cryptomixing but requires a large group of users to cooperate and act simultaneously, with the service typically conducted through dedicated services which require some coding expertise. CoinJoins also require a certain element of trust and legitimacy between users, which again, in this line of work can be found in short supply.
Cryptocurrency chain hopping
Another method commonly used by ransomware actors to enhance the anonymity of their transactions is to use cryptocurrency “chain hopping”. This process moves different cryptocurrencies in rapid succession and reportedly assists in losing attention from those who may wish to track transactions. Threat actors may often use this service in conjunction with several of the privacy coins we touched upon before. It’s debatable just how effective chain hopping is; using this technique relies on the assumption that investigators can only track transactions within certain cryptocurrencies and are otherwise unable to track across multiple blockchains; reporting has identified that researchers can achieve that. It’s difficult, but certainly appears within the realms of possibility for a law enforcement or intelligence agency.
Money launderers represents the weak link in ransomware operations
The European Union Agency for Cybersecurity (ENISA) recently issued their annual cyber threat landscape report for 2021. One of the key takeaways covered money laundering services used by ransomware actors, identifying that only a small number of money launderers controlled the process for cleaning ransom payments across multiple ransomware groups. According to the report, 199 crypto addresses received 80% of all funds sent by ransomware addresses in 2020, and an even smaller group of 25 addresses accounted for approximately 46%. We briefly touched upon these findings on our previous blog on ENISAs findings, however a couple of key points can be ascertained from these findings.
Beyond their geography, motivations, and techniques, ransomware groups are undoubtedly more intertwined than current research efforts have demonstrated; many operators have likely worked across multiple ransomware programs. A compromise of just a handful of money launderers could produce leads for law enforcement operations against multiple groups, which in turn, could result in a significant impact against the ransomware landscape as a whole. Law enforcement efforts in 2021 have made considerable gains in soliciting arrests, seizing ransom payments, and removing infrastructure associated with ransomware; this has not however produced a knockout blow that could put ransomware activity on the backfoot. The best option for law enforcement in 2022 appears to be targeting money launderers and the financiers of this pernicious activity. When combined with policy making advancements and international cooperation, this will likely yield the greatest results going forward.
Do you have a curiosity for the intricacies of the cybercriminal world? Do you have a passion for everything ongoing in the world of cyber threat intelligence? If so, Digital Shadows (now ReliaQuest) is the best place for you to keep abreast of the latest developments, why not take a seven day test drive of our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service, or sign up for a live demo.