Ransomware attackers are growing more dangerous, more sophisticated and sharply more profitable in extracting crypto from their victims, according to on-chain data reviewed by Chainalysis.
In a new report, the blockchain analytics firm said ransomware-linked addresses have banked at least $81 million in crypto this year after amassing a record $406 million in 2020. Chainalysis suspects the true toll is far higher. New addresses frequently pop up, and victim corporations often keep their ransomware run-ins under wraps.
Just last week Colonial Pipeline suffered a debilitating ransomware attack that forced it to freeze a critical oil and gas artery for the U.S. eastern seaboard. Colonial ultimately paid the group, which was using DarkSide ransomware, $5 million in crypto to unlock its network, according to reports.
Chainalysis said the prevalence of ransomware-as-a-service (RaaS) is contributing to the blistering spread of corporate cyber attacks. Under RaaS, ransomware developers essentially license out their software strains and share in their affiliates’ profits. DarkSide generated the vast majority of RaaS revenue through Q1, the report said.
Ransomware payouts are also steadily growing. Victims paid an average of $54,000 in Q1, compared to $46,000 in Q4 2020 and just $12,000 average in Q4 2019. There tends to be at least one $10 million ransom paid a quarter, but groups have demanded as much as $50 million.
Cryptocurrencies, especially bitcoin, the top ransomware payout, is inherently traceable because of its public blockchain, allowing Chainalysis to follow the money. It said ransomware addresses spread over 9% of victim funds across fraud shops, hacking tool service providers and even professional negotiator services last quarter to support their extortion efforts. Just 3% of the crypto flowed that way in Q1 2020.
But the vast majority of last quarter’s ransomware payouts, over 75%, ended up on crypto exchanges, Chainalysis said.
Likewise, the vast majority of ransomware strains appear to emanate from Russia’s sphere of influence. Russian-affiliated cybercriminals “have been among the most prolific in the world,” Chainalysis said, especially in crypto crime. They account for a “larger share” of ransomware activity in 2021.
The most profitable ransomware strains of 2021 are hard coded to avoid Russian-speaking victims, Chainalysis said. It estimated Russia-linked strains have taken in 92% of this year’s ransomware proceeds, compared to 86% last year.
Law enforcement entities may be targeting ransomware proprietors. On Friday, BleepingComputer reported that federal officials had seized the servers belonging to DarkSide, and the group's crypto appears to have been sent to another wallet.