Where do the billions of dollars extorted by ransomware criminals end up?
Obviously, that cryptocurrency ends up in someone’s bank account before reappearing in the tills of luxury watch shops, sports car dealerships, and five-star resorts around the globe, as criminals spend the proceeds.
To make that jump from the virtual to the physical, the funds must first be laundered. So where is this happening?
It’s the sort of question that rarely gets asked, let alone answered, largely because it’s not easy to track the cryptocurrencies involved in these transactions.
Following the trail requires deep expertise in how the blockchains that underpin digital currencies operate, and a handful of firms specialize in exactly that. One such company is blockchain data analysis firm Chainalysis, which correlated 2021 transactions to three key indicators: connections to known criminal groups, the language used by malware developers, and whether malware conspicuously avoids attacking certain countries.
Joining the dots, one country jumped out: Russia. Not a huge surprise perhaps, but some of the numbers Chainalysis has crunched offer the sort of interesting detail we rarely get to see.
By analyzing the volume of suspect transactions moving through cryptocurrency exchanges during the year, Chainalysis estimates that ransomware transactions accounted for at least $540 million worth of cryptocurrency funds. Of this, 74% (around $400 million) involved ransomware likely connected to Russia.
Analyzing several dozen cryptocurrency businesses based in Moscow for illustration, the company estimates that between 29% and 48% of funds received by them came from illicit addresses, a calculation which includes all types of cybercrime, not only ransomware.
And you don’t have to travel down a dark back alley to find some of these allegedly dubious exchanges. Many operate from Moscow’s tallest and most expensive address, the 1,227-foot Federation Tower.
“Nothing is more emblematic of the growth of Russia’s crypto crime ecosystem, and of cybercriminals’ ability to operate with apparent impunity, than the presence of so many cryptocurrency businesses linked to money laundering in one of the capital city’s most notable landmarks,” the Chainalysis report states.
Some of this is blatant enough that Chainalysis feels able to name several suspect businesses after documenting their alleged habit of laundering funds extorted by known ransomware strains.
A separate Chainalysis estimate puts the total value of ransomware payments identified during 2021 as $602 million, a number likely to rise significantly as more is traced.
That exceeds the sums extorted in 2020, itself a record year. The biggest ransomware strain was the Conti ransomware-as-a-service (RaaS) platform, which, no surprise, also hails from Russia.
Able to remain active throughout the year, Conti was the exception to the norm; most ransomware groups have a short window of success before fading.
Ransoms rose sharply during the year to an average of $118,000, up from $88,000 in 2020 and $25,000 in 2019.
More positively, 2021 was also the first year the authorities (as far as we know) managed to retrieve a ransom payment, when the United States retrieved $2.3 million of the money paid to the DarkSide group responsible for the Colonial Pipeline attack.
As discussed in an earlier Ransomware.org story, a clutch of highly unusual arrests in Russia connected to the REvil ransomware group in January could signal a change in the environment for ransomware criminals and their enablers. A more cautious interpretation of that event is that while Russian ransomware groups are a long way from being put on notice, their fortunes might now be part of a larger bargaining strategy by the Russian Government.