15% of all ransomware payments made in 2020 carried a risk of sanctions violations
Total ransomware payments increased by 311% in 2020, reaching around $350 million worth of cryptocurrency, according to a Chainalysis crime report. The report stated that 2020’s ransomware increase was driven by new strains taking in large sums of money from victims, as well as pre-existing strains increasing their earnings.
The report noted that a number of ransomware strains operated on the ransomware-as-a-service (RaaS) model, where attackers, also known as affiliates, rent usage of a particular ransomware strain from its creators in exchange for a cut of the money from each successful attack. Ransomware attackers moved most of their stolen funds to mainstream exchanges, high-risk exchanges, and mixers. 15% of all ransomware payments made in 2020 carried a risk of sanctions violations. The amount of ransomware payments carrying sanctions risk went up in 2020 because of the overall increase in ransomware payments, as per the report.
Overall, more than $50 million of cryptocurrency that victims paid out to ransomware addresses carried sanctions risk in 2020. Mainstream exchanges received more than $32 million from ransomware strains associated with sanctions risk. The four active ransomware strains were Maze, Egregor, SunCrypt, and Doppelpaymer, which attacked companies such as Barnes & Noble, LG, Pemex, and University Hospital New Jersey, among others. These strains used the double extortion strategy, which didn’t just withhold the victims’ data but also published parts of it online as an incentive to get the payment.
According to the report, ransomware affiliate Maze sent funds, around 9.55 bitcoins worth over $90,000, through an intermediary wallet to an address labelled ‘Suspected SunCrypt admin’. The wallet of the Egregor ransomware strain sent 78.9 bitcoins, worth around $850,000, to the administrator wallet of the Doppelpaymer ransomware strain. A suspected laundering service received around $2.9 million worth of cryptocurrency from the ransomware strains Doppelpaymer, WastedLocker, and Netwalker. It also received around $650,000 worth of cryptocurrency from darknet markets such as Hydra and FEShop. 199 deposit addresses accounted for 80% of funds sent by ransomware addresses in 2020, while 25 addresses accounted for 46%.
Notably, the deposit address of a nested service at an international cryptocurrency exchange received $63 billion worth of bitcoin between August 3, 2020, and the end of 2020. According to the report’s data, it received over $1 million worth of Bitcoin from ransomware addresses and $2.4 million from multiple scams.
(With insights from the Chainalysis Crypto Crime Report, 2021)