CYBERCRIME

74% of ransomware revenue goes to Russia-linked hackers

A major international operation was launched last year to stop hackers

In Summary
  • Researchers say more than $400 million worth of crypto-currency payments went to groups
  • For years Russia has denied that it was harbouring hackers.
Most users do not understand the risks of falling into the hands of hackers.

New analysis suggests that 74 per cent of all money made through ransomware attacks in 2021 went to Russia-linked hackers.

Researchers say more than $400 million worth of crypto-currency payments went to groups "highly likely to be affiliated with Russia".

Russia has denied accusations that it is harbouring cyber-criminals.

Researchers also claim "a huge amount of crypto-currency-based money laundering" goes through Russian crypto-companies.

Chainalysis, which carried out the research, said it was able to follow the flow of money to and from the digital wallets of known hacking groups using public blockchain transaction records.

Analysts say they know which hacking groups are Russian because they display various characteristics, for example, their ransomware code is written to prevent it from damaging files if it detects the victim's computers are located in Russia or a CIS country.

The gang operates in Russian on Russian-speaking forums and is linked to Evil Corp - an alleged cyber-crime group wanted by the US.

The research is further evidence that many cyber-criminal groups operate either in Russia or in the surrounding Commonwealth of Independent States (CIS) - an intergovernmental organisation of Russian-speaking, former Soviet countries.

However, the report only looks at the flow of money to cyber-criminal gang leaders, and many run affiliate operations - essentially renting out the tools needed to launch attacks to others - so it's not known where the individual hackers who work for the big gangs are from.

A major international operation was launched in 2021 to stop ransomware hackers, after many high-profile and disruptive attacks - for example on Ireland's health service and an oil pipeline in the US.

Alleged hackers were arrested in Romania, Ukraine, South Korea and Kuwait.

The US has also successfully retrieved millions of dollars from the digital wallets of multiple ransomware criminals.

For years Russia has denied that it was harbouring hackers.

Russian President Vladimir Putin told reporters at his 2021 summit with US President Joe Biden that his own intelligence shows "Russia is not listed in this ranking of countries that see the most significant number of cyber-attacks from their territory."

However, last month Russian authorities announced they'd dismantled ransomware group REvil at the request of the United States.

The operation is an extremely rare case of the US and Russia collaborating on cyber-crime.

In the Chainalysis report, it's highlighted that 9.9 per cent of all known ransomware revenue is going to Evil Corp - an alleged cyber-crime group against which the US has issued sanctions and indictments, but who are operating in Russia with apparent impunity.

A BBC investigation in November found that Igor Turashev, one of the accused leaders of Evil Corp, is operating several businesses out of Moscow City's Federation Tower.

The tower is one of Russia's most prestigious addresses, home to prominent businesses and with apartments going for millions of dollars.

Chainalysis claims several crypto-currency companies based in the tower were used by hackers to launder illicit funds, turning crypto-currency from digital wallet addresses to mainstream money.

"In any given quarter, the illicit and risky addresses account for between 29 per cent and 48 per cent of all funds received by Moscow City crypto-currency businesses", researchers allege.

The latest report shows the Covid-19 pandemic has allowed cybercriminal gangs to expand and grow their own networks by leveraging many businesses’ hybrid work-from-home model, plus migrations to the cloud.

This has greatly expanded the health care industry footprint, in turn increasing the attack surface for these cybercriminals, creating a target-rich environment.

It adds that there is a sense of urgency to recover quickly from a cyberattack, and that health care organisations will typically pay ransoms quickly in order to get back online and limit client impact.

This has also resulted in cybercriminals attacking health care more often, drawn by the rapid ransom payday.

Cybercriminals are already using new, complicated code to impede analysis, and are spoofing modern anti-virus and security solutions, Everette said.

These tools began with nation-state hackers, Everette said, but now are becoming readily available to common cybercriminal gangs.

"As this new sophisticated technology gets in the hands of these cybercriminals, the list of victims will continue to grow at an exponential rate," he said. "It is a constant cat-and-mouse game that cybersecurity professionals cannot lose."

Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor, agrees that ransomware techniques will become even more numerous and sophisticated.

“What will be different are the increased ways in which the ransomware will be planted within the networks,” she explained.

“Besides using phishing messages and malicious sites, the ransomware crooks will utilize IoT devices, which are largely unsecured, as pathways into networks, where they will then plant the ransomware.