Report: Russian Operators Collect 74% of Ransomware Revenue

Date: March 13, 2024


New research by crypto-fraud tracker Chainalysis suggests that 74% of all revenue realized through ransomware attacks in 2021 - more than $400 million worth of crypto-currency payments - went to attackers "highly likely to be affiliated with Russia."

The researchers also assess, based on analysis of public blockchain transaction records for digital wallets associated with threat actors, that "a huge amount of crypto-currency-based money laundering" flows through Russia-based crypto-currency companies.

“The research is further evidence that many cyber-criminal groups operate either in Russia or in the surrounding Commonwealth of Independent States (CIS) - an intergovernmental organization of Russian-speaking, former Soviet countries,” BBC reports.

“However, the report only looks at the flow of money to cyber-criminal gang leaders, and many run affiliate operations - essentially renting out the tools needed to launch attacks to others - so it's not known where the individual hackers who work for the big gangs are from.”

Takeaway: There is mounting evidence that not all ransomware operations are conducted by cybercriminals simply out to make a buck; in many cases the operators are the same threat actors who conduct nation-state operations, potentially acting as proxies in the larger geopolitical sphere.

We know rogue nations like Russia, China, Iran, and North Korea directly support and/or influence ransomware operations.

The overlap of cybercriminal activity with nation-state-supported operations conveniently gives the aggressor nation plausible deniability: it leverages ransomware gangs or other seemingly independent threat actors as proxies to conduct attacks that are part of a larger geopolitical strategy.

But there is so much ambiguity in determining root attribution for these attacks that it is difficult to determine the best course of action against the offending nations.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, and indict and prosecute when possible.

But if an attack is regarded as a national security event, a different set of rules of engagement comes into play, which can include offensive action deemed appropriate and proportional.

Ultimately, it is rogue governments that are both providing safe harbor to the threat actors conducting ransomware attacks and influencing some of their targeting.

Until the U.S. government severely sanctions these regimes for their direct or tacit support of ransomware operations, we will not see this spate of attacks abate any time soon.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.