Cryptocurrency experts have recently identified $602 million in ransomware payments made in 2021, raising concerns that the figure may surpass the $692 million paid to cybercrime groups in the previous year. The findings are detailed in the Ransomware Crypto Crime Report, an analysis by Chainalysis, a blockchain investigations and analytics company. The report describes how the ransomware economy is changing and how its money moves.
One significant trend highlighted in the report is the sharp increase in the average payment size over the past few years. In 2019, the average ransomware payment stood at $25,000, which escalated to $88,000 in 2020 and reached $118,000 in 2021. This surge can be attributed to the rise of targeted attacks on major organizations, commonly referred to as “big-game hunting,” where threat actors can potentially earn millions of dollars from a single breach.
The report also delves into the tactics ransomware operators use to make their attacks more effective. A notable strategy is relying on tools from third-party providers to streamline their operations. Use of these services reached unprecedented levels in 2021, enabling attackers to run large-scale ransomware campaigns with greater efficiency.
Furthermore, Chainalysis observed a significant increase in the percentage of ransomware funds being channeled to third parties, jumping from 6% in 2020 to 16% in 2021. These third parties may include initial access brokers, providers of stolen data such as remote desktop protocol (RDP) log-ins, or underground businesses offering bulletproof hosting and proxy services.
Among the various ransomware groups, Conti emerged as the most lucrative player in 2021, extorting a staggering $180 million from victims. However, these groups have a short lifespan as they frequently rebrand to evade detection and law enforcement scrutiny. Chainalysis reported that the average lifespan of new ransomware variants is approximately two months, indicating a high turnover rate within the cybercriminal ecosystem.
By analyzing the cryptocurrency transaction histories of these groups, Chainalysis was able to establish connections between them. For instance, Hades, WastedLocker, DoppelPaymer, Phoenix, and Macaw Locker were found to have sent funds to a common group of intermediary wallets associated with Evil Corp.
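The kind of linkage described above can be illustrated with a small added example (not Chainalysis's method or code): follow outgoing transfers from each strain's payment wallets and group strains whose funds reach a common intermediary wallet. The strain names, wallet addresses, transfers and the two-hop limit are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: strain names and wallet addresses are made up.
STRAIN_WALLETS = {"strain_a": ["a_pay1", "a_pay2"], "strain_b": ["b_pay1"],
                  "strain_c": ["c_pay1"], "strain_d": ["d_pay1"]}
# Constructed transfers as (sender, receiver) pairs.
TRANSFERS = [("a_pay1", "hop1"), ("hop1", "mix_x"), ("a_pay2", "mix_y"),
             ("b_pay1", "mix_x"), ("c_pay1", "hop2"), ("hop2", "mix_y"),
             ("d_pay1", "cashout_z")]

def downstream(start, transfers, max_hops=2):
    """Wallets reachable from `start` within max_hops outgoing transfers."""
    out = defaultdict(set)
    for src, dst in transfers:
        out[src].add(dst)
    seen, queue = set(), deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in out[node] - seen:
            seen.add(nxt)
            queue.append((nxt, depth + 1))
    return seen

def shared_intermediaries(strain_wallets, transfers, max_hops=2):
    """Map each wallet funded by more than one strain to those strains."""
    funded_by = defaultdict(set)
    for strain, wallets in strain_wallets.items():
        for wallet in wallets:
            for dest in downstream(wallet, transfers, max_hops):
                funded_by[dest].add(strain)
    return {w: s for w, s in funded_by.items() if len(s) > 1}

def link_strains(strain_wallets, transfers, max_hops=2):
    """Group strains joined by a shared intermediary wallet (union-find)."""
    parent = {s: s for s in strain_wallets}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    shared = shared_intermediaries(strain_wallets, transfers, max_hops)
    for strains in shared.values():
        first, *rest = sorted(strains)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(list)
    for s in sorted(strain_wallets):
        groups[find(s)].append(s)
    return sorted(groups.values())
```

A shared wallet is only evidence of a common operator when it is not a general-purpose service: a deposit address at a large exchange would link unrelated senders, so known service wallets need to be excluded before grouping.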
Despite the alarming figures, there is a glimmer of hope in combating ransomware attacks. The report suggests that by targeting a small number of cryptocurrency businesses that facilitate money laundering activities, law enforcement agencies can disrupt the financial incentives driving ransomware operations. In fact, over half (56%) of the funds tracked in 2020 and 2021 were funneled to just six cryptocurrency businesses, indicating a concentrated effort could yield significant results.
In addition to non-state actors, the report also highlights the involvement of state-sponsored entities in ransomware activities. Iran leads the pack with ties to 21 such groups, followed by Russia (16), China (4), and North Korea (2). While China and Russia often pursue geopolitical objectives through ransomware attacks, Iranian and North Korean state hackers are typically driven by financial motives to enrich their respective governments.
The insights provided in the Ransomware Crypto Crime Report underscore the urgency of addressing the escalating threat posed by ransomware attacks. By adopting targeted strategies to disrupt the financial infrastructure supporting these operations, law enforcement agencies can mitigate the impact of ransomware and safeguard organizations against cyber threats.