Russian-Affiliated Ransomware Attacks Accounted for 74% of Revenue in 2021
A recent report by Chainalysis, a blockchain investigations and analytics company, revealed that around three-quarters (74%) of ransomware revenue in 2021 was linked to attacks associated with Russia. The researchers identified more than $400 million worth of cryptocurrency that went to ransomware strains believed to have Russian affiliations based on specific criteria.
Criteria for Russian Affiliation
- Evil Corp Gang: The report highlighted that attacks conducted by the notorious Russia-based Evil Corp gang, whose leadership is suspected to have ties to the Russian government, played a significant role in ransomware revenue.
- Avoidance of CIS Countries: Ransomware strains that deliberately avoided targeting countries in the Commonwealth of Independent States (CIS) were also considered to have Russian affiliations. These strains contained code that prevented file encryption if it detected that the victim’s operating system was located in a CIS country.
- Other Characteristics: Additional characteristics indicating a Russian connection included strains that communicated in the Russian language or had affiliates based in Russia.
The report also highlighted that most of the extorted funds from ransomware attacks were laundered through services that primarily catered to Russian users. Chainalysis estimated that 13% of funds sent from ransomware addresses to services were received by users believed to be in Russia, surpassing any other region.
Money Laundering Through Moscow Cryptocurrency Businesses
Chainalysis conducted an analysis of cryptocurrency businesses operating in Moscow City, Russia’s financial district, revealing that these businesses were heavily involved in laundering digital currencies. Illicit and risky addresses accounted for a significant portion of the funds received by these businesses, with scams, darknet markets, and ransomware extortion payments contributing to nearly $700 million over a three-year period.
Some of these businesses reportedly received up to 30% of their cryptocurrency from illicit sources, indicating a focus on serving cyber-criminal clientele. Interestingly, over half of the cryptocurrency businesses analyzed were located in the same Moscow City skyscraper, Federation Tower.
Positive Developments and Future Outlook
The report acknowledged recent efforts by Russian authorities to combat cybercrime, including the arrest of 14 affiliates of the REvil ransomware gang. Chainalysis emphasized the importance of understanding the current state of Russian cyber-criminal organizations and the role of local cryptocurrency businesses in facilitating money laundering for illicit activities.
Despite ongoing challenges, the report noted positive momentum in addressing cryptocurrency-based crime, citing recent actions against ransomware organizations like DarkSide and sanctions imposed on platforms like Suex and Chatex. Chainalysis also highlighted the significant increase in average ransomware payment sizes over the years, underscoring the evolving nature of cyber threats.