Ryuk Ransomware Operators Claim Over $150M in Ransom Payments

essidsolutions

Ryuk ransomware operators have been inflicting major damage on organizations worldwide. Cybersecurity firms HYAS and Advanced Intel found the operators raked in more than $150 million in ransom payments, making it the most profitable ransomware gang.

An analysis of the Bitcoin transactions of Ryuk ransomware revealed that the ransomware operators made more than $150 million through ransom payments. Threat prevention firm Advanced Intel and U.K.’s HYAS identified and traced Bitcoin transactions for 61 cryptocurrency deposit addresses tied to Ryuk ransomware payments.

Ryuk operators, the world’s most fearsome ransomware gang, used two exchanges to convert Bitcoin into fiat currency. Unlike other ransomware groups, which stay away from prominent cryptocurrency exchanges such as Huobi and Binance, Ryuk prefers these platforms for its ransom cash flows. Both exchanges require identity documents for cryptocurrency-to-fiat transactions and make transfers to banks.

“However it isn’t clear if the documents they accept are scrutinized in any meaningful way,” wrote Brian Carter, Principal Researcher at HYAS, and Vitali Kremez, CEO and Chairman of Advanced Intelligence, in a joint blog post. “They claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply.”

Huobi is based out of Seychelles and also maintains offices in Asian countries, while Binance operates out of the Cayman Islands. Both exchanges were founded in China by Chinese nationals but moved to more crypto-friendly jurisdictions. Put together, Huobi and Binance handled just over 50% of all illicit Bitcoin transactions in 2019.


The process starts when a ransomware victim pays Bitcoin to a broker, who in turn delivers it to the ransomware operator, Ryuk in this case. The Bitcoin is then sent to a money laundering service that:

  • Converts to fiat currency at the behest of the ransomware gang
  • Channels funds back into the market for further criminal activities

Source: AdvIntel, HYAS

“Bitcoin is a logical choice for a variety of reasons including the ability to remit payments without supervision or oversight of government authorities,” added Carter and Kremez.

“Although the bitcoin blockchain is a public ledger that anyone can review, the addresses associated with payments aren’t necessarily known unless the individual using them is revealed somehow through a legal request or because the user intentionally associated their identity with one of their Bitcoin addresses.”

Besides Huobi and Binance, the analysis of transactions also reveals Ryuk transferred Bitcoin to other deposit addresses too small to be deemed as exchanges.

The Ryuk ransomware also topped the FBI’s list of ransomware gangs that netted the most Bitcoin in ransom between 2013 and 2019. Ryuk was undeniably the most profitable, pocketing $61.26 million, with the next in line, CrySIS/Dharma, making less than half of that ($24.48 million).

The success of Ryuk and other ransomware families underscores the lack of security safeguards against malware droppers such as Emotet, Zloader, and Qakbot. “They [organizations] are encountering ransomware because they haven’t considered developing countermeasures that will prevent the initial foothold that is obtained by precursor malware,” explained the duo.

Carter and Kremez recommend the use of two-factor authentication (2FA), restricting Citrix and Microsoft Remote Desktop Protocol (RDP) access to IP addresses deemed safe, and limiting the execution of Microsoft Office macros.
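As an added illustration of two of those recommendations on a single Windows host (this is example code written for this page, not from the article, HYAS or Advanced Intel), the following PowerShell scopes the built-in Remote Desktop firewall rules to an allowlist and sets the Office macro policy values. The allowlist addresses are placeholders from the RFC 5737 documentation ranges, the Office policy hive is assumed to be the 16.0 series (Office 2016/2019/365), and 2FA for RDP is left out because it depends on a separate provider. Run it from an elevated session.

```powershell
# Added example, not the article's or the researchers' code. Run elevated.
# ASSUMPTIONS: $TrustedRdpSources is a placeholder allowlist; Office policy hive is 16.0.

# --- 1. Restrict inbound RDP (TCP 3389) to trusted source addresses ---
$TrustedRdpSources = @('203.0.113.10', '198.51.100.0/24')   # placeholder: your jump host / VPN ranges

# Scope the built-in "Remote Desktop" rule group so it only matches allowlisted sources.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $TrustedRdpSources

# Catch any other inbound Allow rule that also opens 3389 and scope it the same way.
$Leaky = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayGroup -ne 'Remote Desktop' }
foreach ($rule in $Leaky) {
    Write-Warning "Rule '$($rule.DisplayName)' also allows inbound 3389; scoping it to the allowlist."
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedRdpSources
}

# --- 2. Limit Office macro execution via the policy registry values ---
# VBAWarnings: 2 = disable with notification, 3 = disable except digitally signed,
#              4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark-of-the-Web.
$OfficeApps = @('Word', 'Excel', 'PowerPoint')
foreach ($app in $OfficeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value 3 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
}

# --- 3. Verify: report whether RDP is still reachable from 'Any' and whether macro policy is in place ---
function Test-RdpAndMacroHardening {
    $rdpOpenToAny = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' }
    $macroLevels = foreach ($app in $OfficeApps) {
        (Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue).VBAWarnings
    }
    [pscustomobject]@{
        RdpOpenToAny       = [bool]$rdpOpenToAny
        MacroPolicyApplied = ($macroLevels.Count -eq $OfficeApps.Count) -and
                             (($macroLevels | Where-Object { $_ -lt 3 }).Count -eq 0)
    }
}
Test-RdpAndMacroHardening
```

The macro values are written under HKCU, which affects only the current user; for a fleet the same values are normally pushed under the equivalent Group Policy path so users cannot override them. Scoping the existing Remote Desktop rule group, rather than adding a new rule beside it, is deliberate: a permissive rule left in place would still match first.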
