Ryuk ransomware Bitcoin wallets point to $150 million operation

Posted by & filed under Security Alerts.

Security researchers following the money circuit from Ryuk ransomware victims into the threat actor’s pockets estimate that the criminal organization made at least $150 million.

They found that Ryuk operators primarily use two legitimate cryptocurrency exchanges to cash out the Bitcoin from paying victims as fiat money.

Ryuk’s money circuit

Threat intelligence companies Advanced Intelligence and HYAS tracked 61 Bitcoin wallets attributed to the Ryuk malware enterprise and discovered that the cryptocurrency moves from an intermediary to Huobi and Binance exchanges.

When a Ryuk victim pays the ransom, the money reaches a broker that passes it to the malware operators. The money then goes through a laundering service before getting to legitimate cryptocurrency exchanges or being used to pay for criminal services on underground markets.

“In addition to Huobi and Binance, which are large and well-established exchanges, there are significant flows of crypto currency to a collection of addresses that are too small to be an established exchange and probably represent a crime service that exchanges the cryptocurrency for local currency or another digital currency,” the researchers explain.

One of the largest transactions involving a Ryuk wallet found during this investigation was above $5 million (365 bitcoins), the researchers said in their report. This is not the highest ransom paid to Ryuk, though.

In a previous report, Advanced Intelligence said that the largest payment confirmed to these attackers was 2,200 BTC, which converted to $34 million at the time. The average ransom value received by the group is 48 bitcoins.

Escaping ID verification

Cashing out the ransom money in fiat currency is not a simple process, but the Ryuk operators set up a circuit that allows them to handle millions despite security researchers and law enforcement keeping a close eye on the operation.

The conversion from cryptocurrency is essential in identifying the criminals because reputable exchanges require personal documents before transferring the money to a bank account.

However, it is unclear how strict this verification is in the case of Huobi and Binance.

Ryuk ransomware has been active for more than two years and has left behind a long list of victims. It is a tight enterprise that leaves few clues about its actions and profits.

By November 2020, attacks from this threat actor focused mostly on organizations in the healthcare sector, adding to the pressure from the pandemic. In the third quarter of last year, the attackers were hitting, on average, 20 companies every week.

Considering the actor’s reputation as a tough negotiator that does not budge an inch regardless of the victim’s profile or financial difficulties, the $150 million revenue estimate is likely conservative. Obviously, the entire operation comes with some costs.

Another highly profitable ransomware gang is REvil (Sodinokibi), which announced through a public-facing representative that it made $100 million in one year from extorting victims. They said that the goal was to make $2 billion.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.