The Ryuk ransomware gang is one of the most prolific criminal operations that caused destruction in multiple industries around the world. According to a joint report published by security firms Advanced-intel and HYAS, Ryuk operators already earned more than $150 million worth of Bitcoin from ransom paid by their victims.
The experts traced payments involving 61 wallet addresses associated with Ryuk ransomware operations. The gang transfers most of its cryptocurrency funds to exchanges through an intermediary to cash out. Experts noticed that the two primary (known) exchanges used by the group are the Asian exchange Huobi and Binance. Both exchanges are structured in a way that probably wouldn't obligate them to comply with law enforcement requests, and both were founded by Chinese nationals who moved their business to countries that are more friendly to cryptocurrency exchanges.
“Both exchanges require identity documents in order to exchange cryptocurrencies for fiat or to make transfers to banks, however it isn’t clear if the documents they accept are scrutinized in any meaningful way. A legal authority can request identity details for the individuals receiving the payments.” reads the report. “We would not expect successful criminal enterprises like Ryuk to make use of a US-based exchange although we have observed other ransomware operators taking this approach.”
Experts reported that Ryuk operators receive a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims. The analysis of the transactions allowed the researchers to estimate that the gang earned $150,000,000.
The researchers also identified significant flows of cryptocurrency to a set of addresses that are likely part of a crime service that exchanges the cryptocurrency for local currency or another digital currency. The experts also traced significant volumes of bitcoin moving from the laundering service to Binance, Huobi, and crime markets.
“These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range. After tracing bitcoin transactions for the known addresses attributable to Ryuk, the authors estimate that the criminal enterprise may be worth more than $150,000,000.” continues the analysis.
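Tracing payments the way the report describes (known Ryuk wallets, an intermediary laundering service, then labeled exchange deposit addresses) reduces to a walk over a labeled transaction graph. The following is an added example, not code from the report or its authors; the ledger, address names and labels are constructed, and a real analysis would rely on address clustering and exchange attribution data that this toy omits.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real Ryuk transactions): (txid, sender, receiver, btc)
LEDGER = [
    ("t1", "victim_corp", "ryuk_addr_1", 120.0),
    ("t2", "payment_broker", "ryuk_addr_2", 300.0),
    ("t3", "ryuk_addr_1", "launder_1", 110.0),
    ("t4", "ryuk_addr_2", "launder_1", 290.0),
    ("t5", "launder_1", "huobi_deposit", 250.0),
    ("t6", "launder_1", "binance_deposit", 140.0),
    ("t7", "launder_1", "crime_market_1", 10.0),
]

# Attribution labels an analyst would maintain (constructed for the example)
LABELS = {
    "ryuk_addr_1": "ryuk", "ryuk_addr_2": "ryuk",
    "payment_broker": "broker",
    "launder_1": "laundering_service",
    "huobi_deposit": "exchange:Huobi",
    "binance_deposit": "exchange:Binance",
    "crime_market_1": "crime_market",
}
CASH_OUT_PREFIXES = ("exchange:", "crime_market")

def build_graph(ledger):
    """Adjacency list: sender -> [(receiver, btc), ...]."""
    graph = defaultdict(list)
    for _txid, src, dst, btc in ledger:
        graph[src].append((dst, btc))
    return graph

def ransom_inflows(ledger, labels, group="ryuk"):
    """Total BTC received by the group's addresses, split by sender label."""
    totals = defaultdict(float)
    for _txid, src, dst, btc in ledger:
        if labels.get(dst) == group:
            totals[labels.get(src, "unattributed")] += btc
    return dict(totals)

def trace_cash_out(graph, labels, group="ryuk", max_hops=4):
    """BFS outward from the group's addresses; sum BTC landing on cash-out endpoints.
    Funds commingle at intermediaries, so these are labeled-endpoint totals, not
    per-victim attribution."""
    seeds = [a for a, lbl in labels.items() if lbl == group]
    reached = defaultdict(float)
    seen = set(seeds)
    queue = deque((s, 0) for s in seeds)
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for dst, btc in graph.get(addr, []):
            label = labels.get(dst, "unattributed")
            if label.startswith(CASH_OUT_PREFIXES):
                reached[label] += btc  # terminal endpoint: count, do not expand
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1))
    return dict(reached)
```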
In order to limit their exposure, Ryuk operators create a pair of unique Protonmail addresses for each victim and use them to communicate with that victim.
“Enterprises that suffer from ransomware aren’t infected because they lack up to date antivirus software or because they chose the blue vendor instead of the red vendor.” concludes the report. “They’re encountering ransomware because they haven’t considered developing countermeasures that will prevent the initial foothold that is obtained by precursor malware like Emotet, Zloader, and Qakbot (to name a few).”