Articles, Investigations | August 4, 2023

Unveiling the ransomware ecosystem: A tale of two markets

by Rich Litman

Crystal Marketing Team

Ransomware attacks have emerged as one of the most severe cyber threats for governments, critical infrastructure, and corporations worldwide.  

Collecting and analyzing ransomware data is essential to understanding the spread of ransomware and designing effective defense and mitigation mechanisms.  By leveraging the transparent nature of Bitcoin, the cryptocurrency used for most ransomware payments, the authors of A Tale of Two Markets were able to characterize evolving ransomware criminal structures and ransom laundering strategies. 

With the help of Crystal and its data, the authors were able to significantly enhance the study of the laundering strategies used by ransomware groups and the time needed to launder the money. Co-author Oosthoek said, “This was a crucial piece of data that enabled us to demonstrate the severe threat that Ransomware poses to our society.” 

Here we summarise the key findings from the paper and highlight the threat that ransomware poses. 

Ransomware as a Service 

Ransomware has become a global threat, affecting institutions and corporations worldwide.  

The rise of Ransomware as a Service (RaaS) has enabled criminals to profit from these attacks, with notable ransomware families like NetWalker, Conti, REvil, and DarkSide dominating the ransomware market. 

Cryptocurrencies, particularly Bitcoin, have emerged as the preferred payment method due to their network effects and perceived anonymity. However, law enforcement agencies have started using anti-money laundering regulations to disrupt ransomware actors by obtaining personal information from Bitcoin exchanges. 

Understanding the ransomware ecosystem 

The research paper A Tale of Two Markets provides valuable insights into the ransomware ecosystem, focusing on two main categories: commodity ransomware and RaaS.  

Commodity ransomware refers to early forms of ransomware, while RaaS involves a core team of developers who license their malware to affiliates.  

RaaS actors have shown greater sophistication in their operations, generating higher revenues and employing more efficient laundering strategies. 

Analyzing ransom payments

The study analyzes ransom payments made to Bitcoin addresses owned by ransomware actors and has shown that RaaS actors dominate the revenue, earning USD $95.7 million compared to USD $5.5 million earned by commodity actors.  

Ransomware families like NetWalker, Conti, REvil/Sodinokibi, DarkSide, and Locky have emerged as top earners in the ransomware market. The revenue distribution over time shows a significant increase in RaaS revenue, with peaks in 2021 due to large ransom payments.  

USD revenue for commodity and RaaS. Source: A Tale of Two Markets 

The research methodology used 

Bitcoin addresses involved in ransom payments were obtained from various sources, including a crowdsourced payment tracker. The dataset contained many Bitcoin addresses and their corresponding ransomware families. The transparency of Bitcoin allowed researchers to track ransom payments and estimate their value.  

In collaboration with our team at Crystal, the authors tracked outgoing transactions and studied the laundering strategies of ransomware groups.  

Different payment characteristics in ransomware 

Commodity ransomware actors often use single wallet addresses to receive multiple payments, while RaaS actors prefer new wallet addresses for each payment to enhance pseudo-anonymity.  

RaaS groups also follow better operational security practices and use specific address formats such as Pay-to-Script-Hash (P2SH) and Pay-to-Witness-Public-Key-Hash (P2WPKH). 

Examining money laundering strategies 

Money laundering plays a crucial role in ransomware operations. Ransomware actors typically launder illicit earnings by routing funds through various services to obscure the money trail.  

RaaS actors tend to empty the deposit address in one transaction, while commodity actors prefer multiple smaller transactions. RaaS actors show faster and more efficient laundering processes, with a significantly shorter time between receiving the payment and starting laundering. 
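As an added illustration (not code from the paper or from Crystal), the payment characteristics and laundering patterns described above can be measured per deposit address from a list of transactions. The ledger rows, placeholder addresses and the 99% sweep threshold are constructed assumptions, and the address-type check is a prefix heuristic rather than full address validation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: placeholder addresses, not real wallets or payments.
COMMODITY = "1" + "C" * 33        # legacy-style address reused for several ransoms
RAAS = "bc1q" + "r" * 38          # fresh 42-character bech32 address, one ransom
# Rows: (address, direction, ISO timestamp, amount in satoshis)
LEDGER = [
    (COMMODITY, "in",  "2020-01-03T10:00:00", 50_000_000),
    (COMMODITY, "in",  "2020-01-09T12:00:00", 40_000_000),
    (COMMODITY, "out", "2020-01-20T10:00:00", 30_000_000),
    (COMMODITY, "out", "2020-02-01T10:00:00", 59_990_000),
    (RAAS,      "in",  "2021-05-08T09:00:00", 7_500_000_000),
    (RAAS,      "out", "2021-05-08T11:30:00", 7_499_950_000),
]

def address_type(addr):
    """Prefix heuristic for mainnet formats; does not verify checksums."""
    if addr.startswith("bc1q"):
        return "P2WPKH" if len(addr) == 42 else "P2WSH"
    if addr.startswith("3"):
        return "P2SH"
    if addr.startswith("1"):
        return "P2PKH"
    return "unknown"

def profile(ledger):
    """Per deposit address: reuse, outflow pattern and time to first outflow."""
    txs = defaultdict(lambda: {"in": [], "out": []})
    for addr, direction, ts, sats in ledger:
        txs[addr][direction].append((datetime.fromisoformat(ts), sats))
    report = {}
    for addr, tx in txs.items():
        ins, outs = sorted(tx["in"]), sorted(tx["out"])
        received = sum(sats for _, sats in ins)
        delay_h = None
        if ins and outs:  # an address may be unspent or have no known payment
            delay_h = (outs[0][0] - ins[0][0]).total_seconds() / 3600
        report[addr] = {
            "type": address_type(addr),
            "reused": len(ins) > 1,
            "outgoing_txs": len(outs),
            # Assumed threshold: one outflow moving >= 99% of receipts is a sweep.
            "single_sweep": len(outs) == 1 and outs[0][1] * 100 >= received * 99,
            "hours_to_first_outflow": delay_h,
        }
    return report

if __name__ == "__main__":
    for addr, row in profile(LEDGER).items():
        print(addr[:8], row)
```
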

Challenges in fighting money laundering 

Fighting money laundering associated with ransomware poses challenges due to the pseudonymous nature of Bitcoin.  

However, forensic analysis and clustering algorithms help law enforcement agencies link addresses to real-world identities. RaaS actors primarily use fraudulent exchanges and mixers for laundering, while commodity actors prefer exchanges and potentially cashing out to fiat currency or other cryptocurrencies. 

RaaS actors show greater sophistication, generate higher revenues, and employ more efficient laundering strategies, posing challenges for law enforcement agencies. 

Recovery of payments and combatting ransomware 

The chances of recovering payments through law enforcement intervention may be higher with commodity ransomware than with RaaS, given the different laundering strategies and the traces left by the chosen services.  

Understanding the structure and dynamics of the ransomware ecosystem is crucial in developing effective countermeasures against these cyber threats. Ongoing efforts to combat ransomware and protect potential victims can be enhanced by using blockchain analytics tools.  

To discover how blockchain analytics tools can help combat ransomware or to learn more about Crystal’s initiative for universities, please get in touch. 