Chainalysis, a blockchain analysis company, has released part of a report showing potential connections between four major ransomware cybercrime groups.
The company’s 2021 Crypto Crime Report, which is due to be fully released in February, analyses blockchain ledgers to identify how cybercriminals are using cryptocurrencies.
Maze, Egregor, SunCrypt, and Doppelpaymer are the primary groups identified in the report.
Use of ransomware has massive increased in 2020, according to the report, with a 311% increase from the previous year in the amount paid by its victims to deposit addresses. This constituted nearly $350 million (£255m) worth of cryptocurrency. No other category of cryptocurrency-based crime saw a higher annual growth rate.
Despite this increase, Chainalysis suspects there are far fewer cybercriminals responsible for these attacks than one would assume. This is due to the nature of the RaaS model and the likelihood that many of these strains are only slight variations of software controlled by the same people.
Through analysing blockchain ledgers, Chainalysis has found evidence suggesting a number of connections between these four groups.
Using the company’s Reactor software to connect cryptocurrency transactions to real-world entities, Chainalysis found strong evidence that a Maze ransomware affiliate also worked for SunCrypt. In the graph (above), 9.55 Bitcoin – worth over £300,000 – had been sent by the Maze affiliate to an address labelled ‘Suspected SunCrypt admin.’
In another graph (below), Chainalysis believes two different ransomware strains appear to be using the same money laundering infrastructure.
Both strains’ victim payment wallets have sent funds to the same two deposit addresses, which analysis suggests belong to brokers who specialise in trading cybercriminals’ illicitly-gained cryptocurrencies for cash.
“While this doesn’t suggest that Maze and Egregor share the same administrators or affiliates, it’s still an important potential lead for law enforcement,” the report stated. “Cryptocurrency-related crime isn’t worthwhile if there’s no way to convert ill-gotten funds into cash.
“By going after bad actors like the money laundering service or corrupt brokers… law enforcement could significantly hamper the ability of Maze and Egregor to operate profitably,” the report added.
“Regardless of the exact depth and nature of these connections, the evidence suggests that the ransomware world is smaller than [expected],” Chainalysis added. This information can be a force multiplier for law enforcement. If they can identify and act against groups controlling multiple ransomware strains… then they’ll be able to halt or impact the operations of several strains with one takedown.”