Ransomware is the fastest-growing cyber threat and has come into the spotlight in recent months owing to a series of high profile attacks on critical infrastructure.
Here Coinfirm shares some of our findings from the monitoring and analysis of tens of thousands of blockchain addresses directly related to ransomware over the last 18 months.
January 2020 – June 2021 Notable Ransomware Events
March 2020: Maze ransomware group pledged they will “stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.”
April 2020: NetWalker’s month. Almost all of the ransomware payments made in April were detected as being paid to Circus Spider, a threat actor utilizing the now-ceased NetWalker ransomware. Four blockchain addresses from the group received major BTC inputs in that month (296.7, 154.2, 106.4 and 71.3 BTC).
July 2020: 414 BTC ($4.5 million on the date of transaction) paid by U.S. travel management firm CWT to Ragnar Locker. This accounted for 88.1% of criminals’ ransomware income for the month (469.7 BTC in total). By BTC amount this remains the largest single ransomware payment a company has made; in USD terms it was later surpassed by the 301 BTC ($11 million) JBS paid to REvil in June 2021.
September 2020: U.S. Universal Health Services suffered an attack from Ryuk – a prolific ransomware that specifically sought out hospitals as targets during the height of the pandemic – that crippled 250 of its hospitals. UHS did not pay the ransom, but the attack cost the healthcare provider $67 million. Ransomware targeting hospitals is not new, as Coinfirm has documented before.
Jan 27th 2021: NetWalker taken down by the U.S. government. The following two months saw just 0.161 and 0.294 BTC taken in, respectively, by ransomware gangs.
May 7th 2021: Colonial Pipeline. 75 bitcoin, or $4.4 million, paid (28.5% of total ransomware intake for the month). When a critical segment of infrastructure is targeted the consequences can be devastating, and the Colonial Pipeline attack in May was one such event: it pushed the price of gasoline above $3 for the first time since 2014 and caused widespread fuel shortages across the East Coast of the US. The pipeline transports 2.5 million barrels per day of jet fuel, diesel and petrol, accounting for 45% of the East Coast’s supply.
May 14th: Shortly after the Colonial Pipeline attack, DarkSide lost access to its infrastructure. The following month the FBI announced its seizure of 63.7 BTC, part of the ransom payment from Colonial to DarkSide.
June 1st: JBS, the world’s largest meat processor, was attacked, with thousands of employees affected. JBS paid REvil 301 BTC ($11 million on the day of exchange). The attack accounted for almost 100% of the ransomware income of criminal gangs that month. Coinfirm is observing the trail of this ransomware payment as the funds go through the process of ‘layering’: the sum is broken down into smaller amounts and passed through CoinJoin transactions.
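To make the two layering patterns concrete, here is an added example (not Coinfirm’s code, and not its proprietary tracing logic) that follows a ransom payment forward through a small set of constructed transactions and flags where the sum is split and where it enters a CoinJoin-like transaction. The CoinJoin heuristic used (several distinct input addresses and several outputs of identical value) is a well-known public heuristic and an assumption of this example; the addresses, transaction IDs and amounts are all invented sample data.

```python
"""Forward trace of a ransom payment over constructed transaction data.

Added example, not Coinfirm's code. The CoinJoin heuristic (>= 3 distinct
input addresses and >= 3 outputs of equal value) is a public heuristic and an
assumption of this example; all transactions below are constructed.
"""
from collections import Counter, defaultdict, deque

# Constructed sample transactions: txid -> (inputs, outputs), where each
# input/output is (address, amount_btc). Amounts are illustrative only.
TXS = {
    # ransom paid by the victim to an attacker-controlled address
    "ransom": ([("victim", 301.0)], [("attacker1", 301.0)]),
    # layering step 1: the sum is broken into smaller outputs
    "split": ([("attacker1", 301.0)],
              [("a2", 100.0), ("a3", 100.0), ("a4", 101.0)]),
    # layering step 2: one piece joins a CoinJoin with unrelated users
    "cj": ([("a2", 100.0), ("x1", 100.5), ("x2", 99.8)],
           [("o1", 50.0), ("o2", 50.0), ("o3", 50.0),
            ("c1", 49.9), ("c2", 50.4), ("c3", 49.7)]),
    # another piece goes straight to an exchange deposit address
    "cashout": ([("a3", 100.0)], [("exchange_deposit", 99.99)]),
}


def is_coinjoin_like(tx, min_inputs=3, min_equal_outputs=3):
    """Heuristic: many distinct input owners plus a run of equal-valued outputs."""
    inputs, outputs = tx
    if len({addr for addr, _ in inputs}) < min_inputs:
        return False
    counts = Counter(round(amt, 8) for _, amt in outputs)
    return bool(counts) and max(counts.values()) >= min_equal_outputs


def is_split(tx, min_outputs=3):
    """Heuristic: a single spender fanning one sum out into several outputs."""
    inputs, outputs = tx
    return len({addr for addr, _ in inputs}) == 1 and len(outputs) >= min_outputs


def build_spend_index(txs):
    """address -> list of txids that spend from that address."""
    index = defaultdict(list)
    for txid, (inputs, _) in txs.items():
        for addr, _ in inputs:
            index[addr].append(txid)
    return index


def trace(txs, start_txid):
    """Follow outputs forward from start_txid (breadth-first).

    Returns (hops, tainted, ambiguous):
      hops      - list of (txid, kind) with kind in {"plain", "split", "coinjoin"}
      tainted   - addresses that demonstrably received traced funds
      ambiguous - CoinJoin outputs where the traced funds cannot be told apart
                  from other participants' coins; the trace stops there.
    """
    spend_index = build_spend_index(txs)
    hops, tainted, ambiguous, seen = [], set(), set(), set()
    queue = deque([start_txid])
    while queue:
        txid = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        tx = txs[txid]
        if is_coinjoin_like(tx):
            kind = "coinjoin"
        elif is_split(tx):
            kind = "split"
        else:
            kind = "plain"
        hops.append((txid, kind))
        for addr, _ in tx[1]:
            if kind == "coinjoin":
                # equal-valued outputs are indistinguishable: record, do not follow
                ambiguous.add(addr)
                continue
            tainted.add(addr)
            queue.extend(spend_index.get(addr, []))
    return hops, tainted, ambiguous


if __name__ == "__main__":
    hops, tainted, ambiguous = trace(TXS, "ransom")
    for txid, kind in hops:
        print(f"{txid:8s} {kind}")
    print("tainted:", sorted(tainted))
    print("ambiguous (CoinJoin outputs):", sorted(ambiguous))
```

The trace stops deliberately at the CoinJoin hop and reports its outputs as candidates rather than tainting all of them: continuing blindly would attribute other users’ coins to the attacker, which is exactly the ambiguity a CoinJoin is meant to create. A real investigation resumes from those candidates with additional evidence (timing, amounts, later consolidation), which is the slower work the post refers to as observing the trail.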
April to June are seemingly very busy periods for ransomware threat actors whilst January to March of the year tends to be more quiet (the latter periods are shown shaded in Fig. 1). This is in line with reports that ransomware threat actors tend to spend a few months of increased activity before going silent for long periods of time.
Dominik Konopacki, one of Coinfirm’s foremost analysts on ransomware noted that “we have recently had a lot of attacks on strictly strategic points, e.g. Colonial Pipeline or JBS. Last year we noted many cases of attacks on hospitals and healthcare providers. But these attacks on Colonial and JBS can have real effects on prices or supplies. We will see if this is a new trend: targeting on strategic points in various countries which is definitely another factor to motivate those victims to pay the ransom.”
98% of ransomware demands are paid in Bitcoin, with only 2% paid in Monero. Although gangs routinely request Monero, it can be hard for companies to get their hands on it as most centralized exchanges around the world have ceased trading of the asset due to regulatory crackdown by authorities against so-called ‘privacy coins’.
BTC Price & Ransomware Activity Correlation? Perhaps Not
Whilst ransom prices are usually based on the current price of crypto, ransomware activity is not.
When the price of Bitcoin rises, the ransom demands in BTC go lower (this is demonstrated by comparing Fig 1. and Fig 2., where the amount of BTC taken in seems to have decreased (1), but the USD value has increased (2) YoY). Interestingly, higher prices of crypto do not necessarily translate to more attacks. This is seen in the graph below in the comparison between the price of BTC per month and BTC paid to ransomware attackers by USD value on the day of transactions.
What can be seen in Fig 2. is that in 2020, ransomware activity increased despite no meaningful BTC price increase and in 2021 the price of BTC rose for a number of months before any significant ransomware activity was detected, demonstrating a low level of correlation between the price of Bitcoin and ransomware activity.
Policy Response to Ransomware
Arguments have been made on whether to ban cryptocurrency to stop ransomware as well as to ban the paying of ransoms. Banning cryptocurrency is something governments have been trying to do to one degree or another in various forms with little success. Banning the paying of ransoms however could have unintended consequences.
What is clear is how seriously governments are now taking the ransomware threat. President Biden and President Putin have recently held a number of high-level talks broaching the topic of ransomware attacks (many attackers operate from within the borders of the Russian Federation).
From the U.S. side, last month the Department of Justice designated ransomware as important a threat to tackle as terrorism, whilst on the Russian side a new law has been proposed in the State Duma to confiscate crypto that constitutes the proceeds of crime.
Co-ordinated law enforcement actions against these kinds of actors are effective. 2021 has seen three ransomware groups close operations so far: NetWalker, DarkSide and REvil. Whilst the first two were the result of direct action by the U.S. government, REvil mysteriously went offline in July of this year after launching an attack that affected around 1,500 targets.