Ransomware, Threat Management

Nearly three-quarters of ransomware revenue generated by Russian strains

About 74% of revenues raised through ransomware go to Russian-affiliated actors, according to a Chainalysis report. Pictured: The Russian flag hangs outside the Russian Consulate on March 2, 2015, in Tallinn, Estonia. (Photo by Jordan Mansfield/Getty Images)

Nearly $3 in every $4 paid to a ransomware attack stems from a ransomware strain affiliated with Russian actors, according to a new report from cryptocurrency forensics group Chainalysis.

In its 2022 Crypto-Crime Report, Chainalysis tracked more than $400 million in ransom in 2021 — around 74% of the total ransomware pie — to strains that showed certain hallmarks of Russian activity. Those included software specifically designed not to deploy in the countries of the Russia affiliated Commonwealth of Independent States, tied directly to the EvilCorp group sanctioned by the United States for its ties to the Russian government, or that communicated with affiliates primarily in Russian, among other indicators.

Ransomware research often depends on analyzing forum chatter, publicly disclosed breaches and the findings of specific incident responders. Chainalysis and other forensics firms focused on the blockchain have a more holistic view based on currency flows to criminal wallets. So while the statistic concerning a a Russian nexus is new, it is not wholly unexpected.

"It is always an interesting thing to put the numbers together at the end of the year. But, actually based on what we've been following throughout the year, it really wasn't that much of a surprise," said Kim Grauer, Chainalysis head of research.

It was not just Russia-affiliated actors designing ransomware attacks. Thirteen percent of funds being transferred out of the wallets used to collect ransom went to wallets estimated to be in Russia, the same report finds. That was the most of any nation.

Over the past three years, according to the report, 13% of all value of cryptocurrency funds received by Russian businesses — around $700 million — have come from criminal sources. Of that amount, 5.5% comes from ransomware, with the bulk split between scams (45.6%) and dark net markets (43.1%).

"Our data is suggesting that Russia still allows Moscow City to remain a locus for illicit activity," said Grauer.

The United States sanctioned the Russian cryptocurrency exchange Suex in 2021, the first time an exchange had been sanctioned, for routine use in money laundering. Russia itself made limited inroads in fighting cybercrime over the last year and has discussed new mechanisms of restricting illicit cryptocurrency. But Chainalysis sees the problem continuing largely unabetted, including in a well-known hotbed of cryptocurrency money laundering, Moscow City's Federation Tower.

Federation Tower is the home address of Suex, which received $159 million in illicit cryptocurrency between 2019 and 2021 (around 37% of total receipts during that period). The Chainalysis report notes that other Federation Tower businesses include Garantex, which received $645 million in illicit cryptocurrency over the same time period (31% of total receipts), Buy-bitcoin, which received $11 million (27%) and other firms with substantial exposure.

Grauer said a normal exposure for an exchange or other cryptocurrency business would be far under 1%.

Though the research into Russia provides the most insight into the type of crime affecting enterprise, other data from the report has substantial geopolitical implications. Iran, for example has used three Bitcoin mining pools to generate $186 million since 2015 to evade sanctions, "most of it within the past year." Other pools not tracked by Chainalysis, the report notes, likely generated even more.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.