New research from SecAlliance: The rise of cryptocurrencies in ransomware payments

Published on: August 22, 2023

According to recent research from SecAlliance, the increasing prevalence of ransomware attacks and the adoption of cryptocurrency as a means of ransom payment pose considerable obstacles in the efforts to track and disrupt the illicit movement of funds.

The report, titled "Use of Cryptocurrencies by Ransomware Groups," explores the utilisation of cryptocurrencies by ransomware groups for illicit payments and the various techniques they employ to launder the acquired funds.

This research delves into the tactics used by ransomware groups in laundering cryptocurrency and the methodologies for tracking these activities. It also looks at topics such as the legal frameworks that are in place to regulate cryptocurrency and highlights the importance of international collaboration in effectively combating the illicit flow of funds associated with ransomware attacks.

Bitcoin continues to be the most widely used cryptocurrency among these groups, primarily because of its widespread adoption and accessibility. Monero is increasingly gaining attention for its advanced privacy features, while Ethereum is becoming popular due to its use in Non-Fungible Tokens (NFTs) and decentralised applications (dApps).

Ransomware groups commonly demand payment in cryptocurrency to wallets under their control. They then use a variety of techniques to launder the funds and convert them into traditional currency, including fiat off-ramps, peer-to-peer exchanges, online marketplaces, and mixing services, all of which can be used to obscure the origin and ownership of the funds.

Tracking cryptocurrency transactions in ransomware attacks is a particularly challenging task as ransomware operators have become more cautious. They now refrain from sharing wallet addresses in their ransom demands, making it even more difficult to trace the flow of funds.

The report acknowledges that efforts have been taken to enhance regulations and implement fresh sanctions in the cryptocurrency sector. Regulatory bodies such as the IRS, FinCEN, SEC, and CFTC in the United States, as well as ESMA and FCA in Europe, are responsible for enforcing regulations and overseeing compliance. The Financial Action Task Force (FATF) offers comprehensive global guidance on the application of anti-money laundering standards to cryptocurrency assets.

The report examines the ways in which cybercriminals employ cryptocurrencies, as well as centralised and decentralised exchanges, for their illicit activities. It emphasises the importance of international authorities collaborating to address the issue of illicit funds linked to ransomware attacks.

The process of tracking cryptocurrency transactions through blockchain analysis tools is explained, using an example of tracing the ransom payment for the Colonial Pipeline attack. It demonstrates how funds can be moved through multiple wallets and highlights the role of exchanges and money mules in the process.

Data in the report shows that most funds linked to ransomware activity that flowed towards fiat off-ramp addresses (i.e. addresses where cryptocurrency is exchanged for fiat currency) originated from just 21 wallets. This implies that a significant portion of illicit funds is controlled by a relatively small number of wallet owners, pointing to a possible interconnected network or affiliations among various ransomware groups. It is probable that even ransomware actors who appear unrelated are being overseen by the same individuals.
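To illustrate the tracing described above (following a ransom payment through intermediate wallets to off-ramp addresses) and the concentration analysis behind the 21-wallet observation, here is an added example that is not code from SecAlliance or the report. It works on a small constructed ledger with placeholder wallet labels, not real on-chain addresses, and computes for each off-ramp which seed wallets ultimately fund it.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (from_wallet, to_wallet, amount). Labels are
# placeholders invented for this example, not real on-chain identifiers.
TRANSFERS = [
    ("ransom_A", "hop1", 75.0),
    ("hop1", "hop2", 40.0),
    ("hop1", "hop3", 35.0),
    ("hop2", "exchange_X", 40.0),
    ("hop3", "mixer_M", 35.0),
    ("mixer_M", "exchange_Y", 20.0),
    ("ransom_B", "hop4", 10.0),
    ("hop4", "exchange_X", 10.0),
    ("unrelated", "exchange_Y", 5.0),
]

# Addresses an analyst has labelled as fiat off-ramps (assumed labels).
OFF_RAMPS = {"exchange_X", "exchange_Y"}


def build_graph(transfers):
    """Adjacency list: wallet -> [(next_wallet, amount), ...]."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def trace_to_offramps(graph, seed, off_ramps, max_hops=6):
    """Breadth-first search from a seed wallet to any off-ramp.

    Returns [(path, bound)], where bound is the smallest transfer on the
    path, i.e. an upper bound on how much of the seed's funds it could carry.
    """
    found = []
    queue = deque([(seed, (seed,), float("inf"), 0)])
    while queue:
        node, path, bound, hops = queue.popleft()
        if node in off_ramps:
            found.append((path, bound))
            continue
        if hops >= max_hops:
            continue
        for nxt, amt in graph.get(node, []):
            if nxt not in path:  # skip cycles (e.g. change returned to sender)
                queue.append((nxt, path + (nxt,), min(bound, amt), hops + 1))
    return found


def offramp_sources(transfers, off_ramps, seeds):
    """Map each off-ramp to the sorted seed wallets that reach it."""
    graph = build_graph(transfers)
    sources = defaultdict(set)
    for seed in seeds:
        for path, _ in trace_to_offramps(graph, seed, off_ramps):
            sources[path[-1]].add(seed)
    return {k: sorted(v) for k, v in sources.items()}
```

Run against real chain data, the graph would come from an indexer and the off-ramp labels from an attribution dataset; the traversal and concentration count stay the same.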

There are several regulations and sanctions imposed on cryptocurrency-related businesses to combat illicit activity. The report covers the actions of regulatory bodies such as FinCEN, ESMA, FCA, and the United States government's Joint Ransomware Task Force. The Office of Foreign Assets Control (OFAC) plays a crucial role in enforcing economic sanctions and monitoring compliance.

The report emphasises the need for international cooperation, a global approach to sanctions, standard regulations and continuous technological advancements to effectively combat the illicit use of cryptocurrencies by ransomware groups. But of course, it’s worth noting that achieving comprehensive international cooperation may be challenging due to geopolitical tensions and varying interests among countries.

SecAlliance suggests that the continuous development and refinement of blockchain monitoring technology is crucial for tracking illicit transactions and identifying individuals involved in money laundering activities. By collaborating with private companies and investing in research and development, law enforcement agencies can enhance their capabilities in detecting suspicious activities and staying ahead of evolving cybercriminal tactics.

It is only through collaborative efforts that the global community can mitigate the risks associated with crypto-related crimes and ensure the integrity and security of the financial ecosystem.

The report suggests that by addressing these challenges collectively, law enforcement bodies can work towards a safer and more secure environment for the use and adoption of cryptocurrencies in the future.

Achieving comprehensive international cooperation requires a strong diplomatic relationship. This will be challenging in the short-medium term due to ongoing geopolitical tensions. Some countries may also benefit from the illicit use of cryptocurrencies, which can lead to a lack of willingness to cooperate fully in combating these crimes.

The full report is exclusively available on ThreatMatch for our ThreatMatch subscribers.