Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency
By Bryan Palma · August 9, 2022
This summer I had the honor of providing a statement to the U.S. Senate Homeland Security & Governmental Affairs Committee during its hearing on the topic, “Rising Threats: Ransomware Attacks and Ransom Payments Enabled by Cryptocurrency.” Here are a few highlights on why this is a concern for me and Trellix, given our work to help organizations detect, respond to and remediate threats every day.
Cryptocurrency: A dark veil
Cryptocurrency has become an almost universal form of payment in ransomware attacks. It helps criminals extort massive amounts of money from victims quickly. Because it is decentralized and distributed, malicious actors can easily hide transactions and make it difficult for authorities to track, confiscate their illicit gains and punish them with enforcement action.
In 2020, malicious actors extorted $692 million in cryptocurrency from ransomware attacks, up from $152 million in 2019, representing close to a 300% increase over a two-year period.
Following the money: The Sodinokibi case
Trellix Threat Labs continuously researches threats using our sensors worldwide. Recently, we analyzed a ransomware-as-a-service known as Sodinokibi, or REvil. We discovered it involved generating a unique bitcoin (BTC) wallet for every single victim, as well as for every Sodinokibi affiliate.
By linking underground forum posts with BTC transfer traces, we were able to uncover new information on the size of the campaign. We also uncovered what the affiliates do with their earnings following a successful attack. What did we learn from this analysis? Paying ransomware actors keeps the ransom model alive and drives other types of crime.
In 2021, Europol credited us with providing research which led to the arrest of five Sodinokibi affiliates and the identification of “master-wallets” that were also seized by authorities. The affiliates were digital thieves who demanded more than 200 million euros in ransom from their victims. With most of its infrastructure dismantled, the gang was nudged off the stage as a major player, though it continues its criminal activities at some level, even today. In my statement, I shared other groups we research, including LockBit, Cuba, Conti and Netwalker ransomware.
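To make the "following the money" idea concrete, here is an added illustration of the tracing step the case describes: starting from the per-victim payment wallets, follow outgoing BTC transfers hop by hop and count which downstream addresses are fed by many victims, which is how a shared consolidation or "master" wallet stands out. This is example code written for this post, not Trellix Threat Labs' tooling, and the ledger, address names, affiliate handles and split ratios are all constructed placeholders, not real chain data.

```python
from collections import defaultdict, deque

# Constructed sample ledger (placeholder addresses, not real chain data).
# Each entry: (txid, from_address, to_address, amount in satoshis).
SAMPLE_TXS = [
    # victims pay into the unique wallet generated for each of them
    ("tx01", "victim_acme",  "w_victim_1", 200_000_000),
    ("tx02", "victim_beta",  "w_victim_2", 150_000_000),
    ("tx03", "victim_gamma", "w_victim_3", 300_000_000),
    ("tx04", "victim_delta", "w_victim_4",  50_000_000),
    # each victim wallet is split between an affiliate and the operator
    ("tx05", "w_victim_1", "w_affiliate_a", 140_000_000),
    ("tx06", "w_victim_1", "w_operator",     60_000_000),
    ("tx07", "w_victim_2", "w_affiliate_a", 105_000_000),
    ("tx08", "w_victim_2", "w_operator",     45_000_000),
    ("tx09", "w_victim_3", "w_affiliate_b", 210_000_000),
    ("tx10", "w_victim_3", "w_operator",     90_000_000),
    ("tx11", "w_victim_4", "w_affiliate_b",  35_000_000),
    ("tx12", "w_victim_4", "w_operator",     15_000_000),
    # affiliates move their share onward
    ("tx13", "w_affiliate_a", "exchange_deposit_x", 245_000_000),
    ("tx14", "w_affiliate_b", "exchange_deposit_y", 245_000_000),
    # unrelated traffic that should never be attributed
    ("tx15", "random_user", "random_shop", 20_000_000),
]

# Seeds: the per-victim wallets identified from ransom notes (constructed).
VICTIM_WALLETS = ["w_victim_1", "w_victim_2", "w_victim_3", "w_victim_4"]

# Constructed mapping of addresses seen in underground forum posts to the
# handle that posted them; this is the "linking forum posts" step.
FORUM_LABELS = {"w_affiliate_a": "forum handle 'aff-a'",
                "w_affiliate_b": "forum handle 'aff-b'"}


def build_graph(txs):
    """Adjacency list: from_address -> [(to_address, amount, txid)]."""
    graph = defaultdict(list)
    for txid, src, dst, amount in txs:
        graph[src].append((dst, amount, txid))
    return graph


def trace_forward(graph, seed, max_hops):
    """Breadth-first walk of outgoing transfers; returns {address: hops}."""
    reached = {}
    queue = deque([(seed, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for dst, _amount, _txid in graph.get(addr, []):
            if dst not in reached or reached[dst] > hops + 1:
                reached[dst] = hops + 1
                queue.append((dst, hops + 1))
    return reached


def find_consolidation_wallets(txs, seeds, max_hops=3, min_seeds=2):
    """Addresses reachable from at least min_seeds victim wallets,
    sorted by how many victims feed them (most first)."""
    graph = build_graph(txs)
    seeds_reaching = defaultdict(set)
    for seed in seeds:
        for addr in trace_forward(graph, seed, max_hops):
            seeds_reaching[addr].add(seed)
    results = [(addr, len(s)) for addr, s in seeds_reaching.items()
               if len(s) >= min_seeds]
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


def total_extorted(txs, seeds):
    """Sum of payments into the victim wallets from outside the seed set."""
    seed_set = set(seeds)
    return sum(a for _, src, dst, a in txs
               if dst in seed_set and src not in seed_set)


def inbound_total(txs, address):
    """Total satoshis ever received by one address."""
    return sum(a for _, _src, dst, a in txs if dst == address)


if __name__ == "__main__":
    print("campaign size:", total_extorted(SAMPLE_TXS, VICTIM_WALLETS), "sat")
    for addr, n in find_consolidation_wallets(SAMPLE_TXS, VICTIM_WALLETS):
        label = FORUM_LABELS.get(addr, "unlabelled")
        print(f"{addr}: fed by {n} victims, received "
              f"{inbound_total(SAMPLE_TXS, addr)} sat ({label})")
```

On this constructed ledger the operator wallet is reached from all four victim wallets and the two affiliate wallets from two each, while the unrelated shop address is never attributed. On a real chain the same walk has to cope with mixers, exchange hot wallets that aggregate many unrelated users, and change outputs, so a high seed count is a lead for investigators to corroborate with forum and seizure evidence, not proof on its own.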
Action needed: Congress and the Executive Branch must explore these trends
The relationship of cryptocurrency to ransomware urgently needs further exploration. I urged our policy leaders to centralize reporting of ransomware attacks and their associated payments across federal agencies and to adhere to the recommendations in the recently released report by the Senate Homeland Security & Governmental Affairs Committee, entitled Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns.
If our elected leaders make this a priority, we can make an enormous difference in this area.