Ransomware actors are laundering hundreds of millions of dollars through pseudo-legitimate cryptocurrency exchanges, while the early-stage malware that is often used to facilitate their attacks has become the most popular malware in the world.
According to new analysis from Check Point, Emotet was the most popular malware variant in December, accounting for 7% of the organizations attacked for the month and hitting 100,000 users every day as Christmas and New Year's approached. After similar stints on top in September and October, the trojan saw a drop-off in November before roaring back ahead of the holidays. The malware “has now been updated with new malicious payloads and improved detection evasion capabilities.”
Emotet’s role as one of the primary loaders for ransomware means it will likely continue to be one of the most widely used pieces of malware on the planet throughout 2021. The same is true for the next most popular malware, Trickbot, which impacted 4% of organizations and helps enable everything from ransomware and data theft to cryptojacking.
Other variants in the top 10, like Dridex and QBot, are also increasingly used in the kill chains of ransomware groups such as Egregor. Egregor – which has been absorbing operators and infrastructure from once-rival Maze Group in recent months – was the subject of an FBI industry alert obtained by BleepingComputer earlier this week. The group has claimed to have infected at least 150 victims, and the bureau warned that its collaborative ransomware-as-a-service model makes its operations both extremely flexible and hard to detect.
“Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation,” the FBI alert reads.
Groups like Egregor also rely heavily on cryptocurrency payments and on transactions with pseudo-legitimate online cryptocurrency exchanges in order to cash out. Ryuk, a ransomware strain that some analysts left for dead as recently as last year, has returned with a vengeance and now accounts for approximately one out of every five ransomware attacks observed by some threat intelligence organizations.
New research from Advanced Intelligence traced payments from Ryuk ransomware attacks to 61 different deposit addresses, most of which were sent to Huobi and Binance, both of which “claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply.” Those laws include certain identity disclosure requirements that would be problematic for a ransomware actor to satisfy.
“Both exchanges require identity documents in order to exchange cryptocurrencies for fiat or to make transfers to banks, however it isn’t clear if the documents they accept are scrutinized in any meaningful way,” write researchers Vitali Kremez and Brian Carter. “A legal authority can request identity details for the individuals receiving the payments.”
Ryuk operators also get “a significant” amount of their money from an unnamed third-party broker, who can sometimes dole out payments in the millions of dollars. Overall, Advanced Intelligence traced more than $150 million in Bitcoin transactions back to Ryuk actors. The research underscores how important cryptocurrency tracing has become to both law enforcement and private sector efforts to track, expose and degrade the money-making schemes of ransomware specifically and cybercrime generally.