The infamous operators of the Ryuk ransomware have amassed a fortune of at least $150m, according to researchers who studied the flow of Bitcoin to the group.
A new report from US threat prevention firm AdvIntel and UK-based threat intelligence vendor Hyas is based on analysis of 61 cryptocurrency deposit addresses linked to Ryuk.
Most of the digital currency the group collects is sent to Asia-based exchanges Huobi or Binance, which may help them to escape scrutiny, the report authors argued.
“Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply. In addition, both Huobi and Binance are companies that were founded by Chinese nationals but moved their business to other countries that are more friendly to cryptocurrency exchanges,” the researchers explained.
“Both exchanges require identity documents in order to exchange crypto-currencies for fiat or to make transfers to banks; however, it isn’t clear if the documents they accept are scrutinized in any meaningful way.”
The team were also able to observe “significant flows” of Bitcoin to smaller entities. These are likely to be criminal enterprises set up to help launder funds into local currencies or other types of digital money.
As a further step to obfuscate their true identity, the Ryuk attackers get victims to pay a well-known broker, who in turn makes payments to the group, sometimes in the millions but more likely in the hundreds of thousands of dollars.
Any money not cashed out at the two Asian exchanges is used to pay for goods and services on cybercrime markets, the report claimed.
Two unique Protonmail addresses are prepared to communicate with each victim. Victim organizations are selected according to a scoring system in precursor malware used by the attackers, which apparently assesses their likelihood of paying.
“With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose or ability of the victims to pay,” the researchers continued.
“Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”
The report recommended organizations develop counter-measures to prevent initial infection by precursor malware like Emotet or Zloader. All remote access points should require multi-factor authentication (MFA), and Office macros and remote access tools should be restricted, it added.
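One practical form of the macro restriction the report recommends, as an added example that is not from the report or its authors: a PowerShell script that audits, and optionally enforces, the per-user Office macro policy keys on a Windows host. It assumes Office 2016/2019/365 (registry version 16.0) and uses the documented policy values VBAWarnings and blockcontentexecutionfrominternet.

```powershell
# Added example (not from the report): audit and optionally enforce Office macro policy
# for Word, Excel and PowerPoint via the per-user policy registry keys.
# Assumption: Office 16.x registry layout (2016/2019/Microsoft 365).
param([switch]$Enforce)

$apps = 'Word', 'Excel', 'PowerPoint'
$officeVersion = '16.0'   # assumption: adjust for other Office builds

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # VBAWarnings: 3 = only digitally signed macros run, 4 = all macros disabled silently
    $warn = if ($current) { $current.VBAWarnings } else { $null }
    # blockcontentexecutionfrominternet: 1 = block macros in files downloaded from the internet
    $block = if ($current) { $current.blockcontentexecutionfrominternet } else { $null }

    $ok = ($warn -in 3, 4) -and ($block -eq 1)
    $state = if ($ok) { 'OK' } else { 'WEAK' }
    Write-Output ("{0}: VBAWarnings={1} blockInternet={2} -> {3}" -f $app, $warn, $block, $state)

    # Enforce the stricter setting only when asked to and only where the audit found a gap
    if ($Enforce -and -not $ok) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 3
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}
```

Run it without `-Enforce` to report the current state; in a managed environment the same values are normally pushed through Group Policy rather than set per host.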