In recent times, Ransomware-as-a-Service (RaaS) has become an alluring and lucrative enterprise. According to researchers, blockchain transactions prove that ransomware attacks are interconnected.
A report by researchers connects the four major ransomware families of 2020: Egregor, SunCrypt, DoppelPaymer, and the now-defunct Maze. Along with various other connections, analysis of the blockchain showed affiliates overlapping between these four ransomware gangs.
- After the fall of Maze, Egregor came into prominence. Some experts believe that Maze rebranded as Egregor after most of its affiliates moved to the Egregor ransomware. Additionally, Maze and Egregor share similarities in code, ransom notes, and victim payment sites.
- Evidence linking a Maze RaaS affiliate to SunCrypt RaaS has been detected: the Maze affiliate sent 9.55 Bitcoin to an address labeled "Suspected SunCrypt admin".
- Similar relationships have been found to exist between Egregor and DoppelPaymer. Egregor sent approximately $850,000 to an alleged DoppelPaymer admin wallet.
These connections do not give enough evidence to suggest that these groups have a common admin, but it is certain that there are affiliate overlaps. They also suggest that Maze and Egregor have the same OTC brokers that convert cryptocurrency into cash.
Last year, ransomware operators made at least $350 million in ransom payments, and most of the funds moved to cryptocurrency exchanges.
Between August and December 2020, only 199 deposit addresses received 82% of the funds, while a smaller group of 25 addresses received 46%. The smaller group made more than $63 million worth of Bitcoin.
The fluidity of the ransomware market is evident from these observations. Our internal experts believe that the interconnected landscape is a good thing when it comes to law enforcement, as the ransomware world is smaller than we are made to believe. Consequently, the takedown of ransomware families might be expedited.