Payment trends associated with ransomware attacks


Ransomware is a type of malicious software (malware) that encrypts data or programs on computer systems to extort ransom payments from victims to decrypt the information and restore victims’ access to systems or data.

In some cases, the perpetrators threaten to publish sensitive files belonging to the victims, who can be individuals or businesses (including financial institutions). A ransomware attack can have serious and far-reaching consequences, including losing sensitive, proprietary, and critical information and business functionality.

Cybercriminals, who use ransomware, frequently use common tactics like large-scale phishing and targeted spear-phishing campaigns that trick victims into downloading a malicious file or visiting a malicious website, exploiting remote desktop protocol endpoints and software vulnerabilities, or launching “drive-by” malware attacks that infect legitimate websites with malicious code.

Payment processing for ransomware is typically a multi-step process involving at least one depository institution and one or more entities that facilitate victim payments directly or indirectly, such as money services businesses (MSB). Convertible virtual currency (CVC), the preferred payment method of ransomware perpetrators, is used in most ransomware schemes. After receiving the ransom demand, a ransomware victim will typically send funds to a CVC exchange via wire transfer, automated clearinghouse, or credit card payment to purchase the type and amount of CVC specified by the ransomware perpetrator.

The victim or an entity acting on the victim’s behalf then sends the CVC to the perpetrator’s designated account or CVC address, usually from a wallet hosted at the exchange. The perpetrator then converts the funds into other CVCs using various methods, including mixers, tumblers, and chain hopping. Smaller “smurfing” transactions involving multiple people and spanning a variety of CVC addresses, accounts, and exchanges, including peer-to-peer (P2P) and nested exchanges, are possible. Criminals prefer to launder ransomware proceeds in countries with lax anti-money laundering and counter-terrorist financing (AML/CFT) regulations.

This article will cover some of the top payment methods that have been linked to ransomware attacks. Detecting and reporting ransomware payments is critical for holding ransomware attackers accountable and preventing ransomware proceeds from being laundered.

1. Anonymity-Enhanced Cryptocurrencies (AECs)

Ransomware payments are usually denominated in CVCs, the most common of which is Bitcoin. However, they are increasingly requiring or incentivizing victims to pay in AECs that use anonymizing features like mixing and cryptographic enhancements to reduce the transparency of CVC financial flows. Cybercriminals have even offered victims who pay their ransoms in AECs a discount.

2. Unregistered CVC Mixing Services

Cybercriminals frequently use mixers to obfuscate their illicit activities and protect their illicit gains. By combining CVC belonging to other mixer users and splitting the value into many small pieces that pass through several different intermediary accounts, mixers aim to “break” the connection between the sender and the receiver of the CVC transaction. As a result, cybercriminals trade CVCs directly linked to a specific crime for CVCs of equal value originating from different sources. Anonymizing service providers and anonymizing software providers are both included in the mix.

3. Cashing Out Through Foreign CVC Exchanges

Cybercriminals frequently use CVC exchanges with lax compliance controls or operate in jurisdictions with little regulatory oversight to launder and cash out their illicit proceeds. These exchanges are frequently used in high-risk jurisdictions or lack effective information-sharing agreements with other countries. Cybercriminals and their affiliates could use these exchanges to convert the “dirty” CVC to their preferred legal tender or fiat currency, allowing them to reintegrate into the financial system.

4. Partnerships and Sharing Resources

Ransomware-as-a-service (RaaS) is a business model between ransomware operators and affiliates, in which ransomware developers sell or otherwise deliver ransomware software to individuals or groups who have separately gained illicit access to the victim network. Many cybercriminals with various skill levels use RaaS to monetize their illicit access by infecting computer networks with ransomware. The RaaS developer frequently receives a percentage of any ransom paid by the victim as part of the profit-sharing arrangement. The DarkSide ransomware, which cyber criminals used against Colonial Pipeline in early 2021, is a recent example of this model.