Friday, July 19, 2024

Connections Between Four of 2020’s Biggest Ransomware Strains Found

Chainalysis is a blockchain analysis company. They provide data, software, services, and research to government agencies, exchanges, financial institutions, and insurance and cybersecurity companies in over 50 countries.

The company has released the 2021 Crypto Crime Report on blockchain analysis showing connections between four of 2020’s biggest ransomware strains.

Cybersecurity researchers point out that many RaaS affiliates carrying out attacks switch between different strains, and many believe that seemingly distinct strains are controlled by the same people.

Using blockchain analysis, experts investigated potential connections between four of the 2020s most prominent ransomware strains: Maze, Egregor, SunCrypt, and Doppelpaymer.

Experts say all four ransomware strains use the RaaS model, which means that affiliates carry out the ransomware attacks themselves and pay a percentage of each victim payment back to the strain’s creators and administrators.

All four also use the “double extortion” strategy of not just withholding victims’ data but also publishing pieces of it online as an extra incentive for victims to pay the ransom.

As shown above, Egregor only became active just before Q4 2020 (mid-September to be specific), soon after the Maze strain became inactive. Some cybersecurity researchers see this as evidence that Maze and Egregor are linked in some way.

Blockchain analysis suggests affiliate Overlap and other possible connections between the four Ransomware Strains

Maze and SunCrypt:

Using the company’s Reactor software to connect cryptocurrency transactions to real-world entities, Chainalysis found strong evidence that a Maze ransomware affiliate also worked for SunCrypt. In the graph (above), 9.55 Bitcoin – worth over £300,000 – had been sent by the Maze affiliate to an address labelled ‘Suspected SunCrypt admin.’

Egregor and Doppelpaymer:

Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet. An egregor-labelled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.

Maze and Egregor:

Both strains’ victim payments’ wallets have sent funds to two deposit addresses at a prominent cryptocurrency exchange via intermediary wallets. Chainalysis believes both the ransomware strains appear to be using the same money-laundering infrastructure.

“While this doesn’t suggest that Maze and Egregor share the same administrators or affiliates, it’s still an important potential lead for law enforcement,” the report stated. “Cryptocurrency-related crime isn’t worthwhile if there’s no way to convert illicitly-gained funds into cash.

By going after bad actors like the money-laundering service or corrupt brokers, law enforcement could significantly slow down the ability of Maze and Egregor to operate profitably.

 “Regardless of the exact depth and nature of these connections, the evidence suggests that the ransomware world is smaller than expected,” Chainalysis added. This information can be a force multiplier for law enforcement. If they can identify and act against groups controlling multiple ransomware strains, then they’ll be able to halt or impact the operations of several strains with one takedown.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles