Chainalysis is a blockchain analysis company. They provide data, software, services, and research to government agencies, exchanges, financial institutions, and insurance and cybersecurity companies in over 50 countries.
The company has released the 2021 Crypto Crime Report on blockchain analysis showing connections between four of 2020’s biggest ransomware strains.
Cybersecurity researchers point out that many RaaS affiliates carrying out attacks switch between different strains, and many believe that seemingly distinct strains are controlled by the same people.
Using blockchain analysis, experts investigated potential connections between four of the 2020s most prominent ransomware strains: Maze, Egregor, SunCrypt, and Doppelpaymer.
Experts say all four ransomware strains use the RaaS model, which means that affiliates carry out the ransomware attacks themselves and pay a percentage of each victim payment back to the strain’s creators and administrators.
All four also use the “double extortion” strategy of not just withholding victims’ data but also publishing pieces of it online as an extra incentive for victims to pay the ransom.
As shown above, Egregor only became active just before Q4 2020 (mid-September to be specific), soon after the Maze strain became inactive. Some cybersecurity researchers see this as evidence that Maze and Egregor are linked in some way.
Bleeping Computer noted that “Maze and Egregor share much of the same code, the same ransom note, and have very similar victim payment sites”.
Blockchain analysis suggests affiliate Overlap and other possible connections between the four Ransomware Strains
Maze and SunCrypt:
Using the company’s Reactor software to connect cryptocurrency transactions to real-world entities, Chainalysis found strong evidence that a Maze ransomware affiliate also worked for SunCrypt. In the graph (above), 9.55 Bitcoin – worth over £300,000 – had been sent by the Maze affiliate to an address labelled ‘Suspected SunCrypt admin.’
Egregor and Doppelpaymer:
Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet. An egregor-labelled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.
Maze and Egregor:
Both strains’ victim payments’ wallets have sent funds to two deposit addresses at a prominent cryptocurrency exchange via intermediary wallets. Chainalysis believes both the ransomware strains appear to be using the same money-laundering infrastructure.
“While this doesn’t suggest that Maze and Egregor share the same administrators or affiliates, it’s still an important potential lead for law enforcement,” the report stated. “Cryptocurrency-related crime isn’t worthwhile if there’s no way to convert illicitly-gained funds into cash.
By going after bad actors like the money-laundering service or corrupt brokers, law enforcement could significantly slow down the ability of Maze and Egregor to operate profitably.
“Regardless of the exact depth and nature of these connections, the evidence suggests that the ransomware world is smaller than expected,” Chainalysis added. This information can be a force multiplier for law enforcement. If they can identify and act against groups controlling multiple ransomware strains, then they’ll be able to halt or impact the operations of several strains with one takedown.”