Thursday, March 28, 2024

Connections Between Four of 2020’s Biggest Ransomware Strains Found

Chainalysis is a blockchain analysis company. They provide data, software, services, and research to government agencies, exchanges, financial institutions, and insurance and cybersecurity companies in over 50 countries.

The company has released the 2021 Crypto Crime Report on blockchain analysis showing connections between four of 2020’s biggest ransomware strains.

Cybersecurity researchers point out that many RaaS affiliates carrying out attacks switch between different strains, and many believe that seemingly distinct strains are controlled by the same people.

Using blockchain analysis, experts investigated potential connections between four of the 2020s most prominent ransomware strains: Maze, Egregor, SunCrypt, and Doppelpaymer.

Experts say all four ransomware strains use the RaaS model, which means that affiliates carry out the ransomware attacks themselves and pay a percentage of each victim payment back to the strain’s creators and administrators.

All four also use the “double extortion” strategy of not just withholding victims’ data but also publishing pieces of it online as an extra incentive for victims to pay the ransom.

As shown above, Egregor only became active just before Q4 2020 (mid-September to be specific), soon after the Maze strain became inactive. Some cybersecurity researchers see this as evidence that Maze and Egregor are linked in some way.

Blockchain analysis suggests affiliate Overlap and other possible connections between the four Ransomware Strains

Maze and SunCrypt:

Using the company’s Reactor software to connect cryptocurrency transactions to real-world entities, Chainalysis found strong evidence that a Maze ransomware affiliate also worked for SunCrypt. In the graph (above), 9.55 Bitcoin – worth over £300,000 – had been sent by the Maze affiliate to an address labelled ‘Suspected SunCrypt admin.’

Egregor and Doppelpaymer:

Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet. An egregor-labelled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.

Maze and Egregor:

Both strains’ victim payments’ wallets have sent funds to two deposit addresses at a prominent cryptocurrency exchange via intermediary wallets. Chainalysis believes both the ransomware strains appear to be using the same money-laundering infrastructure.

“While this doesn’t suggest that Maze and Egregor share the same administrators or affiliates, it’s still an important potential lead for law enforcement,” the report stated. “Cryptocurrency-related crime isn’t worthwhile if there’s no way to convert illicitly-gained funds into cash.

By going after bad actors like the money-laundering service or corrupt brokers, law enforcement could significantly slow down the ability of Maze and Egregor to operate profitably.

 “Regardless of the exact depth and nature of these connections, the evidence suggests that the ransomware world is smaller than expected,” Chainalysis added. This information can be a force multiplier for law enforcement. If they can identify and act against groups controlling multiple ransomware strains, then they’ll be able to halt or impact the operations of several strains with one takedown.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles