Blockchain analysis shows that funds paid in extortion are laundered through services primarily catering to Russian users.
Recently published research by Chainalysis shows that a staggering 74% of all ransomware revenue went to threat actors affiliated with Russia last year.
In other words, around $400 million worth of cryptocurrency ended up filling the pockets of cyber criminals connected to Russia in some form.
Unsurprisingly, researchers claim that Moscow's financial district plays a critical role in soliciting money laundering activities for cybercriminals.
How do they know?
Researchers tie specific ransomware strains to Russia based on several criteria. One of the most obvious criteria is affiliations with EvilCorp, a Russia-based gang of cybercriminals with suspected ties to the Russian government.
Another indication of links to Russia is restraint from attacking countries that belong to the Commonwealth of Independent States (CIS), a block that unites nine former members of the Soviet Union.
"Many ransomware strains contain code that prevents the encryption of files if it detects the victim's operating system is located in a CIS country," reads the report.
In other cases, cybercriminals provided CIS-based organizations with decryptors instead of taking the ransom.
The third indicator of Russian affiliation is the language of a ransomware strain, location-specific settings, and other indicators linking beneficiary groups to Russia.
According to the researchers, blockchain analysis combined with web traffic data points to ransom revenue going to Russian users.
"Overall, roughly 74% of ransomware revenue in 2021 — over $400 million worth of cryptocurrency — went to strains we can say are highly likely to be affiliated with Russia in some way," Chainalysis researchers claim.
26.4% of ransomware revenue is affiliated to Russia by CIS-avoiding criteria, while 9.9% went to EvilCorp, and 36.4% are affiliated via other Russian connections.
It is estimated that 13% of total ransomware revenue went to users directly in Russia, more than any other region.
An analysis of cryptocurrency businesses based in Moscow's financial district, also known as Moscow City, points to companies partaking in money laundering activities.
According to Chainalysis, these businesses receive hundreds of millions of dollars worth of cryptocurrency per quarter, with totals peaking at nearly $1.2 billion in the second quarter of 2021.
It is estimated that illicit and risky addresses make up between 29% and 48% of all funds received by Moscow City crypto businesses.
"In total, across the three-year period studied, these businesses have received nearly $700 million worth of cryptocurrency from illicit addresses, which represents 13% of all value they've received in that time," reads the report.
The majority of the illicit funds in Moscow City, $313 million, are linked to scams, while an additional $296 are attributed to darknet markets. Ransomware is estimated to add another $38 million to the mix.
The report claims that while some Moscow City-based crypto businesses are large enough to 'miss' the illicit funds due to large overall revenues, others can hardly be given the benefit of the doubt.
"But for other Moscow City cryptocurrency businesses, illicit funds make up as much as 30% or more of all cryptocurrency received, which suggests those businesses may be making a concerted effort to serve a cybercriminal clientele," reads the report.
It's worth noting that more than half of crypto businesses suspected to be compliant in money laundering activities are based in the same building – the Federation Tower.
Cyberattacks are increasing in scale, sophistication, and scope. The last 18 months were ripe with major high-profile cyberattacks, such as the SolarWinds hack, attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya.
The prevalence of ransomware has forced governments to take multilateral action against the threat. It's likely a combined effort allowed to push the infamous REvil and BlackMatter cartels offline and arrest the Cl0p ransomware cartel members.
Recent arrests of Revil ransomware affiliates in Russia caused shockwaves in the criminal underground. The arrests made many threat actors uneasy since many felt local authorities would turn a blind eye if victims of ransomware attacks were outside Russia.
A recent report by Digital Shadows' Photon Research Team shows concerns about possible arrests and confiscation of property became a lot more common.
Gangs, however, either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group with a whopping list of 203 victims in Q3 of 2021 alone.
More from CyberNews:
Subscribe to our newsletter