Understanding the Use of Cryptocurrency by Ransomware Operators

Ransomware-as-a-Service (RaaS) has become a lucrative enterprise. According to research by Chainalysis, blockchain transactions show that ransomware operations are interconnected.

What does the research say?

The report connects the four major ransomware families of 2020: Egregor, SunCrypt, DoppelPaymer, and the now-defunct Maze. Blockchain analysis shows overlapping affiliates, along with other connections, between these four ransomware gangs.

Egregor came into prominence right after Maze shut down shop. Most of Maze's affiliates moved to Egregor, which has led some experts to suspect that Maze has rebranded as Egregor. In addition, Maze and Egregor share similarities in code, ransom notes, and victim payment sites.
Evidence of a connection between a Maze RaaS affiliate and SunCrypt RaaS has also been detected: the affiliate sent 9.55 Bitcoin to an address labeled Suspected SunCrypt admin.
A similar relationship exists between Egregor and DoppelPaymer: Egregor sent approximately $850,000 to an alleged DoppelPaymer admin wallet.

What does this imply?

Although these connections do not suggest that the groups share a common admin, it is certain that there are affiliate overlaps. It has also been determined that Maze and Egregor use the same OTC brokers to convert cryptocurrency into cash.

More insights

Ransomware operators received at least $350 million in ransom payments last year, and most of the funds move to cryptocurrency exchanges.
Only 199 deposit addresses receive 82% of the funds, and a smaller group of 25 addresses receives 46%. Between August and December 2020, that smaller group received more than $63 million worth of Bitcoin.
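As an added illustration, not code from the article or from Chainalysis, the following Python sketch runs the kinds of analysis the report describes (affiliate overlap across strains, shared cash-out points such as OTC brokers, and the concentration of inflows in a few deposit addresses) over a small constructed ledger. Every address, label and amount is made up for the example; the 9.55 BTC entry simply echoes the figure quoted above.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed ledger of (sender, receiver, amount in BTC). Every address is a placeholder
# invented for this example, not a real on-chain address; the labels mimic the kind of
# attribution (admin wallet, OTC broker, exchange deposit) that blockchain analysts maintain.
TXS: List[Tuple[str, str, float]] = [
    ("affiliate_A", "maze_admin", 12.0),
    ("affiliate_A", "egregor_admin", 8.0),
    ("affiliate_B", "maze_admin", 5.0),
    ("affiliate_B", "suncrypt_admin", 9.55),   # echoes the Maze-to-SunCrypt payment in the text
    ("affiliate_C", "doppelpaymer_admin", 3.0),
    ("egregor_admin", "doppelpaymer_admin", 20.0),
    ("maze_admin", "otc_broker_1", 15.0),
    ("egregor_admin", "otc_broker_1", 7.0),
    ("suncrypt_admin", "exchange_dep_1", 9.0),
    ("doppelpaymer_admin", "exchange_dep_2", 22.0),
]
# Assumed attribution of admin wallets to strains (constructed labels).
ADMIN_LABELS: Dict[str, str] = {
    "maze_admin": "Maze", "egregor_admin": "Egregor",
    "suncrypt_admin": "SunCrypt", "doppelpaymer_admin": "DoppelPaymer",
}

def affiliate_overlaps(txs):
    """Senders (not admin wallets themselves) that paid admin wallets of two or more strains."""
    strains = defaultdict(set)
    for src, dst, _ in txs:
        if dst in ADMIN_LABELS and src not in ADMIN_LABELS:
            strains[src].add(ADMIN_LABELS[dst])
    return {s: sorted(v) for s, v in strains.items() if len(v) > 1}

def shared_cashout(txs):
    """Off-ramp addresses (brokers, exchange deposits) funded by admin wallets of several strains."""
    strains = defaultdict(set)
    for src, dst, _ in txs:
        if src in ADMIN_LABELS and dst not in ADMIN_LABELS:
            strains[dst].add(ADMIN_LABELS[src])
    return {d: sorted(v) for d, v in strains.items() if len(v) > 1}

def top_k_share(txs, k):
    """Fraction of all received value that lands in the k addresses receiving the most."""
    totals = defaultdict(float)
    for _, dst, amt in txs:
        totals[dst] += amt
    ranked = sorted(totals.values(), reverse=True)
    return sum(ranked[:k]) / sum(ranked)
```

On real chain data the same three questions are asked over clustered wallets rather than single addresses, but the logic is the same: who pays into more than one strain, where the strains' proceeds converge, and how concentrated the off-ramp is.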

The ..
