A joint investigation by Advanced Intelligence and HYAS has identified 61 Bitcoin wallets allegedly linked to Ryuk ransomware trading groups, finding that this cryptocurrency circulates mainly through Huobi and Binance. Experts report that, when a ransomware victim pays the ransom, the payment first reaches a broker, who forwards it to the malware traders; from there it passes through a money laundering service or goes directly into the hands of criminal groups.
Experts also mention other significant cryptocurrency flows leading to addresses that handle smaller amounts associated with criminal services. According to the report, one of the largest cryptocurrency transactions observed was over $5 million (35 Bitcoin); however, this is not the highest amount that has been paid as a ransom to Ryuk traders.
Experts mention that, without considering their operating expenses, Ryuk operators made more than $150 million USD in profits during 2020.
Although cashing out these ransoms is a complex task, Ryuk's operators have established a mechanism that allows them to manage millions of fraudulently obtained dollars despite the constant work of the authorities. A key opportunity for identifying the criminals arises when cryptocurrency is converted to cash or other kinds of virtual assets, although Huobi and Binance might be more permissive at this step.
This malware variant has been active for at least two years and has already accumulated a long list of victims of all kinds. Over the past few months, this group of threat actors focused its efforts on attacking health service organizations, further complicating things in pandemic times.
Ryuk is characterized by the rigidity of its operators, who do not usually negotiate ransom fees. It is difficult to gauge the volume of these groups' profits, as the cost of their operations is completely unknown.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator. He has also worked for different security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.