In the past, the research conducted by Chainalysis has provided levels of insight into ransomware operations that were sorely lacking in the past. By following the “money”, largely in the form of the trail left by ransomware gangs who utilize cryptocurrencies as their main vehicle for conducting their shady extortion business, Chainalysis provides a view of the criminal underworld few would typically see. The last time this publication covered research conducted by the blockchain analysis firm, their research revealed that two hacker groups were responsible for 60% of crypto hacks behind cryptocurrency theft from exchanges.
The latest report by Chainalysis, “The Chainalysis 2021 Crypto Crime Report” will be released later in February. In the meantime the firm has published a supplementary article detailing the connections between four of last years most prominent ransom gangs, Maze, Egregor, SunCrypt, and Doppelpaymer. Previously it was theorized that that Ransomware as a Service (RaaS) affiliates will often switch between ransomware strains to generate more profit. This would imply that the number of active ransomware threat actors is smaller than the ransomware activity currently seen and that there is a level of interconnectedness that has only been speculated upon.
The four ransomware strains covered in the report all follow the RaaS business model, meaning that affiliates carry out the ransomware attacks themselves and pay a percentage of each victim payment back to the strain’s creators and administrators. In addition, all four are known for adopting the double extortion tactic of not only demanding a ransom but threatening to release stolen data if the ransom demands are not met. Maze, who now appears to have retired from ransomware related activity, was one of if not the first ransomware gang to make good on threats to publicly release sensitive data.
Analyzing the profit generated by each of the four ones can see Maze’s profit drop in line with their shutting down of operations. Egregor, who only really became active in the last quarter of 2020, seemed to take Maze’s market share in record time. Security researchers believe there is a link between Maze and Egregor. As Chainalysis points out,
“In early November, Maze’s operators said the strain was shutting down in a press release posted to its website, following a slowdown in activity. Soon after, most of its affiliates migrated to Egregor, leading some to believe that the Maze operators have simply rebranded as Egregor and instructed the affiliates to join. This is relatively common in ransomware, though it’s also possible that the affiliates have decided for themselves that Egregor is their best option. It’s even possible that the Maze affiliates became unhappy with the Maze operators, leading to the split. However, as noted by Bleeping Computer, Maze and Egregor share much of the same code, the same ransom note, and have very similar victim payment sites. Cybersecurity firm Recorded Future notes this too, as well as similarities between Egregor and a banking trojan called QakBot.”
Suncrypyt, as covered by Bleeping Computer, claimed that they were also part of the Maze Cartel, which at the time included Ragnar Locker and LockBit. Maze denied any affiliation with Suncrypt, however as the Chainalysis article points out,
“…the claim of a connection is also supported by a privately circulated report from threat intelligence firm Intel471 claiming that representatives from SunCrypt described their strain as a “rewritten and rebranded version of a ‘well-known’ ransomware strain.” Intel471’s report also claims that SunCrypt only works with a small number of affiliates at a time, whom the SunCrypt operators interview and vet extensively. Therefore, we believe any overlap in affiliates between SunCrypt and other ransomware strains would be more likely to suggest a deeper connection between the two strains, rather than just coincidence.”
Connections and Overlap
The murky world that ransomware developers and affiliates operate in is almost impenetrable to the average person on the street. This makes knowing and understanding their ecosystem difficult, to put it mildly. All the possible connections alluded to above were merely theories supported by some evidence but nothing that confirms any link between the four gangs mentioned above beyond a doubt. Analysis of the blockchains does seem to add more evidence to the circumstantial claims above of links and affiliate migration. Researchers first looked at the possible connections between SunCrypt and Maze.
By analyzing, cryptocurrency wallet transactions relating to how Maze paid affiliates could be determined. One such wallet was not only linked to Maze payments but also SunCrypt. As to payments to affiliates in general they receive the majority of the payment as they are the ones taking the most risk in distributing and executing the malware. The next split goes to a third-party, who can perform several roles including bulletproof hosting, penetration testing services, or access to vulnerabilities in victims’ networks. The last and smallest cut will go to the ransomware's administrators.
Returning to the link between Maze and Suncrypt, it was discovered that a Maze affiliate sent roughly 9.55 Bitcoin via an intermediary wallet to an address labeled “Suspected SunCrypt admin,” which was identified by researchers as part of a wallet that has consolidated funds related to a few different SunCrypt attacks. A similar story unfolds between affiliate wallets between known Egregor and Doppelpaymenr wallets. An Egregor wallet sent roughly 79 Bitcoin to a suspected Doppepaymer administrator wallet. Researchers believe that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators.
The Maze and Egregor connection are possibly the most interesting as both appear to be using the same money-laundering network. As researchers point out,
“Both strains’ victim payments’ wallets have sent funds to two deposit addresses at a prominent cryptocurrency exchange via intermediary wallets. Based on their transaction patterns, we believe that both deposit addresses belong to over-the-counter (OTC) brokers who specialize in helping ransomware operators and other cybercriminals trade illicitly-gained cryptocurrency for cash. In the case of Maze, those funds first flow through another suspected money laundering service before reaching the OTC addresses — it’s unclear whether Maze receives cash from that service or from the OTCs themselves, and it’s also possible that the OTC broker and those running the laundering service are one in the same.”
It is important to note that the evidence brought forward by Chainalysis researchers is no smoking gun, but it does add credence to theories of affiliate migration and a higher level of interconnectedness than what many believe. More importantly, their research may provide law enforcement with important leads. The research conducted may help law enforcement close the net around the money laundering infrastructure, making it harder for ransomware gangs and other cybercriminals to cash out. The suspected laundering network suspected to be employed by Maze and Egregor received funds from Doppelpaymer, WastedLocker, and Netwalker. From the last three, nearly 3 million USD seems to have changed hands.
In concluding, the article notes that based on analyzing the movement of cryptocurrency between wallets there are significant links and overlaps between affiliates. This suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating. It is hoped that this new information becomes a force multiplier for law enforcement helping them to identify and act against groups controlling multiple ransomware strains or the network chosen to launder money.