Ransomware gang Ryuk thought to have pulled in US$150 million

One ransomware gang, Ryuk, is estimated to have netted over US$150 million (A$194 million) through its criminal extortion activities, researchers estimate.

Cybersecurity firm HYAS principal researcher Brian Carter worked with the chief executive of Advanced Intelligence, Vitali Kremez, to trace payments to Ryuk through 61 Bitcoin deposit addresses, and found Bitcoin transactions worth millions of dollars.

Ryuk is known to use two cryptocurrency exchanges, Seychelles-based Huobi with offices in Asian countries, and Binance, which is believed to be located in the Cayman Islands.

To make it harder to follow the money trail, Ryuk receives victim payments in Bitcoin via a broker.

After ransom payments are received from the broker, Ryuk sends the Bitcoin funds to cryptocurrency laundering services, which exchange it for fiat money at Huobi and Binance.

While Huobi and Binance claim to comply with international anti-money laundering laws, Carter and Kremez noted that the exchanges are structured "in a way that probably would not obligate them to comply [with financial regulation]".

Huobi and Binance require identity documents from customers wanting to exchange cryptocurrency for fiat money, or to make funds transfers to banks.

Carter and Kremez said that it's not clear, however, that the identity documents are scrutinised in any meaningful way for know your customer (KYC) regulatory requirements.

Blockchain forensics firm Chainalysis estimated that Huobi and Binance handled more than half of the US$2.8 billion in illicit Bitcoin transactions it was able to identify in 2019.

Bitcoin is the favoured cryptocurrency for Ryuk's large ransom demands, which can run into the millions per victim.

The exchange rate for 1 Bitcoin is currently A$52,228, as the cryptocurrency appreciated sharply last year, from less than A$15,000 at the beginning of 2020.

Ransomware has become an increasingly lucrative business.

Security vendor McAfee tracked another gang, Netwalker, between March 1 and July 27 2020, and found a total of 2795 Bitcoin being transferred to the criminals in that period.

At today's exchange rate, that amounts to approximately A$146 million.

Being able to operate with impunity, ransomware criminals have become increasingly ruthless as well, targeting a wide range of organisations including public service agencies, health care and large enterprises, in many cases exfiltrating sensitive data to reinforce their extortion demands.

Ryuk itself has garnered a reputation as being hardnosed with their demands, and unwilling to negotiate with victims, showing no sympathy for them, Carter and Kremez said.

The ransomware criminals use several types of malware droppers such as Emotet, Zloader, Qakbot and Trickbot to gain initial access to networks, and move laterally inside these to disable defences and detection systems.

Carter and Kremez suggested users restrict Microsoft Office macro execution, keep remote access up to date and enable two-factor authentication to counter the initial attacks by ransomware criminals.

Using remote access tools like Citrix and Microsoft Remote Desktop Protocol applications is especially risky, and their use should be limited to a specific set of internet protocol addresses only.