Ransomware Summer: Attacks Heated Up, but So Has the Global Response


This summer, we’ve seen a spate of ransomware attacks on a diverse set of businesses, from telecom to automotive. Here’s the TL;DR:

  • Ransomware attacks against CDK Global—a major provider of software solutions for auto dealers—and telecom giant AT&T.
  • Reportedly, in both cases, ransom payments were made in cryptocurrency, and were traced by TRM to known ransomware actors.
  • Since the 2021 watershed attack on Colonial Pipeline, we have seen a global response to the ransomware epidemic.
  • Because payments are made in cryptocurrencies, law enforcement, using blockchain intelligence, can track ransom payments and disrupt ransomware groups such as LockBit.


Ransomware is a type of malicious software (malware) that encrypts a victim's files, making them inaccessible. The attacker then demands a ransom, typically paid in cryptocurrency, in exchange for the decryption key needed to restore access to the data. Ransomware can spread through phishing emails, malicious downloads, or exploiting vulnerabilities in software.

Over the last few years, we have seen the proliferation of ransomware-as-a-service (RaaS), which has significantly lowered the barrier to entry for malicious actors. RaaS is a business model used by cybercriminals that allows non-technical attackers to deploy ransomware attacks with minimal effort. In this model, experienced ransomware developers create the malicious software and offer it to affiliates, who then use it to execute attacks. In exchange, the developers receive a share of the ransom payments. Key features of RaaS include a user-friendly interface, profit sharing, support and updates, and darknet-enabled anonymity and accessibility. Examples of RaaS platforms include REvil, Darkside, and LockBit.

A busy 2024 for ransomware attacks and wins

So let’s dive into this summer. 

CDK Global

In June, CDK Global, a major provider of software solutions for automotive dealerships, suffered two significant ransomware attacks attributed to the BlackSuit ransomware gang. This double attack affected thousands of car dealerships across North America, impacting their ability to conduct normal operations such as vehicle servicing, sales, inventory management, and financing applications. 

TRM’s Head of Global Investigations Chris Janczewski confirmed to CNN that on June 21, about 387 bitcoin—then the equivalent of roughly USD 25 million—was sent to a cryptocurrency account controlled by cybercriminals affiliated with a type of ransomware called BlackSuit. Mr. Janczewski did not identify who sent the payment, but, according to CNN, three other sources closely tracking the incident confirmed that a roughly USD 25 million payment had been made to BlackSuit affiliates, and that CDK was very likely the source of that payment.

AT&T

Then, just last week, AT&T disclosed that hackers had stolen the call records for tens of millions of customers—and that the company paid a member of the hacking team more than USD 300,000 to delete the data and provide a video demonstrating proof of deletion.

According to a report by Wired, the hacker—part of the notorious ShinyHunters hacking group—provided Wired with the cryptocurrency addresses that sent and received the ransom payment. TRM’s Janczewski confirmed to Wired that a transaction occurred in the amount of about 5.72 bitcoin (the equivalent of USD 373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets—but said there was no indication of who controlled the wallets.

Change Healthcare

In addition, the first half of 2024 saw several other high-profile ransomware and cyberattacks, including the Change Healthcare exploit that impacted the healthcare sector's data security and crippled pharmacies across the US—including those in hospitals. The ransomware group that perpetrated the attack, known as AlphV or BlackCat, received a USD 22 million transaction following the attack. TRM connected the Bitcoin address that received the USD 22 million payment to the AlphV hackers and linked the address to payments from two other AlphV victims.

The disruption of LockBit

There have also been successes this year. In February, the UK’s National Crime Agency, the United States Department of Justice (DOJ), the FBI, and Europol announced the disruption of the notorious ransomware group LockBit and the takedown of its associated website infrastructure.


LockBit is one of the most prolific ransomware groups in the world. The group has had unprecedented impact on businesses and critical infrastructure across the globe, using a Ransomware-as-a-Service (RaaS) model to conduct thousands of attacks and extort victims for large ransom payments in cryptocurrency. Through on-chain analysis, TRM estimates that addresses controlled by LockBit administrators and affiliates have received over GBP 160 million (or USD 200 million) in bitcoin since 2022, of which over GBP 85 million (or USD 110 million) are still unspent in multiple addresses on-chain.

The global response

Since the watershed attack on Colonial Pipeline in 2021, we have seen a global government response.

The United States

The US Department of Justice stood up a specialized NatSec Cyber Unit and Ransomware Task Force, and has aggressively pursued indictments and arrests of individuals linked to ransomware gangs such as REvil and LockBit. The US Treasury Department has used sanctions to target non-compliant Russia-based cryptocurrency exchanges like Suex and Chatex, which were found to facilitate ransomware payments. In addition, US and global law enforcement have partnered with private sector entities like TRM Labs on information sharing initiatives such as Project IVAN.

European Union

The EU has implemented a comprehensive cybersecurity strategy that includes measures to enhance the cybersecurity capabilities of member states, foster information sharing, and support cross-border cooperation in tackling ransomware. In addition, the EU Cybersecurity Act establishes a framework for certification of cybersecurity products and services, aiming to improve the security of digital products and networks across Europe.

United Kingdom

The UK has established the National Cyber Security Centre which provides guidance, support, and resources to organizations to defend against ransomware attacks. It also collaborates with industry partners to improve the overall cybersecurity posture of the UK.

Australia

The Australian government has launched a Ransomware Action Plan that includes measures to increase penalties for ransomware attacks, enhance cybersecurity standards, and promote information sharing between the government and private sector. In addition, Australia has established Joint Cyber Security Centres to facilitate collaboration between government, industry, and academia to share threat intelligence and develop strategies to combat ransomware.

International collaboration

The US, through the Counter Ransomware Initiative, has led efforts to form international coalitions with other countries to combat ransomware through intelligence sharing, coordinated law enforcement actions, and setting global standards for cybersecurity. In addition, the US, Europe, and the UK have engaged with G7 nations and NATO allies to address ransomware threats, emphasizing collective defense and coordinated responses. Agencies like INTERPOL and Europol also coordinate international law enforcement efforts to disrupt ransomware networks, share intelligence, and support operations that target ransomware operators. Finally, on the ransom payments side, in October 2023, forty countries signed a pledge never to pay ransom to cybercriminals as part of the White House-led International Counter Ransomware Initiative.

Laundering the proceeds of ransomware

Notably, last year, the Financial Action Task Force—the international standard-setter on combating money laundering and terrorist financing—released its first ever dedicated report on ransomware, which set out the nature of the threat, ransom payment laundering typologies, and provided recommendations on how countries should respond.

As for the laundering of ransoms, the report highlights that the payment and subsequent laundering of ransomware proceeds is “almost exclusively conducted through virtual assets.” It finds that Bitcoin accounts for 99% of payments, with Monero making up the rest.

The report lists the following common aspects of ransomware money laundering:

  • The use of anonymity-enhancing technologies, techniques, and tokens such as peel chains to obscure the source of funds. Peel chains utilize several intermediary accounts to move funds, each time siphoning off a small amount into another account.
  • The role of mixers and privacy coins in money laundering—however, as noted above, most payments are made in Bitcoin. According to TRM, while bitcoin is the primary cryptocurrency used for ransomware payments, BTC is often converted to other types of cryptocurrencies during the laundering process through bridges and non-custodial exchanges.
  • The limited (but perhaps increasing) use of DeFi protocols to layer ransomware funds ahead of offramping into fiat currency.
  • Common use of virtual asset service providers (VASPs) in high-risk jurisdictions with lower levels of KYC controls to offramp funds.
  • Finally, the use of money mules—individuals who handle transactions on the behalf of others—to establish accounts to launder money for criminal groups.

Now let’s take a look at how a ransomware group launders ransom payments.

LockBit: A deep-dive into the laundering of ransom payments

TRM’s analysis of LockBit’s on-chain activity provides additional insights into the financial activity of ransomware groups. Historically, LockBit has used Bitcoin as the primary cryptocurrency for facilitating ransom payments. But the group has also looked to privacy-enhanced payment options such as ZCash for both collecting from victims and paying its affiliates.

On-chain analysis of LockBit activity highlights the group’s operating structure, where victims’ initial ransom payments undergo a financial split: 80% goes to the LockBit affiliate, and 20% goes to LockBit’s administrators. LockBit operators have subsequently used Wasabi 2.0 to mix funds, and multiple non-custodial exchanges and centralized VASPs in the United States and Asia to launder victim funds.
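To make the peel-chain typology listed above and the 80/20 affiliate/administrator split concrete, here is an added Python example (not TRM’s tooling and not code from this post) that walks a constructed ledger forward from a ransom address; the transactions, amounts and address labels are invented for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real on-chain data): each entry is
# (txid, spending_address, [(receiving_address, amount_btc), ...]).
LEDGER = [
    ("tx1", "victim",      [("ransom_addr", 10.0)]),
    ("tx2", "ransom_addr", [("affiliate", 8.0), ("admin", 2.0)]),  # 80/20 split
    ("tx3", "affiliate",   [("hop1", 7.9), ("cashout1", 0.1)]),    # peel chain starts
    ("tx4", "hop1",        [("hop2", 7.8), ("cashout2", 0.1)]),
    ("tx5", "hop2",        [("hop3", 7.7), ("cashout3", 0.1)]),
    ("tx6", "hop3",        [("hop4", 7.6), ("cashout4", 0.1)]),
]

# Index: spending address -> list of (txid, outputs) in ledger order.
SPENDS = defaultdict(list)
for txid, sender, outputs in LEDGER:
    SPENDS[sender].append((txid, outputs))


def split_ratios(addr):
    """Fraction of the first outgoing spend from `addr` landing on each output.
    A {0.8, 0.2} result matches the affiliate/administrator split described above."""
    if not SPENDS[addr]:
        return {}
    _, outputs = SPENDS[addr][0]
    total = sum(amt for _, amt in outputs)
    return {to: round(amt / total, 4) for to, amt in outputs}


def follow_peel_chain(start, min_pass_through=0.9):
    """Walk forward from `start` while each spend looks like a peel: exactly two
    outputs, the larger carrying at least `min_pass_through` of the total.
    Returns the ordered pass-through hops and the (address, amount) pairs peeled off,
    i.e. the small siphoned amounts an investigator would screen for cash-outs."""
    hops, peeled, current = [], [], start
    while SPENDS[current]:
        _, outputs = SPENDS[current][0]
        if len(outputs) != 2:
            break
        (big_to, big_amt), (small_to, small_amt) = sorted(outputs, key=lambda o: -o[1])
        if big_amt / (big_amt + small_amt) < min_pass_through:
            break  # an 80/20 split is a fork, not a peel; stop here
        hops.append(big_to)
        peeled.append((small_to, small_amt))
        current = big_to
    return hops, peeled


if __name__ == "__main__":
    print(split_ratios("ransom_addr"))
    print(follow_peel_chain("affiliate"))
```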

TRM Graph showing initial ransom payments and 80/20 financial split between LockBit affiliates and administrators
TRM Graph showing laundering of a USD 13 million ransom payment across multiple VASPs
TRM Graph showing laundering of ransom proceeds using multiple smaller cashouts on multiple VASPs

The role of blockchain intelligence in disrupting ransomware

While we have seen a series of disruptions over the last few months, the spate of attacks this summer tells us that ransomware actors will continue to target myriad businesses and evolve their tactics. In addition, with AI projected to be a catalyst for making ransomware attacks more sophisticated and efficient, we may see increasing numbers of attacks. As this happens, hardened cybersecurity, global cooperation, and the ability to track payments will all be critical.
