A report published today by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks don't operate in their own bubbles but often switch ransomware suppliers (RaaS services) in a search for better profits.
The report analyzed how Bitcoin funds were transferred from victims to criminal groups, and how the money was divided among different parties involved in the ransomware attack, and how it was eventually laundered.
But to understand these dynamics, a short intro into the current ransomware scene is needed. Today, the ransomware landscape is very similar to how modern businesses operate.
There are coders who create and rent the actual ransomware strain via services called RaaS -- or Ransomware-as-a-Service -- similar to how most modern software is provided today.
Some RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, which are usually called "affiliates."
The affiliates are the ones to usually spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.
In some cases, the affiliates are also multiple groups themselves. Some are specialized in breaching a company's network perimeter, and are called initial access vendors, while some groups are specialized in expanding this initial access inside hacked networks to maximize the ransomware's damage.
All in all, the ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.
BTC transactions show collaborations between criminal groups
The Chainalysis report released today confirms these informal theories with undisputable and unforgeable cryptographic proof left behind by the Bitcoin transactions that have taken place among some of these groups.
For example, based on the graph below, Chainalysis said it found evidence to suggest that an affiliate for the now-defunct Maze RaaS was also involved with SunCrypt RaaS.
"We see that the Maze affiliate also sent funds — roughly 9.55 Bitcoin worth over $90,000 — via an intermediary wallet to an address labeled 'Suspected SunCryptadmin,' which we've identified as part of a wallet that has consolidated funds related to a few different SunCrypt attacks," Chainalysis said.
"This suggests that the Maze affiliate is also an affiliate for SunCrypt, or possibly involved with SunCrypt in another way."
Similar findings also show a connection between the Egregor and DoppelPaymer operations.
"In this case, we see that an Egregor wallet sent roughly 78.9 BTC worth approximately $850,000 to a suspected Doppelpaymer administrator wallet," researchers said.
"Though we can't know for sure, we believe that this is another example of affiliate overlap. Our hypothesis is that the Egregor-labeled wallet is an affiliate for both strains sending funds to the Doppelpaymer administrators."
And last but not least, Chainalysis researchers also found evidence that the operators of the Maze and Egregor operations also used the same money-laundering service and over-the-counter brokers to convert stolen funds into fiat currency.
Since several security firms have suggested that the Egregor RaaS is a rebrand and continuation of the older and defunct Maze operation, such findings come to support these theories, showing how old Maze tactics permeated to the new Egregor operation.
Report confirms observations made by security firms
"Interesting report and very much aligns with what we are seeing," Allan Liska, a security researcher with threat intel firm Recorded Future, told ZDNet.
"Recorded Future is seeing more fluidity in the RaaS market now than at any other time in the (admittedly short) history of the RaaS market.
"Part of this is because of the reality that there is a growing stratification between the haves and have nots in ransomware. There are fewer actors making a lot of money, so ransomware actors are jumping from one RaaS to another to improve their chances of success," the Recorded Future analyst said.
Furthermore, Liska says there are other connections and overlaps between other RaaS groups, and not just Maze, SunCrypt, and Egregor.
The Recorded Future analyst pointed to the Sodinokibi (aka REvil) RaaS operation as being one of the services where many groups overlap, primarily because the Sodinokibi administrator, an individual going by the name of Unknown, has often actively and openly recruited affiliates from other RaaS programs.
Interconnected landscape is actually a good sign
But while we might view these connections and overlaps as a sign of successful cooperation between cybercrime groups, Chainalysis believes that this interconnectedness is actually a good sign for law enforcement.
"The evidence suggests that the ransomware world is smaller than one may initially think given the number of unique strains currently operating," Chainalysis said.
This, in theory, should make cracking down and disrupting ransomware attacks a much easier task since a carefully planned blow could impact multiple groups and RaaS providers at the same time.
According to Chainalysis, these weak spots are the money-laundering and over-the-counter services that RaaS operators and their affiliates often use to convert their stolen funds into legitimate currency.
By taking out legitimate avenues for converting funds and reaching real-world profitability, Chainalysis believes RaaS operations would have a hard time seeing a reason to operate when they can't profit from their work.