Elementus recently released a blockbuster report on the ransomware industry. It contained many new insights about how this industry is structured, its mechanics, and how its players operate. Though it’s well known that ransomware groups are growing in the size of their targets and their payouts, for example, we’re the first research team to have found more than $1 billion dollars in ransom paid in a single year (2021, in the chart below):
More interestingly, this report is the first to clearly articulate the evidence that the ransomware space is likely controlled by a relatively small number of teams that are responsible for creating, maintaining, and often morphing multiple strains.
One of the more fascinating takeaways, however, is the geographic concentration of these ransomware groups.
Ranked by payments received from victims in 2021, the eight most prolific ransomware strains were Conti, Darkside, Phoenix Locker, Sodinokibi, Egregor, Blackmatter, Alphv, and Pysa. The chart below shows payments received for 2020 (black bar) as well as payments received for 2021 (orange bar), and the strains are ranked in descending order based on payments received for 2021 (Conti received the most that year and Pysa received the least).
There are strong indications that five of these eight are operating out of Russia, including the two most dangerous strains, Conti and Darkside, as well as Sodinokibi, Blackmatter, and Alphv.
The evidence for the other three, Phoenix Locker, Egregor, and Pysa, is more mixed, but for each there’s at least some inkling that they could be based in Russia. We’ll be offering additional details around this geographic concentration in coming weeks.
It’s not terribly surprising that Russia would be attractive for a cybercriminal outfit, as the willingness of autocrats like Putin to selectively look the other way on criminal activity when it furthers their own goals is well-documented.
But Russia’s singular role in this escalating crypto crime saga is notable, especially given the plethora of sanctions hitting Putin over his invasion of Ukraine. Whether there will also be growing approbation over their failure to tackle this global crime trend remains to be seen.
In the next section, I’ll discuss the evidence for each of the eight strains being based in or connected to Russia in some way.
Where are the major ransomware strains located?
Conti is in Russia
Conti–the ransomware strain responsible for many infamous attacks, including a recent hack of the Costa Rican government–is widely believed to be in Russia.
Among the most compelling lines of evidence was their response to the sanctions levied against Russia after the recent invasion of Ukraine. They greeted news of the sanctions by issuing a public statement in which they threatened to attack the US, the EU, and NATO-allied countries if they continue to retaliate against Russia.
A group operating out of, say, Chile would be less inclined to take such a bold stance on behalf of a pariah state.
Darkside was likely in Russia
Darkside was the ransomware group behind the notorious Colonial Oil Pipeline attack. The hackers were able to access Colonial’s computer systems through a virtual private network (VPN) whose password had likely been leaked on the dark web. As the pipeline transports some 2.5 million barrels of oil every day, its shutdown led to shortages in the Eastern United States.
Speaking in the immediate aftermath of the attack U.S. president Joe Biden said: “So far, there is no evidence from our intelligence people that Russia is involved,” adding: “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”
What the president was alluding to is that, while the U.S. intelligence community cannot lay this attack squarely at Putin’s feet, they believe that the ransomware family is located in Russia, and therefore is the responsibility of the Russian government to rein in.
Sodinokibi was based in Russia
Sodinokibi, also known as REvil, is a hacker group that rose to prominence in 2019 when two Florida cities, Riviera Beach and Lake City, were targeted and extorted to the tune of $1.05M.
News reports state that Putin’s Federal Security Service (FSB) shut REvil down in a series of raids at 25 addresses in Moscow, St. Petersburg, and Lipetsk, pointing to a direct link.
Blackmatter was likely in Russia
Blackmatter began operations very shortly after the demise of Darkside, a Russian group. When they announced they were shutting down they did so in Russian. The news came almost immediately after the announcement that the U.S. and Russia were going to be working more closely to stop the ransomware threat.
While this may not be conclusive evidence, it supports our belief that Blackmatter was based in Russia.
Alphv is likely in Russia
Also known as Black Cat, Alphv began ramping up operations in the aftermath of REvil, Blackmatter, and Darkside closing their doors. What’s more, the group aggressively targeted ex-members of these three groups, all believed to be based in Russia.
The group also favored posting advertisements and recruitment messages in Russian on Russian messaging boards.
Phoenix Locker could be in Russia
This would be an interesting coincidence if the group isn’t based in or tied to Russia.
Egregor could be in Russia
According to Bank info security, the Russian hacker group REvil has alleged that its rival, Egregor, is operated directly by the Russian government. As a layperson, I think it’s pretty interesting that REvil chose Russia and not China, Iran, or North Korea as the putative base of operations for Egregor, but then again hackers aren’t known for their scrupulous honesty.
As it stands there's no definitive proof of this claim one way or another–and it is not taken particularly seriously among the members of the security community who study this issue–but there were recently several arrests of Egregor affiliates in nearby Ukraine.
Pysa’s/Mespinoza’s origin isn’t known
After reading a number of different articles I couldn't come up with anything definitive on where Pysa resides. Pysa is utilizing the tactics of Russian-based group Conti, and there’s speculation that Pysa might be extending Conti's work. This makes it possible that they’re Russian, but the evidence is too tenuous to say for sure, hence why Pysa is one of the three strains we aren’t sure about.
The fact that so much ransomware firepower is coming out of Russia is cause for alarm. But perhaps, as we noted in the ransomware report, it’s also an opportunity for law enforcement and compliance teams.
Maybe Russian hackers use consistent methods of attack, which can be identified and mitigated in advance. Perhaps there are common Russian software tools used by multiple groups with weaknesses which can be understood and exploited. Or maybe, in some Halcyon future, relations with Russia will improve enough to pave the way for a comprehensive joint effort to stop this threat.
Elementus is a best-in-class blockchain analytics platform that detects a wide variety of bad actors on-chain. We are building the Who’s Who of the blockchain to enable legitimate entities in the space to avoid exposure to ransomware funds, solve complex crypto crimes, and remain in compliance.
Powered by SourceFlow™, EntityIndex™, and patent-pending Intelligent Network Expansion™ technology, the Elementus platform automatically examines large structures of on-chain activity to rapidly detect risks that are otherwise impossible to see.
We trace the movement of crypto in an automated fashion, achieving in seconds what previously took days or weeks of manual analysis and making blockchain data more transparent than it has ever been.
Elementus is based in New York City. The CEO and founder is Max Galka.
Follow the crypto — with Elementus.