74% of stolen funds from ransomware attacks went to Russian-affiliated wallet addresses in 2021


According to to a new report published by blockchain analytics firm Chainalysis on Monday, approximately 74%, or over $400 million USD, of ransomware revenue last year were funneled into high-risk wallet addresses that are likely to have been based in Russia. The report analyzed ransomware hacks throughout 2021 and determined their affiliation to Russia through three key characteristics:

  1. Traces of Russia-based cybercriminal organization Evil Corp being behind a given breach; the group has alleged ties to the Russian government.
  2. Ransomeware programmed only against victims of non-former-Soviet countries.
  3. Ransomware strains that share documents and announcements in the Russian language.

In addition to the selection criteria, it appears that web traffic data confirms the vast majority of extorted funds are laundered through Russia. Another 13% of funds sent from ransomware addresses to services went to users who were likely in Russia — more than any other region . Such ransomware strains typically infect a user’s computer via a program exploit, or when downloading unknown files, etc. They then encrypt the victim’s files and demand payment through, most often, Bitcoin (BTC) or Monero (XMR) to a wallet address to make the files accessible.

One famous case occurred last year when Russia-based hacking entity Darkside, through exploiting a single leaked password, infected the computer systems of Colonial Pipeline. As a result, the pipeline’s operators were forced to pay over $4 million in crypto ransom — of which $2.3 million was recovered — to regain access to their encrypted files, but not before causing a brief fuel crisis during the ordeal.

Russian ransomware encryption hack | Source: Reuters