Top crypto ransomware attacks extorted $69 million in bitcoin: Immunefi

Quick Take

  • The top 10 crypto ransomware payments have generated over $69.3 million in bitcoin for attackers since 2020.
  • The largest transaction was a $40 million payment made by Chicago-based CNA Financial.
  • Bitcoin’s recognizability and accessibility made it the ransomware payment cryptocurrency of choice.

Crypto ransomware payments have generated more than $69.3 million from the top 10 attacks since 2020. The $40 million paid in bitcoin by the Chicago-based insurance company CNA Financial represents 57.7% of that total.

As the use of cryptocurrencies like bitcoin has grown, so has their popularity among ransomware groups, since they carry a different risk profile from traditional banking methods, which generally allow for the seizure of funds.

The top crypto ransomware payments have been identified in a new report from the web3-focused bug bounty platform Immunefi, connected to eight specific malware strains.

JBS, CWT, Brenntag, Colonial Pipeline, Travelex, UCSF, BRB Bank, Jackson County and the University of Maastricht join CNA Financial in the top 10, with ransom payments ranging from $218,000 to $40 million. All payments were made in bitcoin with the ransomware strains originating from Russia, Eastern Europe and Iran.

Source: Immunefi

Only two of the companies involved were able to recover any of the payments made. Colonial Pipeline recovered $2.3 million of its $4.4 million ransom payment, while the University of Maastricht managed to recover the full $218,000 it paid. In total, those recoveries make up just 3.6% of the top crypto ransomware payments.

According to Immunefi’s report, researchers detected eight specific malware strains related to the ransom payments. Ransomware-as-a-Service operators REvil/Sodinokibi and Darkside were the most used. Phoenix CryptoLocker, a variant of the ransomware family released by the Russia-based cybercriminal group Evil Corp, was the most profitable and was behind the extortion of CNA Financial.

To protect from ransomware attacks, Immunefi recommended that organizations ensure they have extensive and regular backups of vital data and a recovery plan for restoration in the event of an attack. It also suggested keeping systems and applications up to date, training staff on common phishing techniques and using intrusion detection and antivirus software.

Why bitcoin?

Despite the wide range of crypto assets now available, bitcoin was the currency of choice for the ransomware groups, likely due to its recognizability and accessibility, according to Immunefi.


Bitcoin transactions are pseudonymous rather than anonymous and can be tracked by combining blockchain analytics with other data, with a growing industry of on-chain specialists like Chainalysis and Elliptic finding connections between bitcoin addresses and real-world entities.
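The tracking described above rests on two ingredients: on-chain heuristics that group addresses under one owner, and off-chain data that puts a name to a group. The following is an added illustration, not code from the article or from Immunefi, Chainalysis or Elliptic. It applies the common-input-ownership heuristic (addresses co-spent as inputs of one transaction are treated as one wallet) to a handful of constructed transactions with made-up addresses and labels, then shows how a single known label propagates to every address in the cluster and how funds can be followed forward hop by hop.

```python
"""Address clustering and forward tracing over constructed transactions.

Everything below is a constructed example: txids, addresses, amounts and
labels are hypothetical and do not come from the Immunefi report.
"""
from collections import defaultdict

# Constructed sample ledger. Each transaction spends from 'inputs' and pays
# (address, amount) pairs in 'outputs'.
SAMPLE_TXS = [
    # A victim pays a ransom from two of its own addresses.
    {"txid": "tx_ransom", "inputs": ["VIC1", "VIC2"],
     "outputs": [("RANSOM1", 10.0)]},
    # The recipient later co-spends the ransom with another address it controls.
    {"txid": "tx_consolidate", "inputs": ["RANSOM1", "R2"],
     "outputs": [("EXCH1", 11.5), ("CHG1", 0.4)]},
    # An unrelated transaction that should not be linked to either party.
    {"txid": "tx_unrelated", "inputs": ["U1"], "outputs": [("U2", 2.0)]},
]

# Constructed off-chain knowledge an analyst might hold: R2 was observed in an
# earlier case, and EXCH1 is a deposit address at a centralised exchange.
KNOWN_LABELS = {
    "R2": "seen in prior incident (constructed label)",
    "EXCH1": "exchange deposit (constructed label)",
}


def cluster_by_common_input(txs):
    """Group addresses with the common-input-ownership heuristic.

    In an ordinary wallet every input of a transaction is signed by the same
    key holder, so all input addresses of one transaction are merged into one
    cluster (union-find). Returns {address: frozenset(cluster members)} for
    every address that has ever appeared as an input.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            find(addr)  # register single-input addresses as their own cluster
        for addr in ins[1:]:
            union(ins[0], addr)

    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return {addr: frozenset(members)
            for members in groups.values() for addr in members}


def attribute(txs, labels):
    """Combine clustering with off-chain labels.

    Any cluster containing a labelled address inherits that label, which is
    how a single identification spreads to every co-spent address.
    Returns {address: sorted list of labels}.
    """
    clusters = cluster_by_common_input(txs)
    return {addr: sorted({labels[m] for m in members if m in labels})
            for addr, members in clusters.items()}


def trace_forward(txs, start_addr, max_hops=3):
    """Follow funds leaving start_addr through later transactions.

    Returns a list of (hop, txid, to_address, amount) in discovery order;
    stops when no further spends are found or max_hops is reached.
    """
    by_input = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            by_input[addr].append(tx)

    path, seen, frontier = [], set(), [start_addr]
    for hop in range(1, max_hops + 1):
        nxt = []
        for addr in frontier:
            for tx in by_input.get(addr, []):
                if tx["txid"] in seen:
                    continue
                seen.add(tx["txid"])
                for to_addr, amount in tx["outputs"]:
                    path.append((hop, tx["txid"], to_addr, amount))
                    nxt.append(to_addr)
        if not nxt:
            break
        frontier = nxt
    return path


if __name__ == "__main__":
    for addr, tags in sorted(attribute(SAMPLE_TXS, KNOWN_LABELS).items()):
        print(f"{addr:8} -> {tags}")
    for hop, txid, to_addr, amount in trace_forward(SAMPLE_TXS, "RANSOM1"):
        print(f"hop {hop}: {txid} pays {amount} to {to_addr}")
```

Run as a script, the output shows RANSOM1 inheriting the label attached to R2 (because the two were co-spent) while the victim's and the unrelated addresses stay unlabelled, and the trace from RANSOM1 ending at the labelled exchange deposit after one hop. The heuristic is deliberately simple and has known false positives (transactions built by several parties, such as CoinJoins, violate the single-owner assumption), which is exactly why analytics firms combine it with other data rather than relying on it alone.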

However, ransomware groups are correct that the decentralized nature of crypto can facilitate larger payments due to the challenges of transferring millions of dollars through the legacy banking system without being caught.

In terms of cashing out into fiat currency, the report suggests ransomware groups use centralized exchanges with fake IDs, private OFAC-sanctioned exchanges or government connections in jurisdictions that do not cooperate with foreign subpoenas. 

Alternatives to fiat off-ramps include using bitcoin directly to purchase goods and services, trying to obfuscate funds via a crypto mixer or swapping assets between blockchains.

Crypto bug bounties

Decentralized applications are also an attractive target to malicious actors keen to exploit weaknesses in blockchain-based protocols. 

Immunefi has come to dominate crypto bug bounty rewards, paying out over $52 million to ethical hackers for finding vulnerabilities in web3 protocols last year. In comparison, the second-most popular platform, HackenProof, has paid less than $850,000 in total, according to its website.

Since its inception in 2020, Immunefi claims to have paid out more than $65 million in total bounties, helping to secure $25 billion in user funds across protocols like Chainlink, MakerDAO, Compound, Polygon and Synthetix. The highest bounty facilitated by Immunefi was a $10 million award for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol. 

An Immunefi security researcher was awarded a $1 million bounty earlier this month after preventing a potential theft of $200 million from three Polkadot parachains. In September, Immunefi raised $24 million in a Series A round led by Framework Ventures.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

James Hunt is a reporter at The Block, based in the UK. As the writer behind The Daily newsletter, James also keeps you up to speed on the latest crypto news every weekday. Prior to joining The Block in 2022, James spent four years as a freelance writer in the industry, contributing to both publications and crypto project content. James’ coverage spans everything from Bitcoin and Ethereum to Layer 2 scaling solutions, avant-garde DeFi protocols, evolving DAO governance structures, trending NFTs and memecoins, regulatory landscapes, crypto company deals and the latest market updates. You can get in touch with James on Telegram or X via @humanjets or email him at [email protected].

Editor

To contact the editor of this story:
Tim Copeland at
[email protected]