Cybercriminals distributing the Sodinokibi ransomware earned an enormous payday from targeted victims who paid the demanded Bitcoin ransom.
In a new report, McAfee researchers found posts on underground malware and hacker forums in which one affiliate distributor, using the handle “Lalartu”, claimed to have made the equivalent of $287,499 in Bitcoin in just 72 hours.
Lalartu was apparently vouching for the Sodinokibi Ransomware-as-a-Service (RaaS) program.
McAfee researchers located the forum post in which Lalartu published a screenshot of partial transaction IDs covering roughly $287,499.00 worth of ransom payments collected in just 72 hours.
By examining existing Sodinokibi samples, McAfee established that the average ransom payment was between 0.44 and 0.45 BTC, which at the time amounted to around $4,000 (USD). Such
With the help of the blockchain analysis firm Chainalysis, McAfee recovered the full transaction IDs from the affiliate’s forum post and used them to map out the Bitcoin transactions tied to these ransom and affiliate payments.
This information was key to McAfee’s analysis of the Bitcoin transactions related to the Sodinokibi ransomware and its affiliates.
From the data gathered, McAfee was able to observe additional ransom payments being made and the 60/40 or 70/30 revenue split between the affiliate and the RaaS authors.
“We see victims paying to their assigned wallets; from there it takes an average of two to three transactions before it goes to an ‘affiliate’ or ‘distribution’ wallet. From that wallet we see the split happening as the moniker ‘UNKN’ mentioned in his forum post we started this article with. The 60 or 70 percent stays with the affiliate and the remaining 40/30 percent is forwarded in multiple transactions towards the actors behind Sodinokibi.”
By examining the Bitcoin transactions of additional Sodinokibi affiliates, McAfee obtained a clearer picture of how the ransomware distributors are spending their proceeds.
For instance, the affiliate in the following screenshot sent a small amount to an unidentified service and a larger amount to the BitMix mixer, in an attempt to make the coins harder to trace further downstream.
Some of the illicit funds obtained by the affiliates were used to buy illicit goods and services on the dark web, such as drugs, weapons, and hacking services.
Interestingly, one of the larger affiliates McAfee was able to trace held a wallet containing 443 BTC, roughly $4.5 million (USD), marking them as a significant player.
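The tracing described above (victim wallet, a few hops to an affiliate wallet, a 60/40 or 70/30 split, and the affiliate's share going on to a mixer) is easy to see on a small transaction graph. The following Python is an added example, not McAfee's or Chainalysis's code: the ledger, addresses, txids and the "BitMix" label are all constructed placeholders, and the rule "the largest output carries the funds forward" is a deliberate simplification of real change-address heuristics.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]                 # addresses whose coins are spent
    outputs: Tuple[Tuple[str, float], ...]  # (destination address, amount in BTC)


# Constructed sample ledger: placeholders, not real Sodinokibi transactions.
# One 0.45 BTC victim payment hops twice, is split 60/40 at the affiliate
# wallet, and the affiliate's share then goes mostly to a mixer deposit.
SAMPLE_TXS: List[Tx] = [
    Tx("tx01", ("victim_src",), (("victim_pay_wallet", 0.4500),)),
    Tx("tx02", ("victim_pay_wallet",), (("hop_a", 0.4495),)),
    Tx("tx03", ("hop_a",), (("affiliate_wallet", 0.4490),)),
    Tx("tx04", ("affiliate_wallet",), (("affiliate_keep", 0.2694), ("operator_wallet", 0.1796))),
    Tx("tx05", ("affiliate_keep",), (("mixer_deposit", 0.2500), ("unknown_service", 0.0190))),
]

# Constructed stand-in for an analysis firm's database of attributed addresses.
KNOWN_ADDRESSES: Dict[str, str] = {
    "mixer_deposit": "BitMix (mixing service)",
    "operator_wallet": "RaaS operator collection wallet",
}


def spends_of(txs: List[Tx]) -> Dict[str, List[Tx]]:
    """Index: address -> transactions that spend coins held by that address."""
    idx: Dict[str, List[Tx]] = defaultdict(list)
    for tx in txs:
        for addr in tx.inputs:
            idx[addr].append(tx)
    return idx


def split_ratio(tx: Tx) -> Optional[Tuple[float, float]]:
    """For a two-output tx return (larger share, smaller share), rounded to 2 dp."""
    if len(tx.outputs) != 2:
        return None
    amounts = sorted((amt for _, amt in tx.outputs), reverse=True)
    total = sum(amounts)
    return round(amounts[0] / total, 2), round(amounts[1] / total, 2)


def trace_forward(txs: List[Tx], start: str, max_hops: int = 10) -> dict:
    """Follow coins from `start` along the largest output at each hop until they
    sit unspent or a two-way split is reached (the affiliate/operator payout)."""
    idx = spends_of(txs)
    addr, path, split = start, [], None
    for _ in range(max_hops):
        spending = idx.get(addr)
        if not spending:
            break
        tx = spending[0]
        path.append(tx.txid)
        ratio = split_ratio(tx)
        if ratio:
            split = {"txid": tx.txid, "ratio": ratio}
            break
        addr = max(tx.outputs, key=lambda o: o[1])[0]
    hops = len(path) - (1 if split else 0)   # hops between victim wallet and the split
    return {"hops_before_split": hops, "path": path, "split": split, "terminal": addr}


def destination_labels(txs: List[Tx], addr: str, known: Dict[str, str] = KNOWN_ADDRESSES) -> dict:
    """Label every address that receives coins spent from `addr` (one hop out)."""
    out = {}
    for tx in spends_of(txs).get(addr, []):
        for dest, amt in tx.outputs:
            out[dest] = (known.get(dest, "unlabeled"), amt)
    return out


def analyze_payment(txs: List[Tx], victim_wallet: str, known: Dict[str, str] = KNOWN_ADDRESSES) -> dict:
    """Victim wallet -> hops -> split ratio -> where the affiliate's share went."""
    trace = trace_forward(txs, victim_wallet)
    result = {"hops_before_split": trace["hops_before_split"], "path": trace["path"],
              "split": None, "operator_label": None, "affiliate_spend": {}}
    if trace["split"]:
        tx = next(t for t in txs if t.txid == trace["split"]["txid"])
        big, small = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        result["split"] = trace["split"]["ratio"]          # e.g. (0.6, 0.4)
        result["operator_label"] = known.get(small[0], "unlabeled")
        result["affiliate_spend"] = destination_labels(txs, big[0], known)
    return result


if __name__ == "__main__":
    for k, v in analyze_payment(SAMPLE_TXS, "victim_pay_wallet").items():
        print(f"{k}: {v}")
```

On the constructed ledger the trace reports two hops before the split, a 0.6/0.4 ratio at tx04, the smaller share landing on a labelled operator wallet, and the affiliate's share mostly reaching an address labelled as a mixer deposit, which is exactly the point at which an investigator's trail gets harder. Real analysis has to cope with multi-input transactions, change outputs and coin-join patterns that this hop-by-hop walk ignores.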
Hackers & Cybercriminals Still Prefer Bitcoin
Bitcoin remains the cryptocurrency of choice among hackers and cybercriminals, but because its ledger is public, firms like Chainalysis can help law enforcement agencies identify and unmask the culprits behind ransomware attacks.
Using large databases of already attributed Bitcoin addresses, such blockchain analysis firms provide services that make it easier for law enforcement investigators to trace where the coins go.
Nevertheless, RaaS operators and affiliates routinely push their illicit funds through cryptocurrency mixing services, which makes it far harder for investigators to identify who is behind the ransom demands.