Security researchers following the money circuit from Ryuk ransomware victims into the threat actor’s pockets estimate that the criminal organization made at least $150 million.

They found that Ryuk operators primarily use two legitimate cryptocurrency exchanges to cash out the Bitcoin from paying victims as fiat money.

Ryuk’s money circuit

Threat intelligence companies Advanced Intelligence and HYAS tracked 61 Bitcoin wallets attributed to the Ryuk malware enterprise and discovered that the cryptocurrency moves from an intermediary to Huobi and Binance exchanges.

When a Ryuk victim pays the ransom, the money reaches a broker that passes it to the malware operators. The money then goes through a laundering service before getting to legitimate cryptocurrency exchanges or being used to pay for criminal services on underground markets.

“In addition to Huobi and Binance, which are large and well-established exchanges, there are significant flows of crypto currency to a collection of addresses that are too small to be an established exchange and probably represent a crime service that exchanges the cryptocurrency for local currency or another digital currency,” the researchers explain.

One of the largest transactions involving a Ryuk wallet found during this investigation was above $5 million (365 bitcoins), the researchers said in their report. This is not the highest ransom paid to Ryuk, though.

In a previous report, Advanced Intelligence said that the largest payment confirmedto these attackers was 2,200 BTC, which converted to $34 million at the time. The average ransom value received by the group is 48 bitcoins.

Escaping ID verification

Cashing out the ransom money in fiat currency is not a simple process but Ryuk set up a circuit that allows them to handle millions despite security researchers and law enforcement keeping a close eye on the operation.

The conversion from cryptocurrency is essential in identifying the criminals because reputable exchanges require personal documents before transferring the money to a bank account.

However, it is unclear how strict this verification is in the case of Huobi and Binance.  

Ryuk ransomware has been active for more than two years and left behind a long list of victims. It is a tight enterprise that leaves little clues about its actions and profits.

Attacks from this threat actor focused mostly on organizations in the healthcare sector come November 2020, adding to the pressure from the pandemic. In the third quarter last year, the attackers were hitting, on average, 20 companies every week.

Considering the actor’s reputation of a tough negotiator that does not budge an inch regardless of the victim’s profile or financial difficulties, the $150 million revenue estimation is likely conservative. Obviously, the entire operation comes with some costs.

Another highly profitable ransomware gang is REvil (Sodinokibi), who announced through a public-facing representative that they made $100 million in one year from extorting victims. They said that the goal was to make $2 billion.