Threat intelligence company Advanced Intelligence and cybersecurity firm HYAS in a joint report wrote that they tracked 61 Bitcoin wallets attributed to Ryuk ransomware. They discovered that criminals send most of the crypto to an exchange via an intermediary to cash out.
Once a victim's payment reaches a broker, the broker forwards it to the Ryuk operators, who move most of it through laundering services. From there it reaches exchanges, where it is either cashed out or used to fund further criminal enterprises.
Rather than preferring obscure crypto exchanges, the criminals use well-established names, such as the Asia-based Binance and Huobi. Both require proof of identity before someone can transfer fiat currencies to a bank, though the ransomware gangs are likely using fake IDs.
“In addition to Huobi and Binance, which are large and well-established exchanges, there are significant flows of crypto currency to a collection of addresses that are too small to be an established exchange and probably represent a crime service that exchanges the cryptocurrency for local currency or another digital currency,” write the researchers.
Ryuk payments are usually in the hundreds of thousands of dollars range, though some victims end up paying millions. Local governments are a popular target for the operators; Jackson County and Key Biscayne were both hit by Ryuk, which remains the most profitable variant of ransomware.