Ransomware is a type of malicious software that encrypts a victim’s files. The attackers then demand payment in exchange for the decryption key, typically in the form of cryptocurrency, like Bitcoin, because it is easier to make the exchange anonymous. In recent years, ransomware attacks have become an increasingly common form of cybercrime, and the attackers behind them have been able to generate significant amounts of money. But what happens to all of that ransom money? Where does it go and how is it used?

The vast majority of ransomware payments make their way to Eastern Europe and the former Soviet Union. These regions have become hub for cybercrime due to the high level of technical expertise and the relative ease with which criminal operations can be conducted.  This begs the question about how closely these criminal organizations are to nation states. While Western governments are careful about blaming other nations for such attacks, it is clear that interests are aligned. Western states have noticed an increase in cybercrime activities against them for their support of Ukraine over the last year, clearly an indication of a link in ideologies at the least.  It should be noted that North Korea is also even more clearly in the cybercrime game and uses funds from ransomware payments to directly finance the regime.

Once the ransom money has been converted into more liquid forms (local currency), it can be used for a variety of purposes. Some of the ransom money is used to fund the attacker’s lifestyle, including expensive cars, luxury vacations, and high-end real estate. Other money is invested in other criminal operations or laundered through various financial institutions to make it appear as legitimate income.

While Hollywood likes to portray “hackers” as reserved types in hoodies sitting alone in a dark room, ransomware attacks are often carried out by organized crime syndicates. These organizations are extremely well connected and organized as well as any Fortune 500 company. As with any corporation, part of revenue goes back into product development funding development and distribution of new malware, the creation of botnets, and the purchase of stolen data on the dark web. This money can also be used to bribe law enforcement or government officials, allowing the attackers to operate with impunity.

Mr. Robot

The flow of ransomware money is complex and multifaceted, and it is difficult to determine exactly where it all goes. Some of it is used to fund the attackers’ lifestyles, while some is invested into developing new and more complex attacks.  Some attacks may directly or indirectly prop up nations.

If hit with ransomware, each company and individual must evaluate the cost rebuilding their systems and data against paying the ransom. However, that is a simplistic view of the equation. With the rise of corporate social responsibility, paying a ransom to restore services must consider what the ransom proceeds may support.

Paul Bergman
Follow me
Verified by MonsterInsights