4 of 2020’s Biggest Ransomware Strains Linked to Majority of Attacks
The four most prominent ransomware strains of 2020, Maze, Egregor, SunCrypt and Doppelpaymer, have connections that lead back to the same Ransomware as a Service (RaaS) network and affiliates.

According to the new Chainalysis 2021 Crypto Crime Report, the connections established between the four strains indicate that they may be controlled or carried out by the same group of people.

“There may be fewer cybercriminals responsible for ransom attacks than one would initially think, given the number of individual attacks, distinct strains and amount stolen from victims.”

RaaS is a business model in which ransomware developers lease or sell strains of their ransomware to affiliates, who in turn use them to attack individuals or organizations.

Cybersecurity researchers identified strong links between the four strains, all of which were active in 2020. They were used to attack companies and institutions including Barnes & Noble, LG, Pemex and University Hospital New Jersey.

“All four use the RaaS model, meaning that affiliates carry out the ransom attacks themselves and pay a percentage of each victim payment back to the strain’s creators and administrators.”

Additionally, all four strains use the same double-extortion method: in addition to encrypting a victim's data, the attackers steal a copy of it and threaten to publish it online for extra leverage.

Ransomware Strains are Interlinked

The Maze strain went quiet shortly after Egregor became active in Q4 2020, and in November its administrators announced that the operation was shutting down, citing reduced activity.

“Some cybersecurity researchers see this as evidence that Maze and Egregor are linked in some way.”

Researchers further suggested that Maze's operators either rebranded as Egregor or moved over to Egregor's operation, with a falling-out between the two groups leading to the split.

“Maze and Egregor share much of the same code, the same ransom note, and have very similar victim payment sites.”

SunCrypt has also been linked to Maze more than once, including in a privately circulated report from a threat intelligence firm stating that SunCrypt is a rebrand of a well-known ransomware strain.

A connection between Egregor and Doppelpaymer has also been established through a 78.8 BTC Egregor ransom payment that was traced to a wallet suspected of belonging to a Doppelpaymer administrator.

Useful Information for Law Enforcement

Chainalysis concludes that law enforcement agencies could use this information to widen their crackdowns and, with a single takedown, halt the operations of several well-known interlinked strains at once.

“Evidence suggests that the ransom world is smaller than one may initially think, given the number of unique strains currently operating.”

Ransomware payments grew by 311% in 2020, with roughly $350 million paid by victims to attackers, even as the share of cryptocurrency activity linked to crime fell by about 83%.