After a Sodinokibi affiliate posted partial transaction IDs for ransom payments, researchers were able to use that information to follow the affiliates' money trail and, in some cases, to see how they spend their illegal profits.

Earlier this month, McAfee examined the GandCrab Ransomware affiliate program and how the Sodinokibi Ransomware recruited its top performers to build a full-blown affiliate group after GandCrab shut down.

That coverage showed how an affiliate going by the name Lalartu used an underground malware and hacking forum to promote the Sodinokibi Ransomware RaaS.


In a new report, McAfee researchers continue their analysis of the Sodinokibi Ransomware by following the money, starting from the transaction IDs posted by that same affiliate.

Following the money trail

During its research into Sodinokibi affiliates, McAfee found another forum post from Lalartu, the affiliate who had previously vouched for the RaaS.

In this post, the affiliate shared a screenshot of partial transaction IDs showing about $287,499 in ransom payments received within 72 hours.


Transactions posted by Affiliate

By analyzing current ransomware samples, McAfee was able to determine that the average ransom demand was between 0.44 and 0.45 BTC, roughly $4,000 USD at the time. The payments in Lalartu's screenshot are consistent with this average.

With the support of Chainalysis, a blockchain analysis company, McAfee was able to recover the full transaction IDs from the partial ones in the affiliate's post and use them to map the Bitcoin transactions associated with these ransom payments.


Mapping Ransom Payments

This data then served as the starting point for McAfee's investigation into the bitcoin transactions of the Sodinokibi RaaS and its affiliates.

“Lalartu’s payments have served as a starting point and we’ve taken them from here,” said McAfee’s John Fokker, head of cyber investigations, in a conversation with BleepingComputer.

“We looked up the developers' portions of partners, based on transaction portions etc.” Based on the collected information, McAfee could see further ransom payments being made and a 60/40 or 70/30 revenue split between the affiliates and the RaaS operators.

“We see victims paying to their assigned wallets; from there it takes an average of two to three transactions before it goes to an ‘affiliate’ or ‘distribution’ wallet. From that wallet we see the split happening as the moniker ‘UNKN’ mentioned in his forum post we started this article with. The 60 or 70 percent stays with the affiliate and the remaining 40/30 percent is forwarded in multiple transactions towards the actors behind Sodinokibi.”


Tracing an affiliate’s transactions

McAfee also saw other affiliates using their bitcoins to purchase goods on underground markets. Such markets accept Bitcoin for illicit goods such as drugs, weapons and hacking tools.

In particular, one of the larger affiliates McAfee traced had a wallet holding 443 BTC, or about US$4.5 million, which shows that they are a major player.

“Following the traces of one particular affiliate, we ended up seeing large amounts of bitcoins being transferred into a wallet which had a total value of 443 BTC, around 4.5 million USD with the average bitcoin price.”

Bitcoin transactions are becoming less anonymous

While Bitcoin was designed as a decentralized payment method that gives buyers and sellers a greater degree of privacy, that privacy is slowly fading away with the rise of blockchain analysis services such as Chainalysis and others.

These services maintain a large database of already attributed bitcoin addresses and use it to track how bitcoins move. Because every transaction is public, once one address in a cluster has been attributed, every address that is spent together with it can be attributed as well, and the trail can be followed hop by hop to the next attributed cluster.
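As an added example (not McAfee's or Chainalysis' code, and not taken from the report), the following Python sketch reproduces the two techniques described in this article: the hop-by-hop flow analysis quoted from John Fokker above, which follows a ransom payment from the victim's assigned wallet until it fans out at a distribution wallet and measures the split, and the attribution described in this paragraph, implemented here as the common-input-ownership heuristic over a seed database of already attributed addresses. The ledger, the addresses and the seed labels are all constructed for illustration and correspond to nothing real.

```python
"""Toy money-trail analysis over a constructed Bitcoin-style ledger.

Added example; the transactions, addresses and labels below are invented.
Fees are ignored so the arithmetic stays exact.
"""
from collections import defaultdict

# Constructed ledger: each tx lists the addresses it spends ("in") and the
# addresses it pays with the amount in BTC ("out").
TXS = [
    # two victims pay their assigned ransom addresses (~0.45 BTC each)
    {"id": "t1", "in": ["victimA"], "out": [("ransomA", 0.45)]},
    {"id": "t2", "in": ["victimB"], "out": [("ransomB", 0.45)]},
    # two intermediate hops per payment before the funds are pooled
    {"id": "t3", "in": ["ransomA"], "out": [("hopA1", 0.45)]},
    {"id": "t4", "in": ["hopA1"], "out": [("collect", 0.45)]},
    {"id": "t5", "in": ["ransomB"], "out": [("hopB1", 0.45)]},
    {"id": "t6", "in": ["hopB1"], "out": [("collect", 0.45)]},
    # the distribution wallet splits the pool 70/30
    {"id": "t7", "in": ["collect"], "out": [("affiliate", 0.63), ("devshare", 0.27)]},
    # the 30% share is later spent together with an already attributed address
    {"id": "t8", "in": ["devshare", "opKnown"], "out": [("opCold", 0.30)]},
]

# Constructed seed database of attributed addresses (stands in for the large
# database of known addresses that commercial services maintain).
KNOWN = {"opKnown": "Sodinokibi operator"}


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    spent_by = defaultdict(list)
    for tx in txs:
        for addr in tx["in"]:
            spent_by[addr].append(tx)
    return spent_by


def trace_to_split(start_addr, txs, max_hops=10):
    """Follow funds forward one transaction at a time until they reach a
    transaction with several outputs (the candidate distribution wallet).
    Returns (transactions_before_split, split_tx); split_tx is None when the
    funds sit unspent or no fan-out is found within max_hops."""
    spent_by = build_spend_index(txs)
    addr, hops = start_addr, 0
    while hops < max_hops:
        spends = spent_by.get(addr)
        if not spends:
            return hops, None
        tx = spends[0]  # constructed ledger: each address is spent at most once
        if len(tx["out"]) > 1:
            return hops, tx
        addr = tx["out"][0][0]
        hops += 1
    return hops, None


def split_shares(tx):
    """Fraction of the transaction's outputs going to each address, largest first."""
    total = sum(v for _, v in tx["out"])
    return [(a, round(v / total, 2)) for a, v in sorted(tx["out"], key=lambda o: -o[1])]


def cluster_labels(txs, seed):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to be controlled by the same party, so a label on any input is
    copied to the others. Iterated to a fixpoint so labels spread along chains."""
    labels = dict(seed)
    changed = True
    while changed:
        changed = False
        for tx in txs:
            found = {labels[a] for a in tx["in"] if a in labels}
            if len(found) == 1:
                label = found.pop()
                for a in tx["in"]:
                    if a not in labels:
                        labels[a] = label
                        changed = True
    return labels


def analyse_ransom_address(ransom_addr, txs, seed):
    """Combine both steps: hops to the distribution wallet, the split ratio,
    and who (if anyone) the split outputs can be attributed to."""
    hops, split_tx = trace_to_split(ransom_addr, txs)
    if split_tx is None:
        return {"hops": hops, "distribution_wallet": None, "split": []}
    labels = cluster_labels(txs, seed)
    return {
        "hops": hops,
        "distribution_wallet": split_tx["in"][0],
        "split": [(a, share, labels.get(a, "unknown")) for a, share in split_shares(split_tx)],
    }


if __name__ == "__main__":
    print(analyse_ransom_address("ransomA", TXS, KNOWN))
```

On this ledger the payment to `ransomA` takes two transactions to reach the pooled wallet, which then pays 70% to an unattributed address and 30% to `devshare`; because `devshare` is later spent in the same transaction as the seeded `opKnown` address, the heuristic labels that 30% share as the operator's. Real analysis has to cope with change outputs, CoinJoin-style mixing and exchange wallets that deliberately break the heuristic, which this sketch ignores.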

According to a now-deleted Reddit AMA by an alleged Chainalysis employee, such services can in some cases also be used to identify the IP addresses of the sender and the recipient of a transaction.

For law enforcement, it is even easier to use IP addresses, the devices involved in a bitcoin transaction and potentially related users to identify the parties behind a payment.
