Ransomware Extorts $25 Million in Payments over 2 Years
        
A team of researchers from New York University (NYU), University of California, San Diego (UCSD) and Google estimates that victims of ransomware have paid out more than $25 million over the last two years.
The team, which also included researchers from Chainalysis, a blockchain analysis firm, examined 300,000 files from more than 30 different kinds of ransomware and tracked blockchain payments to estimate the amount and scale of money paid by victims. Their findings were presented at the Black Hat USA 2017 conference.
Danny Yuxing Huang, a Ph.D. candidate in Computer Science and Engineering at UCSD and one of the researchers on the project, tracked bitcoins as they moved from potential victims to ransomware operators and from ransomware operators to coin exchanges, perhaps for liquidation.
"By masquerading as a part of the ransomware infrastructure," said Huang in a prepared statement, "I also gathered statistics on infected computers, such as the number of infections over time, and the geographical distribution of infected machines."
Last year was the first year ransomware was a multi-million-dollar industry, according to the researchers, and it wasn't necessarily the best-known ransomware that accounted for that growth.
The WannaCry attack, for example, generated seemingly endless headlines as it froze hospitals and more than 10,000 other organizations out of their own records, but it only pulled in about $140,000, good for the 11th spot on the list of ransomware with the largest payouts.
The researchers also noted that WannaCry wasn't true ransomware, but wipeware, as victims were not able to retrieve their data even after paying the ransom.
Locky and Cerber grabbed fewer headlines than WannaCry, but they're raking in money at $7.8 million and $6.9 million, respectively, in paid ransoms to date.
Locky is also notable for being the first ransomware to generate more than $1 million in monthly payments.
"Locky's big advantage was the decoupling of the people who maintain the ransomware from the people who are infecting machines," said Damon McCoy, assistant professor of computer science at NYU, in a prepared statement. "Locky just focused on building the malware and support infrastructure. Then they had other botnets spread and distribute the malware, which were much better at that end of the business."
        
About the Author

Joshua Bolkan is contributing editor for Campus Technology, THE Journal and STEAM Universe. He can be reached at [email protected].