Google Study Discovers Ransomware Victims Paying Out More Than $25 million

Victims of ransomware attacks have paid more than $25 million in ransoms over the last two years, according to a study presented today by researchers at Google, UC San Diego, Chainalysis and the NYU Tandon School of Engineering. By tracing those payments through the blockchain and comparing them against known ransomware samples, the researchers were able to build a comprehensive picture of the ransomware ecosystem.

Ransomware has become an almost inevitable threat in recent years. Once a system is infected, the program encrypts all local files with a key held only by the attackers, who then demand thousands of dollars in bitcoin from the victim to recover the system. The attack is destructive but profitable, and it has proven particularly popular among cybercriminals. This summer, computers at San Francisco’s largest public radio station were locked up by an especially brutal ransomware attack, forcing producers to rely on mechanical stopwatches and paper scripts in the aftermath.

The study followed 34 separate families of ransomware and found that a few major strains brought in the majority of the profits. The data shows that a strain called Locky was the patient zero of the recent epidemic, spurring a huge increase in payments on its arrival in early 2016. In the years since, the program has brought in more than $7 million in payments.

Importantly, Locky was the first ransomware program to keep its payment and encryption infrastructure separate from the groups distributing the malware, which allowed it to spread faster and farther than its competitors.

“Locky’s big advantage was the decoupling of the people who maintain the ransomware from the people who are infecting machines,” says NYU professor Damon McCoy, who worked with the project. “Locky just focused on building the malware and support infrastructure. Then they had other botnets spread and distribute the malware, which were much better at that end of the business.” 

Other strains soon caught on. Cerber and CryptXXX adopted a similar playbook to rake in $6.9 million and $1.9 million, respectively. In each case the figure reflects the total paid out by victims of the attack, and it is not clear how much of that money made its way back to the original ransomware authors.

The same data shows that ransomware authors are getting smarter about evading antivirus software. Once a specific malware program has been identified, antivirus systems typically scan for matching binaries, that is, identical copies of the recovered program. But modern malware can automatically change its binary once a given strain has been detected, a trick that ransomware programs have learned well. During the study, the researchers observed thousands of new binaries a month associated with the Cerber ransomware, allowing it to slip past many signature-based antivirus systems.
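To make the last point concrete, here is an added Python example (not from the study or from the article) contrasting an exact-hash signature with a byte-pattern signature over the invariant part of a constructed toy "binary"; the sample bytes, the variant builder and the pattern are all invented for illustration and stand in for the per-build churn the article describes.

```python
import hashlib
import re
from typing import Tuple

# Constructed toy "binary": an invented byte string standing in for a recovered
# ransomware sample. Nothing here is real malware code.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"                                # header bytes
    + b"\x00" * 32                               # header padding
    + b"OPEN_FILE;ENCRYPT_WITH_KEY;WRITE_NOTE"   # invariant "code" region
    + b"\x90" * 8                                # alignment padding
    + b"BUILD=0001"                              # trailer that changes per build
)

# Signature style 1: exact identity, one SHA-256 per recovered binary.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Signature style 2: a byte pattern over the invariant code region, with the
# padding that varies between builds wildcarded (the idea behind YARA-style rules).
PATTERN_SIGNATURE = re.compile(rb"OPEN_FILE;ENCRYPT_WITH_KEY;WRITE_NOTE[\x90]{0,64}BUILD=")


def hash_match(blob: bytes) -> bool:
    """True only if the blob is byte-for-byte a known sample."""
    return hashlib.sha256(blob).hexdigest() in HASH_SIGNATURES


def pattern_match(blob: bytes) -> bool:
    """True if the invariant code region is present, whatever the padding."""
    return PATTERN_SIGNATURE.search(blob) is not None


def rebuilt_variant(build: int) -> bytes:
    """Constructed stand-in for a re-issued build: identical code region, but
    the padding lengths and the build tag differ from the recovered sample."""
    return (
        b"MZ\x90\x00"
        + b"\x00" * (32 + build % 5)
        + b"OPEN_FILE;ENCRYPT_WITH_KEY;WRITE_NOTE"
        + b"\x90" * (8 + build % 3)
        + b"BUILD=%04d" % build
    )


def detection_counts(n_variants: int) -> Tuple[int, int]:
    """Return (hash_hits, pattern_hits) over n constructed variants."""
    variants = [rebuilt_variant(b) for b in range(1, n_variants + 1)]
    return (sum(hash_match(v) for v in variants),
            sum(pattern_match(v) for v in variants))


if __name__ == "__main__":
    print("recovered sample:", hash_match(KNOWN_SAMPLE), pattern_match(KNOWN_SAMPLE))
    print("hash hits / pattern hits over 1000 rebuilt variants:", detection_counts(1000))
```

The hash signature catches only the exact recovered file, while the pattern signature keyed on invariant code still fires on every rebuilt variant, which is why defenders pair hash indicators with behavioural and pattern-based detection.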
