
Ransomware - behind the curtain

Thursday, July 27, 2017 By Mark Mayne

Google study finds true extent of ransomware payments by painstakingly tracking transactions on the blockchain


A new study has uncovered some interesting aspects of ransomware, including more accurate figures on payments made by victims than ever before.

Overall, ransomware victims have paid more than $25m in ransom over the last two years, according to a study by researchers at Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. The study crunched the numbers by following payments through the Bitcoin blockchain, and by tracking addresses in specific malware families. The result is an extensive insight into the ransomware underworld, a sector that recently saw the biggest ransomware payment ($1m).

The study followed 34 different strains of malware, but identified Locky as the ‘patient zero’ of recent years, creating a huge spike in payments in early 2016. Locky variants alone have received $7m since then. The researchers attributed Locky’s particular advantage to the RaaS (Ransomware as a Service) model, which has led to role specialisation: developer teams maintain the malware code while other groups manage infection vectors, botnets and so on.

Locky was dethroned by another family, Cerber, in 2017, the latter earning $6.9m. Cerber offered many of the benefits of Locky and augmented them with its own affiliate marketing scheme, in which commissions were paid based on the number of victims who paid up. The blockchain records showed where affiliates made the most: between eight and ten affiliates collected the majority of the money, and a large number of them are still active today. Of the victims who paid, 90 per cent made just a single transaction, 9 per cent failed to account for the transaction fees, and a final 1 per cent made multiple transactions.
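As an added illustration of the tracing method described above (this is not code from the study or from the article), the following Python sketch attributes on-chain payments to a family through addresses taken from ransom notes, classifies each payer as single, underpaid or multiple-transaction, and follows the funds onward to the wallets they are swept into. All addresses, amounts and transactions are constructed sample values.

```python
from collections import defaultdict, deque
# Constructed sample (not from the study): ransom addresses taken from
# ransom notes, keyed by family with the demanded amount in BTC.
RANSOM_ADDRESSES = {"locky_a": ("Locky", 0.5), "locky_b": ("Locky", 0.5),
                    "cerber_a": ("Cerber", 1.0)}

# Constructed transactions: (txid, from_address, to_address, amount_btc).
TXS = [
    ("t1", "victim1", "locky_a", 0.5),     # exact single payment
    ("t2", "victim2", "locky_b", 0.4995),  # fee deducted from the ransom amount
    ("t3", "victim3", "cerber_a", 0.6),    # ransom paid in two instalments
    ("t4", "victim3", "cerber_a", 0.4),
    ("t5", "locky_a", "cashout_x", 0.5),   # operator sweeps funds onward
    ("t6", "locky_b", "cashout_x", 0.4995),
    ("t7", "cashout_x", "exchange_y", 0.9995),
]

def classify_payers(txs, ransom=RANSOM_ADDRESSES):
    """Return (total BTC per family, {(payer, ransom_addr): behaviour class})."""
    family_totals, per_payer = defaultdict(float), defaultdict(list)
    for _, src, dst, amt in txs:
        if dst in ransom:                       # inbound ransom payment
            family_totals[ransom[dst][0]] += amt
            per_payer[(src, dst)].append(amt)
    classes = {}
    for (src, dst), amounts in per_payer.items():
        if len(amounts) > 1:
            classes[(src, dst)] = "multiple"    # several transactions
        elif amounts[0] < ransom[dst][1]:
            classes[(src, dst)] = "underpaid"   # short of the demand, e.g. fee
        else:
            classes[(src, dst)] = "single"      # one transaction, full amount
    return dict(family_totals), classes

def trace_forward(txs, start_addrs, max_hops=3):
    """Follow funds onward from the ransom addresses; return every address
    reached within max_hops (consolidation wallets, exchange deposits...)."""
    out_edges = defaultdict(set)
    for _, src, dst, _ in txs:
        out_edges[src].add(dst)
    reached, queue = set(), deque((a, 0) for a in start_addrs)
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt in out_edges[addr] - reached - set(start_addrs):
            reached.add(nxt)
            queue.append((nxt, hops + 1))
    return reached
```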

The families of ransomware tracked largely affected individuals on Windows desktops; Google plans to present the full report at a security conference this week. A separate report estimated that the total paid out by victims of ransomware has now topped $1bn, having grown 600 per cent in 2016. Other analysts predict that ransomware damage costs will exceed $5bn in 2017, an increase of more than 15 times over 2015.

Ilia Kolochenko, security expert and CEO of High-Tech Bridge, commented: "Ransomware is a very serious problem; unlike other exaggerated trends, such as APT or IoT, ransomware is a fundamental economic problem. Cybercriminals quickly understood that they can easily and safely make quick money from this extortion, and started leveraging the approach everywhere: from hard drives to websites and even smart TVs.

I wouldn't be surprised if, in the future, attackers particularly target voting systems, hospitals or nuclear plants, and that governments will come to accept paying them any amount to get back access to life-critical systems. Ransomware phenomena will appear everywhere. Therefore, we cannot just solve a 'problem of ransomware'; we need instead to solve the global problem of cyber insecurity, such as vulnerable systems and missing backups."

While it is certain that ransomware will continue to be prevalent, the threat will clearly evolve to counter better data security and backup practices, as well as widen the net with varied infection vectors and strategies. Another likely change was telegraphed by the Shadow Brokers hacker group, which originally leaked the NSA vulnerabilities later exploited by WannaCry and NotPetya, when they switched from demanding payment in Bitcoin to demanding Zcash (ZEC). Zcash is far more private than Bitcoin, potentially making the kind of analysis Google has undertaken much harder or nearly impossible.

Either way, while businesses and individuals continue being infected and paying out for their data the cycle will continue...


Mark Mayne has covered the security industry for more than 10 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run B2B and B2C editorial sites.
