Ransomware victims have paid more than $25 million in ransoms over the last two years. This information comes courtesy of a study carried out by researchers at Google, Chainalysis, UC San Diego and the NYU Tandon School of Engineering. The researchers built a comprehensive picture of the ransomware ecosystem by following payments through the blockchain and comparing them against known samples.
This is hardly surprising, as ransomware has become an almost unavoidable threat in recent years. Once a system is infected, the program encrypts all local files so that they can be decrypted only with a private key held by the attackers, who then demand thousands of dollars in exchange for restoring the files.
This study tracked 34 separate families of ransomware, with a few major strains bringing in the bulk of the profits. The data shows a peculiar strain called Locky as patient zero of the recent epidemic, spurring a huge uptick in payments when it arrived in early 2016. In the years that followed, the problem would cost ransomware victims over $7 million. Soon, other strains caught up. Cerber and CryptXXX cost victims a total of $6.9 million and $1.9 million, respectively. In each case, the number reflects total payouts made by victims. It is not quite clear how much of the money made it back to the original ransomware authors.
The same data shows authors getting smarter about avoiding antivirus software. Once a particular malware program has been identified, antivirus systems typically scan for matching binaries, which are identical copies of the recovered program. But modern malware can automatically change the binary once a given strain is detected, a trick that ransomware programs have now mastered. Researchers found thousands of new binaries a month associated with the Cerber malware, which allows it to get past many signature-based antivirus systems.