Victims of ransomware have paid more than $25 million during the past few years, according to researchers at Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering.
Google will present the findings at a security conference on Wednesday with the goal of alerting the public that ransomware continues to become more profitable and underscoring the importance of backing up files frequently.
The study tracked 34 separate families of ransomware strains between 2014 and mid-2017. Some companies have thrown around much larger numbers -- about $1 billion in 2016 -- but NYU professor Damon McCoy, who worked on the project, said the team was very conservative and only included the amount of hits tracked through blockchain and bitcoin payments.
Similar to the way blockchain can track and identify ads that run on specific publisher sites through programmatic channels, McCoy said the technology allowed researchers to "chase and identify each payment," from victim to ransomware operator, and in some cases can identify when the payments were cashed out.
At the beginning of 2016, a major strain of ransomware called Locky became the first to make more than $1 million per month in revenue, bringing in an estimated $7.8 million. The main innovation was that it managed to decouple the operation of the ransomware and maintenance of the software from the distribution and ability to spread the malware to victims. They recruited some of the major botnets and spam operators to distribute the ransomware.
Locky was dethroned by Cerber in 2017, when it earned an estimated $6.9 million. Cerber managed to successfully pull off an affiliate marketing scheme, in which people are paid a commission for every infected victim that pays the ransomware. The data shows how much each affiliate made. Between eight and 10 affiliates make the majority of the money, but there are a large number of affiliates who continue to distribute the ransomware.
About 90% of the victims paid the ransom in one transaction, whereas 9% did not account for the transaction fee, and the remainder split payments in multiple transactions.
Researchers tracked the payment to a Russian operated exchange point called BTCE, where they can exchange the bitcoin into other currency, McCoy said. "The bitcoin exchange in Russia probably means there very little we can do," he said.
The families of ransomware tracked largely affected individuals on Windows-running desktop computers. The study aims to highlight the danger of ransomware and explain the importance of backing up computer files to help protect against these types of malicious acts. Most people are infected with the virus either by clicking on an advertisement, through an email, or an infected website.