Tracking payments uncovers the true cost of ransomware
Victims have paid out more than $25 million as a result of ransomware in the past two years
A new survey has revealed the monetary costs of the most recent worldwide ransomware attacks, by tracking payments through secure systems.
Ransomware has become an increasingly common hazard in today's cyber landscape; WannaCry and NotPetya are just two recent examples that have affected thousands, if not millions, of machines. Despite advice against doing so, many firms continue to pay ransom demands, fuelling the cycle. The threat has become so prevalent that businesses are insuring themselves against infection by stockpiling digital currencies.
Researchers from Google, Chainalysis, UC San Diego and the NYU Tandon School of Engineering built a holistic picture of the ransomware ecosystem by following payments through blockchains (ransomware authors commonly demand digital currencies because of their anonymity) and comparing them against known samples. They found that victims of infections have paid more than $25 million in the last two years, The Verge reports.
The researchers tracked 34 families of ransomware, but the bulk of the profits came from just a few major strains. The first of these strains to make an appearance was Locky, in early 2016, which to date has garnered payments of more than $7 million. Other major success stories include Cerber ($6.9 million) and CryptXXX ($1.9 million).
NYU professor Damon McCoy told The Verge, "Locky's big advantage was the decoupling of the people who maintain the ransomware from the people who are infecting machines... Locky just focused on building the malware and support infrastructure. Then they had other botnets spread and distribute the malware, which were much better at that end of the business."
Ransomware authors are becoming more experienced and now find it easier to avoid antivirus software, largely because many such programs rely on fingerprinting, while the malware itself is polymorphic: it changes its signature to avoid detection. Marcin Kleczynski, CEO of Malwarebytes, told us at InfoSec this year, "That was fine back in the day, when malware took six months to update, but now you're looking for very, very generic behaviours."