Ransomware Victims Have Paid $25 Million in the Span of 2 Years, Google-Led Study Shows
Since 2016, ransomware victims have paid over $25 million to cyber criminals, according to a new Google-led study with input from researchers at the University of California San Diego (UCSD), New York University (NYU) and Chainalysis.
Google researchers – Elie Bursztein, Kylie McRoberts, Luca Invernizzi – in the study called “Tracking desktop ransomware payments end to end” found that over the period of 2 years, ransomware criminals have earned a total of $25,253,505.
"A niche term just two years ago, ransomware has rapidly risen to fame in the last year, infecting hundreds of thousands of users, locking their documents, and demanding hefty ransoms to get them back,” Bursztein, McRoberts and Invernizzi said. “In doing so, it has become one of the largest cybercrime revenue sources, with heavy reliance on Bitcoins and Tor to confound the money trail.”
According to Google, since 2016 there has been an 877% increase in search queries for the keyword “ransomware” – the term for malware that encrypts victims’ computers and demands a ransom payment for the key to unlock them.
The top 10 ransomware earners, according to the Google-led study, are Locky (with total earnings of $7.8 million), followed by Cerber ($6.9 million), CryptoLocker ($2 million), CryptXXX ($1.9 million), SamSam ($1.9 million), CryptoWall ($1.2 million), AlNamrood ($1.2 million), TorrentLocker ($1 million), Spora ($0.8 million) and CoinVault ($0.2 million).
According to the study, a ransomware goes through the following process:
Aside from being the top-grossing ransomware since 2016, Locky was cited by the Google-led study as one of the notable ransomware families for being the first ransomware to earn $1 million per month.
The Google-led study said Locky brought “ransoms to the masses”. This ransomware first appeared in February 2016. According to Symantec, cyber criminals aggressively spread this malware by using compromised websites and massive spam campaigns. This malware encrypts files on victims’ computers and demands ransom payment.
Allen Stefanek, president and CEO of Hollywood Presbyterian Medical Center, publicly admitted that as a result of a Locky ransomware attack, the hospital paid 40 bitcoins – equivalent to nearly $17,000. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”
This ransomware is another notable ransomware cited by the study for its consistent income of $200,000 per month for over a year. This malware first appeared in February 2016.
According to Kaspersky Lab, this ransomware, also dubbed a “multipurpose malware”, encrypts files and demands money for their safe return when executed via an email attachment. According to Kaspersky Lab, it also infects computers for other purposes, such as taking part in a distributed denial of service (DDoS) attack or acting as a spambot.
Wipeware vs. Ransomware
It is worth noting that the Google-led study didn’t include WannaCry and NotPetya (also known as Petya) in the top 10 highest-grossing ransomware of the past two years. WannaCry ranked only 11th, with total earnings of $0.1 million.
The Google-led study classified WannaCry and NotPetya as ransomware “impostors”. The study found that even if WannaCry and NotPetya victims paid the ransom, they still couldn’t unlock their computers. “Wipeware pretending to be ransomware is on the rise,” the researchers noted.
Matt Suiche from Comae Technologies, who concluded that NotPetya is a wiper, not a ransomware, explained the difference between a wiper and ransomware:
"The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) – a wiper would simply destroy and exclude possibilities of restoration."
WannaCry first appeared last May 12; NotPetya first appeared last June 27. While WannaCry affected hundreds of thousands of computers around the world, NotPetya only affected tens of thousands of computers worldwide. The glaring similarity between WannaCry and NotPetya is how they affected major government institutions and big companies.
WannaCry disrupted the operations of UK’s National Health Service, Renault's assembly plant in Slovenia, U.S. express delivery company FedEx and Spanish telecommunications company Telefonica. NotPetya, meanwhile, disrupted the operations of the Chernobyl nuclear plant, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, Cadbury and Oreo-maker Mondelez and Russian oil and gas giant Rosneft.
How to Protect Your Organization from Ransomware and Wipeware
Here are 4 tips on how to protect your organization from ransomware and wipeware:
1. Backup Your Data
According to the Google-led study, ransomware criminals were able to inflict significant damage on their victims because only 37% of computer users back up their data.
In today’s digital world, organizations operate effectively because of data availability. Given the importance of data to your organization, it should be protected at all costs.
When it comes to data backup, having one backup file may not be enough to safeguard your organization’s data. The United States Computer Emergency Readiness Team (US-CERT) recommends that organizations follow the “3-2-1 rule”:
2. Keep Your Operating System and Other Software Updated
Microsoft’s Windows 10 update, for instance, can help detect the latest batch of Cerber ransomware.
3. Disable Loading of Macros in Office Programs
“To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros,” Microsoft said.
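One way to check whether that macro setting is actually in force for the current user is to read the `VBAWarnings` registry value for each Office application. The script below is an added example, not code from Microsoft or from the study; it assumes Office 2016 or later (the `16.0` registry branch) and an illustrative list of three applications.

```powershell
# Added example: audit the per-user Office macro setting (VBAWarnings).
# Assumption: Office 2016 or later, which uses the 16.0 registry branch.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'   # illustrative list, extend as needed

# Meaning of each VBAWarnings value in the Office Trust Center.
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

$report = foreach ($app in $apps) {
    # A Group Policy value takes precedence over the user's own choice,
    # so the Policies branch is checked first.
    $candidates = @(
        "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security",
        "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    )
    $value  = $null
    $source = 'not set (application default applies)'
    foreach ($path in $candidates) {
        $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value  = [int]$item.VBAWarnings
            $source = $path
            break
        }
    }
    [pscustomobject]@{
        App     = $app
        Value   = $value
        Setting = if ($null -ne $value -and $meaning.ContainsKey($value)) { $meaning[$value] } else { 'default' }
        Source  = $source
        # 3 is the recommended setting quoted above; 4 is stricter and also passes.
        Meets   = ($value -eq 3 -or $value -eq 4)
    }
}

$report | Format-Table -AutoSize
```

Rows where `Meets` is `False` and `Source` is not a `Policies` path are the ones a user can change on their own, which is where enforcing the value through Group Policy matters most.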
4. Think before You Click
Refrain from opening emails from senders you don’t recognize. Don't click or open the following attachments: