Speaking at Black Hat 2017 in Las Vegas, Luca Invernizzi, Kylie McRoberts and Elie Bursztein presented findings from research into the recent prevalence and impact of ransomware, revealing that, of the ransomware payments they were able to track, authors have made at least $25m in profit so far.
In a session titled ‘Tracking Desktop Ransomware Payments End to End’ the speakers described 2016 as a “turning point” and a year in which “ransomware became a multi-million dollar business” dominated by a few ‘kingpins’.
Of these kingpin ransomware strains, Locky was the most profitable ($7.8m), followed closely by Cerber ($6.9m), with Bursztein claiming that Cerber is likely to become the most profitable by the end of 2017 as “it is still very active.”
Interestingly, ransomware families increased the diversity of their binaries in 2017 to evade antivirus detection. On the payment side, the researchers found that 90% of victims who paid a ransom did so in a single transaction.
According to Kylie McRoberts, last year’s unprecedented ransomware activity was largely influenced by one particular ransomware family: Locky.
“We saw Locky really dominate the press last year and we saw ransomware infections starting to surge, and in particular we saw key infrastructure (like hospitals) targeted.”
One of the most important things about Locky, she added, was that it was the first family to make over a million dollars in revenue per month, and “that really highlighted the fact that ransomware is truly profitable for cyber-criminals.”
Among the newer ransomware strains, Cerber’s authors recognized the value of renting out their criminal infrastructure to affiliates and focusing on the code themselves.
“We think that Cerber’s successful use of ransomware as a service model has really highlighted that this isn’t a game for tech-savvy cyber-criminals anymore, it’s something that anyone can get involved in.”
To conclude, McRoberts said that recently we have seen the rise of “ransomware impostors”: malware that poses as ransomware but is designed to behave more like ‘wipeware’, with no intention of ever decrypting victims’ files and data.