LAS VEGAS—Over the past two years, 35 unique ransomware strains earned cybercriminals $25 million, with Locky and its many variants being the most profitable.
The data comes from a study debuted Wednesday at Black Hat by Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. The study is unique in that it based its calculations on bitcoin payments traced through the blockchain. The result allowed researchers to create a precise picture of the ransomware ecosystem and who the top earners were, starting with Locky at $7.8 million in payments from victims, followed by Cerber and CryptXXX, which earned $6.9 million and $1.9 million respectively.
“Ransomware is here to stay and we will have to deal with it for a long time to come,” said Kylie McRoberts, a senior strategist with Google’s Safe Browsing team.
The results show that the last two high-profile ransomware attacks, WannaCry and NotPetya, were flops when it came to earning money. “Petya, NotPetya and other variants never earned money, because it was more wiper malware – not true ransomware,” McRoberts said. She called the wiper malware trend “the rise of the ransomware impostors.”
In contrast, researchers said Locky pulled in more than 28 percent of the $25 million earned by ransomware since 2016.
Locky’s secret, according to Luca Invernizzi, a research scientist in Google’s anti-abuse team, is that its authors focused on malware development and finessing the supporting botnet infrastructure. Keeping development separate from distribution allowed the malware to be spread wider and faster than its competitors.
Cerber’s success has come from its affiliate model, which allows it to sustain income of $200,000 a month, McRoberts said.
Researchers also singled out Spora as an up-and-coming ransomware to watch. They said the malware sets itself apart by integrating top-notch customer support, with features such as real-time chat to help victims navigate payments, and by offering immunity packages so that victims avoid getting hit by the ransomware again in the future.
According to Google, the malware writers behind CryptoLocker, Locky and Cerber have been getting better at evading detection by creating malware that automatically changes its binaries. The study found 23,000 unique binaries for Cerber in 2017 and 6,000 for Locky, out of a total of 301,588 binaries Google examined. That churn of binaries has been key to sneaking past antimalware protection, said Elie Bursztein, who leads Google’s anti-abuse research.
Google researchers warned that in the year ahead ransomware-as-a-service was going to become even more prevalent and so will the number of impostors looking to cause more damage than extort money.