Ransomware victims have paid more than $25 million in ransoms over the last two years, according to a study presented today by researchers at Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. By following those payments through the blockchain and comparing them against known samples, the researchers were able to build a comprehensive picture of the ransomware ecosystem.

Ransomware has become an almost unavoidable threat in recent years. Once a system is infected, the program encrypts all local files with a key held only by the attackers, who then demand thousands of dollars in bitcoin to restore access. It’s a destructive but profitable attack, one that’s proven particularly popular among cybercriminals. This summer, computers at San Francisco’s largest public radio station were locked up by a particularly brutal ransomware attack, forcing producers to rely on mechanical stopwatches and paper scripts in the aftermath.

The study tracked 34 separate families of ransomware, with a few major strains bringing in the bulk of the profits. The data shows a ransomware strain called Locky as patient zero of the recent epidemic, spurring a huge uptick in payments when it arrived in early 2016. In the years that followed, the program would bring in more than $7 million in payments.

“Locky’s big advantage was the decoupling of the people who maintain the ransomware from the people who are infecting machines,” says NYU professor Damon McCoy, who worked on the project. “Locky just focused on building the malware and support infrastructure. Then they had other botnets spread and distribute the malware, which were much better at that end of the business.”

Other strains soon caught on. Cerber and CryptXXX followed a similar playbook to rake in $6.9 million and $1.9 million, respectively.
In each case, the number reflects total payouts made by victims, and it’s unclear how much of the money made it back to the original ransomware authors.

The same data shows ransomware authors getting smarter about avoiding antivirus software. Once a particular malware program has been identified, antivirus systems typically scan for matching binaries — an identical copy of the recovered program. But modern malware can automatically change the binary once a given strain is detected, a trick that ransomware programs have learned well. Researchers found thousands of new binaries a month associated with the Cerber ransomware, allowing it to skate past many signature-based antivirus systems.
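To make the detection gap concrete, here is an added illustration (not code from the study or from any antivirus product) comparing an exact-hash signature with a byte-pattern rule over constructed toy samples; the sample bytes, the "family routine" and the per-build offset rewrite are all assumptions made for the demonstration.

```python
import hashlib

# Constructed toy samples standing in for builds of one ransomware family.
# The family-specific routine is kept across builds, but each build shifts
# it and rewrites the 4-byte call offset inside it (assumed for illustration).
def build(offset: bytes, prefix: bytes, suffix: bytes) -> bytes:
    routine = b"\x55\x8b\xec\x83\xec\x40\xe8" + offset + b"\x5b\xc9\xc3"
    return b"MZ" + prefix + routine + suffix

SAMPLES = {
    "build-feb": build(b"\x10\x00\x00\x00", b"\x00" * 8, b"\x90" * 4),
    "build-mar": build(b"\x2a\x01\x00\x00", b"\x00" * 11, b"\x90" * 2),
    "benign":    b"MZ" + b"\x00" * 8 + b"\x31\xc0\xc3" + b"\x90" * 12,
}

# Exact-hash signatures only cover builds that have already been collected.
KNOWN_HASHES = {hashlib.sha256(SAMPLES["build-feb"]).hexdigest()}

# A YARA-style byte pattern: None is a wildcard for bytes that change per build.
RULES = {
    "ransom-family-x": [0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0xE8,
                        None, None, None, None, 0x5B, 0xC9, 0xC3],
}

def hash_match(blob: bytes) -> bool:
    """True only if this exact binary was seen before."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_HASHES

def pattern_match(blob: bytes):
    """Return the name of the first rule whose pattern occurs in the blob."""
    for name, pat in RULES.items():
        for i in range(len(blob) - len(pat) + 1):
            if all(p is None or blob[i + j] == p for j, p in enumerate(pat)):
                return name
    return None

def classify(samples):
    """Map sample name -> (hash hit, pattern rule hit or None)."""
    return {n: (hash_match(b), pattern_match(b)) for n, b in samples.items()}

if __name__ == "__main__":
    for name, (h, p) in classify(SAMPLES).items():
        print(f"{name:10} hash-hit={h!s:5} pattern={p}")
```

The March build, which differs only in placement and a call offset, slips past the hash check but still trips the pattern rule, which is why signature databases of exact binaries lag behind families that rebuild themselves.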