Ransomware victims are paying out millions a month. One particular version has cost them the most

Over six-and-a-half years, ransomware victims have handed over vast amounts of bitcoin to crooks. Some variants of the malware have generated more ransom than others.
Written by Steve Ranger, Global News Director

Ransomware victims have paid out more than $140 million to crooks over the last six-and-a-half years, according to calculations by the FBI.

Joel DeCapua, an FBI special agent in the global operations and targeting unit, told the RSA Conference 2020 that ransoms worth $144.35 million were paid between January 2013 and July 2019. The FBI only looked at ransoms paid in bitcoin, so the actual figure is likely even higher, although bitcoin is the cryptocurrency of choice for cyber-extortionists.

Ryuk was the leading ransomware variant, generating roughly $61m between February 2018 and October 2019. Crysis/Dharma was the second most lucrative ransomware, generating $24m between November 2016 and November 2019. Third on the list, Bitpaymer, generated $8 million between October 2017 and September 2019, while SamSam managed $6.9m between January 2016 and the end of November 2018.

DeCapua said that a huge chunk -- around $64m -- of that ransom then passed through virtual currency exchanges as crooks looked to cash out, although $37m remains in wallets as unspent bitcoin. 

The advice from law enforcement agencies is not to pay the ransoms demanded by crooks. That's because paying the ransom won't guarantee you get your data back (you're dealing with crooks after all) and paying up will further fuel the criminal activity of these gangs and allow them to target more victims. However, when faced with losing their critical data, or an even higher bill to rebuild from scratch, a proportion of organisations will pay the ransoms. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

In terms of how ransomware attacks begin, DeCapua said that Remote Desktop Protocol (RDP) provides the initial foothold in 70% to 80% of incidents.

Mostly this is done by brute-force attacks on RDP – that is, the use of automated tools to try password variations until one works.

"It's brute force because there are really, really bad passwords or there are just complex passwords that are re-used all over the place and they end up on some password cracking list," said DeCapua. If cracking RDP is not the source of the ransomware infection, then it will be phishing, he said.

Not using human-readable passwords, he said, is a step towards halting ransomware. "If you can tell your password to someone else in under 30 seconds, it's probably not a secure password," he said, along with closer monitoring of networks. That's because, while it may be hard to stop hackers getting onto the network, it is much easier to spot their tracks as they move about inside the network -- which is when you can catch them.

He also said companies should have a plan for what to do if they are hit with ransomware, and a backup – offline.

Editorial standards