Recently two global ransomware campaigns made headlines due to the incredible reach they managed to have.
Both WannaCry and NotPetya managed to reach hundreds of countries, despite only earning their authors about $140,000 and $10,000 respectively. These numbers are minimal, as according to a report, 34 ransomware families earned extortionists $25 million in only two years.
Presented at Blackhat, one of the largest computer security conferences in the United States, the report produced by researchers at Google, the University of California San Diego, New York University and blockchain analysis firm Chainalysis, found that ransomware only became massively profitable in the last year and a half.
According to Luca Invernizzi, both NotPetya and WannaCry were probably not made for financial gains, while the others were. He stated:
They [WannaCry and NotPetya] were clearly not interested in cashing out the money.
Researchers found that the ransomware ecosystem is dominated by two kingpins: Locky and Cerber.
The rise of the RaaS (Ransomware as a Service) model could have helped fuel the surge in the ecosystem’s profitability, as in early 2016 existing ransomware families managed to make about $100,000 a month. A few months later, the figure jumped to $2.5 million.
Cerber, according to presented data, has been consistently earning over $200,000 per month while Locky, the highest earner to date with $7.8 million extorted from victims, was the first to earn bad actors over $1 million in a single month.
These ransomware kingpins got to these numbers by infecting victims with the help of the Necurs botnet, which, according to research from IBM, has infected over six million computers worldwide.
To get in-depth knowledge on the ransomware market, researchers were able to use Google’s vast collection of malware files. It includes 301,588 ransomware files from 34 different strains. Moreover, they analyzed bitcoin transactions on the blockchain to reach the payout figures and determine how ransomware extortionists were cashing out their earnings. Researchers only added figures to the total when they had high confidence they were from a ransomware payment.
Cashing out Ill-Gotten Bitcoins
The report suggests 95% of criminals were using the popular bitcoin exchange BTC-e to cash out their extorted bitcoins, as most traced ransom payments ended up on the exchange. The conclusion comes at a time in which an alleged BTC-e admin, Alexander Vinnik, has been arrested for using the exchange to launder $4 billion in bitcoin.
According to reports, Vinnik laundered the money and did business in the U.S. without following proper protocols against money laundering. Moreover, as reported by CCN.com, he obtained funds from the Mt Gox hack and allegedly laundered them through BTC-e. Reuters adds that he also used Tradehill, another bitcoin exchange he owned, to help launder the funds.
Before news of Vinnik’s arrest and links to both BTC-e and Mt Gox started circulating, BTC-e went down. On Twitter, the exchange stated it was due to unplanned maintenance. The latest update claims it’ll be back up in five to 10 days.
Google’s report, and Vinnik’s arrest, seem to show that a recent report from the European Commission to the European Parliament and Council, that found that the implementation of appropriate Anti-Money Laundering (AML) and CTF (Counter-Terrorist Financing) legal framework will help mitigate the risk of digital currencies being misused, is seemingly correct.
A Texas Congressman had also called for AML/KYC compliance to stop bad actors from using cryptocurrencies to fund their campaigns.
Featured image from Shutterstock.