What About GandCrab’s $2 Billion? Ransomware Operators Pocketed Only $140 Million Over Six Years, FBI Calculates

Ryuk, Dharma, Bitpaymer, SamSam and other prominent ransomware strains have generated hundreds of millions of dollars for their authors, according to calculations by the FBI. Does that mean the GandCrab gang, which doesn’t even make the FBI’s list, was lying about pocketing $2 billion before closing shop? Well, not exactly.

Over the past three years, ransomware operators have been advancing their tools and techniques not only to evade detection, but also to wring the most profit out of an attack. One such innovation is the practice of stealing the victim’s data and threatening to publish it online if payment is denied. As one would imagine, it works. In what is essentially a fully fledged data breach, ransomware that also threatens to publish stolen data is a scary affair. Most victims end up paying.

Counting every victim and every ransomware strain is difficult, but the most prolific incidents and ransomware families inevitably crop up over the years. The FBI recently decided to take a macro look and see the damage done by the most efficient and profitable ransomware strains. According to Joel DeCapua, a special agent in the bureau’s global operations and targeting unit, the tally between January 2013 and July 2019 sits at $144.35 million. If the number strikes you as suspiciously low, you’re not alone.

Speaking at the RSA Conference 2020, DeCapua said Ryuk took the lead with $61 million between February 2018 and October 2019, and Crysis/Dharma came in second at $24 million between November 2016 and November 2019. Third on the list was Bitpaymer, making $8 million between October 2017 and September 2019. SamSam, one of the most-used strains in attacks on healthcare institutions, allegedly made $6.9 million for its authors between 2016 and 2018.

$64 million of the total ransoms paid to cybercrooks is said to have passed through virtual currency exchanges before the bad guys cashed out. $37 million remains unspent, the agent said.

Avid cybersecurity news readers will probably notice something wrong with these figures – especially those keeping a close eye on the GandCrab gang in 2018 and 2019. When the infamous ransomware-as-a-service was retired, its authors claimed to have amassed $2 billion in payments from victims. Even if that number is inflated, it still should have beefed up the FBI’s tally well beyond the half-a-billion mark. So why isn’t the FBI mentioning GandCrab, arguably the most prolific ransomware strain in history?

According to ZDNet, the FBI only counted ransomware families that made demands in Bitcoin, cybercriminals’ favorite digital currency. The GandCrab guys, as some readers may remember, demanded ransom in Dash, a crypto-currency that had just made its debut in cybercrime as GandCrab was wreaking havoc. There are, of course, many other ransomware strains out there cashing in using many different altcoins, so the real bottom line in ransomware profits is arguably much higher.

DeCapua also disclosed to his RSA audience that attackers mostly favor brute-force attacks on poorly secured Remote Desktop Protocol (RDP) instances, trying easy or common passwords until they get a match. And if RDP doesn’t cut it, phishing always works like a charm to trick unsuspecting users into handing over their login credentials.
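The RDP password-guessing DeCapua describes leaves a very recognizable trail on the target host: a burst of failed logons (Windows Security event 4625) with logon type 10 (RemoteInteractive) from a single source address, often cycling through common account names, sometimes followed by a success (event 4624) from the same source. The script below is an added example, not part of the article or of any FBI material; it runs a sliding-window detector over a handful of constructed log lines in a simplified one-line-per-event format that is an assumption of this example, not the real Windows event export format. The event IDs and logon type are the real Windows values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real exported Windows logs). One event per line:
# "<ISO timestamp> <EventID> <account> <source_ip> LogonType=<n>"
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-02-25T03:14:01 4625 administrator 203.0.113.45 LogonType=10
2020-02-25T03:14:09 4625 admin 203.0.113.45 LogonType=10
2020-02-25T03:14:20 4625 guest 203.0.113.45 LogonType=10
2020-02-25T03:14:31 4625 backup 203.0.113.45 LogonType=10
2020-02-25T03:14:44 4625 user 203.0.113.45 LogonType=10
2020-02-25T03:14:58 4625 test 203.0.113.45 LogonType=10
2020-02-25T03:15:10 4624 test 203.0.113.45 LogonType=10
2020-02-25T08:02:13 4625 jsmith 198.51.100.7 LogonType=10
2020-02-25T08:02:40 4624 jsmith 198.51.100.7 LogonType=10
2020-02-25T09:30:00 4625 jdoe 10.0.0.5 LogonType=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d{4})\s+(?P<account>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+LogonType=(?P<ltype>\d+)$"
)


def parse_events(text):
    """Parse the simplified log format into dicts, sorted by timestamp; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "account": m["account"],
            "ip": m["ip"],
            "ltype": int(m["ltype"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {ip: finding}. A finding records the total failures from that IP, the
    distinct account names tried, and whether a successful RDP logon from the same
    IP followed the burst within the window (which raises severity to "high").
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["ltype"] != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if e["event"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[-1]["ts"]
                success_after = any(
                    last_fail <= s["ts"] <= last_fail + window for s in successes[ip]
                )
                findings[ip] = {
                    "failures": len(fails),
                    "accounts": sorted({f["account"] for f in fails}),
                    "first_seen": fails[0]["ts"].isoformat(),
                    "last_seen": last_fail.isoformat(),
                    "success_after_burst": success_after,
                    "severity": "high" if success_after else "medium",
                }
                break  # one finding per source IP is enough
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed input only 203.0.113.45 is flagged: six failures across six account names in under a minute, then a successful logon twelve seconds later, so the finding is "high" and warrants immediate triage of the `test` account and that session. The single failure from 198.51.100.7 and the non-RDP failure from 10.0.0.5 are ignored. Detection is the last line of defense here; the mitigations that remove the attack surface the article describes are not exposing RDP directly to the internet, requiring MFA in front of it, and enforcing account lockout or rate limiting.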
