Ransomware took in $1 billion in 2016--improved defenses may not be enough to stem the tide

According to a security expert who requested anonymity, ransomware cybercriminals took in about $1 billion last year

Increased user awareness of phishing threats, better antivirus technology, more industry-wide information sharing and cross-border efforts by law enforcement authorities will combine to turn the tide against ransomware this year, according to some security experts, but others expect the attacks to continue to increase.

According to a security expert who requested anonymity, ransomware cybercriminals took in about $1 billion last year, based on money coming into ransomware-related Bitcoin wallets.

That includes more than $50 million each for three wallets associated with the Locky ransomware, and a fourth one that processed close to $70 million. Cryptowall brought in close to $100 million before it was shut down this year. CryptXXX gathered in $73 million during the second half of 2016, and Cerber took in $54 million, the expert said.

Smaller ransomware families brought in another $150 million, and the FBI has reported $209 million in ransomware payments during the first three months of 2016. In addition to this $800 million or so in known payments, there are many other Bitcoin wallets that are unknown to researchers and uncounted, pushing the estimated total to $1 billion for all of 2016.

"The $1 billion number isn't at all unreasonable and might even be low," confirmed Mark Nunnikhoven, vice president of cloud research at Trend Micro.

"It's getting difficult to track the amount of money flowing into criminals' Bitcoin wallets because they've started to try and hide the transactions across a large number of wallets," he added.

He said that there was a 400 percent increase in ransomware variants last year, and he expects to see a 25 percent growth in ransomware families in 2017.

"What we're seeing is a bit of a maturation in how to execute these attacks, so we're expecting a leveling off to a more realistic growth curve," he said.

But criminals will continue innovating because of how profitable ransomware is.

"I don't think we'll see the 100 percent growth that we saw from 2015 to 2016," said Allan Liska, intelligence analyst at Recorded Future. "I think we'll probably see a 50 percent growth."

The markets for stolen medical records, credit card numbers and email addresses are collapsing, he said.

"Not only is it taking a while to get paid, but they're not getting paid as much as they used to," he said.

Meanwhile, ransomware is an easy business to get into, the payout is immediate, and it offers an ongoing revenue stream.

"There's no incentive for them to discontinue ransomware," he said.

Some experts expect growth to be even higher.

Successful ransomware attacks will double this year, predicted Tom Bain, vice president at CounterTack.

"The reality is that every single customer I speak to, anyone in the industry really, this is their number one concern," he said.

Better defensive technology and collaboration will help, he said, but the problem is going to get worse before it starts to get better.

Gartner analysts estimate that there were between 2 million and 3 million successful ransomware attacks in 2016, and that the frequency will double year over year through 2019.

"I think they're right," said Bain.

But not all experts think the future is quite that bleak.

Raj Samani, vice president and CTO at Intel Security, predicts that anti-ransomware efforts will begin to pay off in the next few months.

"We'll see a spike earlier on this year, but then I anticipate our efforts with law enforcement to be successful," he said.

Intel, along with Kaspersky Lab, Europol, and the Dutch National High Tech Crime Unit, formed an alliance this past summer, No More Ransom. Since then, more than a dozen other law enforcement agencies have joined, including those of Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland, and the United Kingdom. Several other security vendors have also joined.

"Now that we've got more law enforcement agencies on board, and more private sector firms, we expect to see an increase in successful take-down operations," said Samani.

In addition to working together to bring down ransomware operations, the group also distributes free anti-ransomware tools.

That, together with more user awareness about phishing and better detection technologies, will stop the growth of this attack vector, Samani said.

"As an industry, we've started to develop new products, sandboxing, threat intelligence exchanges," he said. "It is getting better."

However, he warned that malware authors do have one significant advantage.

"There's an asymmetry of information," he said. "They have tools and services that will allow them to run their malware through all the anti-virus engines out there. They can install our products and they know how our products work because we openly talk about them. This is one of the big security challenges."
