Ransomware isn’t just a hot topic in the media, it’s a real and growing threat, according to a team of Google-led researchers. Google publicly presented its findings in a session titled “Tracking Ransomware End to End” at the Black Hat USA security conference in Las Vegas on July 26.
Ransomware has been a hot topic with Google users, with search queries for the term “ransomware” increasing by 877 percent over the past year, according to Elie Bursztein, anti-fraud and abuse research team lead at Google. To gain a better understanding of ransomware, Google worked with researchers from Chainalysis, the University of California at San Diego (UCDS) and New York University (NYU).
A key reason why ransomware is so devastating to victims is because not everyone has proper data backups, Bursztein said. According to Google data he cited, approximately only 37 percent of users back up their data on a regular basis.
When a victim of ransomware doesn’t have a backup, that’s when the business model of ransomware comes into play, as some of these victims will choose to pay the ransom to get their data back. Nearly all ransomware relies on the Bitcoin cryptocurrency as the payment model. Bursztein said Bitcoin is popular because it is easy for attackers to set up and Bitcoins are easily converted by attackers into cash.
Bitcoin is typically held in what is known as a Bitcoin wallet, which is also the address to which a victim will make a ransom payment. Ransomware attackers will move Bitcoins from multiple wallets into a single account that Luca Invernizzi, research scientist at Google, referred to as the criminal’s accumulation wallet.
“If we can identify the accumulation wallet, then we can look at the Bitcoin transaction ledger and discover victims,” Invernizzi said. “So it’s critical for us to discover the accumulation wallet.”
Google and its research partners used a multistage process to find accumulation wallets. One part of the process was to look across the internet and social media for ransomware reports, where victims reveal that they paid a ransom to a particular Bitcoin address. Going a step further, Invernizzi said Google infected its own isolated virtual machines with ransomware to get some ransomware Bitcoin payment addresses.
“We made micro-transactions to the different Bitcoin wallets that we discovered to uncover more of the ransomware payment network,” he said.
In addition, Google’s researchers collected 154,000 ransomware binary files from 34 different ransomware families to get a broad view of the ransomware ecosystem, according to Invernizzi. Google then applied machine learning techniques to scale and automate the ransomware Bitcoin wallet discovery process.
Based on the Google’s analysis, the researchers came up with an estimate of how much money was paid by ransomware victims from the beginning of 2014 until the end of the second quarter of 2017.
“We found that overall at least $25 million has been paid in ransomware,” Bursztein said. “We think this is a low-ball number.” There are likely many payments that Google did not discover, he added.
Google’s $25 million figure for ransomware payments is, however, higher than what was publicly reported to law enforcement. The FBI’s Internet Crime Center (ICE) 2016 Internet Crime Report revealed that ICE received just 2,673 ransomware complaints that resulted in victims losing approximately $2.4 million in 2016.
Prior to 2016, Google’s data shows minimal payments to ransomware wallets. Bursztein said that 2016 was the turning point for ransomware and was the first time that ransomware became a multimillion-dollar business.
“We are now fairly certain that ransomware is here to stay and will be with us for quite a long time due to its ability to return a lot of profit to malware authors,” Bursztein said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.