Figures from the U.S. Federal Bureau of Investigation (FBI) show that at least $144.35 million in Bitcoin was paid by victims of ransomware attacks between January 2013 and July 2019, around $1.83 million a month. That figure only includes ransoms paid in Bitcoin, and the FBI is not notified of all ransom payments, so the true total is likely to be substantially higher.
Over the past 6.5 years there have been many ransomware variants released and some have proven to be more successful than others. The criminal organization behind Ryuk ransomware has earned the most through ransomware attacks, generating more than $61 million in ransoms between February 2018 and October 2019. $24 million was paid by victims of Crysis/Dharma ransomware attacks between November 2018 and November 2019, Bitpaymer attacks generated $8 million in ransom payments between October 2017 and September 2019, and the SamSam ransomware gang generated $6.9 million in ransom payments between January 2016 and November 2018.
At the RSA Conference 2020, FBI special agent Joel DeCapua explained that the cybercriminals behind these campaigns had cashed out $64 million over the past 6.5 years through cryptocurrency exchanges and around $37 million remains in wallets and has yet to be spent.
By far the most common attack vector is Remote Desktop Protocol (RDP), which is used to gain access to networks in 70%-80% of ransomware attacks. These attacks are automated and use brute-force tactics to guess weak passwords. Stolen credentials are also commonly used to gain access: strong passwords may have been set, but they are often reused across multiple platforms, and a data breach at one company sees those passwords added to the cracking lists used in attacks on other companies. The remaining 20%-30% of attacks mostly involve phishing.
DeCapua said the best defense against ransomware attacks is to use strong, non-human-readable passwords and ensure the network is closely monitored. Preventing attackers from gaining access to the network can be a challenge, but it is far easier to identify attacks in progress when attackers are moving inside the network and attempting to gain access to as many devices as possible. Close monitoring of the network will allow IT teams to identify an attack in progress and take action before any damage is caused. Oftentimes, attackers spend days, weeks, or months in the network before they deploy their ransomware payloads.
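As an added example (not from the article or the FBI), this is the kind of monitoring DeCapua describes, applied to the RDP vector from the previous paragraph: a Python check over constructed log lines modelled on Windows Security Event 4625 (failed logon, LogonType 10 = RDP) that flags a source address with many failures in a short window, or failures spread across several accounts. The log line format, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) modelled on Windows Security Event 4625; LogonType 10 = RDP.
SAMPLE_EVENTS = [
    "2020-02-25T10:00:01 4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2020-02-25T10:00:09 4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2020-02-25T10:00:17 4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2020-02-25T10:00:26 4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2020-02-25T10:00:34 4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2020-02-25T10:02:00 4625 LogonType=10 Account=jsmith Source=198.51.100.22",
    "2020-02-25T10:02:30 4625 LogonType=10 Account=mjones Source=198.51.100.22",
    "2020-02-25T10:03:00 4625 LogonType=10 Account=backup Source=198.51.100.22",
    "2020-02-25T09:15:00 4625 LogonType=10 Account=alee Source=192.0.2.10",
    "2020-02-25T09:15:20 4624 LogonType=10 Account=alee Source=192.0.2.10",
    "2020-02-25T10:05:00 4625 LogonType=3 Account=administrator Source=203.0.113.7",
]

def parse_event(line):
    """Parse one constructed line into a dict (returns None if malformed)."""
    try:
        ts, event_id, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec.update(ts=datetime.fromisoformat(ts), event_id=event_id)
        return rec
    except ValueError:
        return None

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5), spray_accounts=3):
    """Map source IP -> reasons: >= threshold RDP failures in a sliding window,
    or failures against >= spray_accounts distinct accounts (password spraying)."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_event, lines)):
        if rec["event_id"] == "4625" and rec.get("LogonType") == "10":
            failures[rec["Source"]].append((rec["ts"], rec["Account"]))
    alerts = {}
    for src, events in sorted(failures.items()):
        times = sorted(t for t, _ in events)
        accounts = {a for _, a in events}
        reasons = []
        for i, start in enumerate(times):  # sliding window anchored at each failure
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                reasons.append(f"{n} failed RDP logons within {window}")
                break
        if len(accounts) >= spray_accounts:
            reasons.append(f"{len(accounts)} distinct accounts targeted")
        if reasons:
            alerts[src] = reasons
    return alerts
```

Successful logons (4624) and non-RDP logon types are ignored, so a user who mistypes a password once and then signs in is not flagged.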
Security awareness training needs to be provided to everyone in the organization, with a focus on phishing identification. It is also essential that good backup policies are adopted, and backups are frequently created and stored offline where they cannot be accessed by attackers. In the event of an attack, organizations will then have options for restoring data.
The FBI does not recommend paying the ransom as there have been many cases where the attackers have just pocketed the money and have not provided valid keys to decrypt data. Ransom payments also fuel further criminal activity and allow the gangs to conduct attacks on more victims.