Meet Top 15 Ransomware Families Who Got More Than 22,000 Bitcoins

Between 2013 and mid-2017, ransomware payments reached at least BTC 22,967.54, which at current prices is more than USD 160 million, a recent study of 35 ransomware families claims.


However, the study assumes that ransomware authors cashed out immediately after receiving victims’ payments, which left them with “only” USD 12.8 million in their pockets.

The study, titled “Ransomware in the Bitcoin Ecosystem”, was released by researchers who are part of TITANIUM, an international project focused on crime and terrorism involving virtual currencies and underground market transactions.

The analysis indicates there are "clear inequalities in the market, which could be considered as a top-heavy market in which only a few players are responsible for most of the ransom payments."

Below are the Top 15 ransomware families by received payments.

Source: Ransomware in the Bitcoin Ecosystem

The Locky ransomware accounts for more than 50% of the ransomware payments, and the first three families account for 86% of the market, while the other 32 families share the remaining 12%, the researchers concluded.

The study adds that the incoming transactions of 12 ransomware families range from very low payments up to USD 2,000. Three ransomware families have higher payments on average: DMALockerv3, GlobeImposter and SamSam. In January 2016, DMALockerv3 was known to ask for ransom payments of 15 BTC (which was equivalent to USD 6,491.25). The SamSam ransomware was also known to ask for ransoms based on the number of machines infected; the ransom could go from 1.7 BTC (at the time USD 4,600) to decrypt a given machine up to 12 BTC (at the time USD 32,800) to decrypt all infected machines.

“Famous ransomware campaigns are likely to be a short-term, one-time deal, in which a ransomware author makes money quickly and then stops, possibly due to various forms of security interventions,” the authors said.

Longitudinal payment trend per ransomware family:

Source: Ransomware in the Bitcoin Ecosystem

"With over 500 known ransomware families, it has become one of the dominant cybercrime threats for law enforcement, security professionals and the public," the study says. However, it concludes “that the total ransom amounts gathered through ransomware attacks are relatively low compared to the hype surrounding this issue."

The study is co-authored by Masarah Paquet-Clouston, a security researcher from Canada’s GoSecure Research, Benoît Dupont, a professor from the International Centre for Comparative Criminology of the Université de Montréal, and Bernhard Haslhofer, a Senior Scientist at the Digital Insight Lab at the Austrian Institute of Technology (AIT).

The three-year TITANIUM project, which stands for Tools for the Investigation of Transactions in Underground Markets, was launched in May 2017, and is designed to develop a range of technical solutions to support the institutions tasked with combating crime and terrorism. The international consortium was formed by 14 law enforcement partners from Austria, Germany, the Netherlands, Finland, Spain, and the UK, with the International Criminal Police Organization (INTERPOL) also on the list.

"Activities in the second year [of the project] are mainly related to a first release of software components which will be evaluated in field labs," Michael Mürling, who is responsible for marketing and communications within the Center for Digital Safety and Security of the AIT, one of the project partners, told