A recent study co-authored by NYU Assistant Professor of Computer Science and Engineering at the Tandon School of Engineering Damon McCoy found that ransomware — a type of computer software which encrypts users’ files and does not return them unless payment has been made — has generated approximately $16 million from over 20,000 victims of the cyber attacks throughout the two years the study was conducted.
Ransomware has spread rapidly in frequency and in effect. An extortionist even used ransomware to hold Atlanta local government’s computer systems hostage last month.
McCoy conducted the study alongside nine additional co-authors from NYU; the University of California, San Diego; Google; and cryptocurrency intelligence company Chainalysis.
The authors were able to reach several key conclusions. They found that users in South Korea are affected by ransomware on an unusually large scale, for example. The team also discovered that the cyber criminals behind the attacks often used a Russian Bitcoin exchange, BTC-E, to convert the Bitcoin payments to legal currencies.
McCoy and his team began their research over two years ago to get a better sense of just how pervasive these attacks are.
“There’s a lot of security companies throwing around these huge numbers, like billions of dollars in ransomware, but they didn’t provide any methodology as to how they were arriving at these huge numbers,” McCoy said. “So, we kind of wanted to get it from an academic standpoint.”
The study included techniques for scanning the web to find self-reported victims, who will sometimes post online the Bitcoin address to which they sent the ransom. Part of the research even included simulating an actual transaction between the cyber criminal and the victim.
“We did not do a full ransom payment because we didn’t want to pay them lots of money, but we would give them a few cents into a ransom address,” McCoy said. “By us paying this few cents, our few cents gets aggregated with payments from actual victims. And then we’re able to find the actual victim payments from the ransomware. It’s almost like kind of squirting a tiny bit of ink or something into the flow of money.”
Tandon master’s student Maxwell Aliapoulios, one of the paper’s co-authors, said the team looked to a few key signs to determine within a margin of error if a transaction was conducted by a ransomware victim or not.
“We had a giant transaction set and we wanted to establish filters like, if they paid this amount and the payment was coming from an exchange, then we were confident by this filter that it was a victim,” Aliapoulios said. “So that would help us with preserving confidence when we made the final statistical descriptions of the variant by saying they made this much money or they were active during this time, that type of stuff.”
Some filters used on the data include where payments originate from, such as a Bitcoin exchange or a deep web market — an illegal online marketplace not accessible using regular internet browsers. Other filters even pinpointed the payment installments.
“For some species of ransomware, they always ask for increments of like one Bitcoin or two Bitcoins, so we used that type of information to say that if someone’s paying exactly one Bitcoin or one Bitcoin and a couple standard deviations away from one Bitcoin, then we can be confident that because of the amount paid that transaction is more likely to be a victim than someone who paid, say, 0.67 Bitcoin,” he continued.
With the rise of cryptocurrencies like Bitcoin, McCoy speculates that ransomware attacks, which thrive off of such difficult-to-trace payments, could become more of a threat to internet users.
“A hypothesis could be that as Bitcoin becomes more usable, then that might increase the conversion of victims to paying customers of these ransomware operations,” McCoy said. “It gets kind of scary because in the ransomware, people begin earning more revenue, they’re likely going to sink some of that revenue basically back into their business of ransomware. It’s going to allow them to infect more people and it kind of perpetuates the vicious cycle.”
Though ransomware is prolific, research on it has struggled to keep up.
“It’s not just like anyone in their apartment is making a type of ransomware and starts affecting people,” Aliapoulios said. “This is like a giant organization that is making a lot of money. So it’s kind of like cat-and-mouse, especially with cryptocurrency and cybercriminal stuff.”
As the growth of ransomware outpaces research on the topic, it seems anyone could potentially be at risk. Wagner student Lindsey Frey weighed in.
“Everyone uses the internet everyday, so anytime you click on something, you have to be cautious,” Frey said. “That affects pretty much anyone who uses a computer.”
McCoy hopes to do further research on the complicated world of cyber crime and online payment systems, but in the meantime he has some simple advice to help people avoid losing their files to ransomware.
“Backup your files,” he said.
Email Sarah Jackson at [email protected]