FBI: $144 million in ransomware payments made over 6 years

SAN FRANCISCO -- How much money have victims spent making ransomware payments to threat actors? Quite a bit, according to the FBI.

Between Oct. 1, 2013 and Nov. 7, 2019, approximately $144.35 million in ransomware payments were made, according to FBI supervisory special agent Joel DeCapua at an RSA Conference 2020 session Monday.

That figure only includes bitcoin payments, but as DeCapua noted during the session, "the vast majority of ransomware proceeds are paid in bitcoin." The figure also does not quantify a party's loss or total cost of an incident -- only the ransom paid.

The session, titled "Feds Fighting Ransomware: How the FBI Investigates and How You Can Help," offered a deep dive into the FBI ransomware investigation process, including how incidents are investigated and what counts as a victory on the investigation side.

The panel featured other notable statistics as well. As for which ransomware variants raised the most money, Ryuk raised $61.26 million in ransoms over a one-year period, Crysis/Dharma raised $24.48 million in a nearly three year period, and in a significant drop-off, Bitpaymer was the third most impactful variant with $8.04 million raised in a two-year period.

DeCapua explained that, regarding where ransomware proceeds went, leading destinations included cryptocurrency exchanges, directly into the pockets of cybercriminals, and mixers, which are services used for laundering cryptocurrency.

Part of what makes ransomware so successful, DeCapua said, was the extensive economy that's been built around the malware. Malware authors design new variants of ransomware and built ransomware-as-a-service operations where they contract affiliates on hacker forums and dark web sites; the affiliates then spread the ransomware to victims and earn a percentage of the payments.

Following his presentation, DeCapua offered another element that he believes may be contributing to the ransomware economy. In an audience Q&A, an individual asked if ransomware payments should be insurable.

After some hesitation, DeCapua answered.

"No one wants to pay the ransom actors. I think a lot of companies get insurance now. They say, 'Well, if we are hit by ransomware, we are just going to defer to what our insurance company wants to do,'" he said. "They can say it wasn't their choice to pay the ransom, because like I said, no one wants to pay the ransom. So I think that because ransom payments are insurable, I think it has caused more ransoms to be paid."