This week marks the one-year anniversary of the launch of the NoMoreRansom project. The project comprises an alliance of law enforcement agencies and private industry, currently totaling 109 partners. Its purpose is to gather all known ransomware decryptors in one location (the NoMoreRansom website) so that ransomware victims can at least attempt to decrypt encrypted files.
The project was launched on July 25, 2016 by the Dutch National Police, Europol, McAfee and Kaspersky Lab and now holds access to 54 decryption tools provided by 9 partners and covering 104 ransomware families. The site itself is available in 26 languages.
Since its inauguration it has helped decrypt 28,000 ransomware victim devices — but, warns Europol, the threat is still escalating. “Ransomware has soared since 2012, with criminals lured by the promise of profit and ease of implementation. The threat continues to evolve, becoming stealthier and more destructive, increasingly targeting businesses more than individuals because the potential returns are much higher.”
Europol notes that WannaCry alone claimed more than 300,000 business victims across 150 countries in its first few days; and that some organizations are still struggling to recover from the NotPetya attacks of June 27. It adds, “The total number of users who encountered ransomware between April 2016 and March 2017 rose by 11.4% compared to the previous 12 months, from 2,315,931 to 2,581,026 users around the world.”
These figures demonstrate that NoMoreRansom is no solution to ransomware. It has benefited 28,000 users (and this should not be dismissed); but that figure is less than one-ninetieth of the total number of victims.
Europol recognizes this. “Prevention is no doubt better than cure. Internet users need to avoid becoming a victim in the first place. Many up-to-date prevention tips are available on www.nomoreransom.org.” Its advice remains, “If you do become a victim, it is important not to pay the ransom and to report your infection to the police.”
It is equally clear, however, that many people do pay the ransom. At Black Hat this week, researchers from Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering presented details of their own investigation into ransomware payments. They have been able to track payments through the bitcoin blockchain from the distribution sites to the cash-out points. It is hoped that law enforcement will be able to pick up the trail from there and use traditional money-tracking methods to locate the criminals.
The team tracked 34 separate ransomware families over the last two years, concluding that ransomware victims have paid out $25 million to the criminals; and that Locky alone generated $7 million. Cerber generated $6.9 million and CryptXXX generated $1.9 million.
With such figures, it is understandable that the usual ‘official’ advice from both law enforcement and security researchers is, “Don’t pay the ransom: there is no guarantee that the criminals will decrypt your files, you paint a target on your back for further attacks, and you fund the whole criminal ecosystem.”