That’s the amount people and companies have paid out when their files have been locked up, say researchers.

What’s cooler than a million dollars? A billion dollars. The rise of ransomware has been quantified throughout the last year by Group-IB, a global threat hunting and intelligence company, and it seems cybercriminals are rolling in it.

Throughout the second half of 2019 and the first half of 2020, there has been an “unprecedented surge” in ransomware attacks, say Group-IB. They’ve recorded more than 500 successful attacks against everyone from small companies to large government agencies. What’s more, the amount gained by criminals by locking up files is significant: a conservative estimate by Group-IB sets the amount raised through such attacks at $1 billion.

“The most severe financial damage has been detected as a result of ransomware activity,” say the threat hunters. “The past year, a painful period for the world’s economy, culminated in the spike of cybercrime and was marked by the rise of underground market for selling access to corporate networks and over 2-fold growth of the carding market.”

The United States bears the brunt of attacks

The United States has been unluckiest – or unsafest, depending on your point of view. Group-IB say the country was hit with a ransomware “plague” in the last 12 months, accounting for six in 10 of every single ransomware incident recorded. European countries followed up next with a further 20% of attacks.

The types of companies attacked varied: the top five victims by sector included manufacturing, retail, state agencies, healthcare and construction.

Most of them were attacked by organised gangs. Maze and REvil are two of the biggest proponents of ransomware strains, accounting between the two of them for more than 50% of all successful attacks launched. 

And who’s attacking has changed, too. “The ransomware pandemic was triggered by the active development of private and public affiliate programs bringing together ransomware operators and cybercriminals involved in compromising corporate networks,” reckon Group-IB, who believe the arrangement is far more intricate than many may think.

Taking cuts and receiving change

“Ransomware operators buy this access and then encrypt devices on the network; after receiving a ransom from the victim, they pay out a fixed rate to their partners under the affiliate program,” they add.

There’s also been a concerning shift in the way that ransomware attackers operate. They’re no longer as trusting of their victims as they once were – perhaps a response to the way in which people have been told under no circumstances to pay up if they’re ensnared in a trap. 

“In late 2019, operators of ransomware adopted a new technique and started downloading all the information from a victim organization to then blackmail them to increase the chances of ransom being paid.”

say the researchers.

“Maze, who allegedly called it quits not long ago, pioneered the tactic of publishing victims’ sensitive data as leverage to extort money,” they add. “If a victim refuses to pay ransom, they risk not only losing all the data but having it leaked. In June 2020, REvil started auctioning the stolen data.”

It all makes for a concerning situation, and a worrying place to be as a potential victim, trying to navigate the complicated digital world without falling foul of someone ensnaring you in a ransomware trap. 

One of the key ways to avoid ransomware is to avoid phishing scams: however, the issue is that here too cybercriminals have upped their game. “Since the start of the year, there has been a rise in advanced social engineering, namely when multi-stage scenarios are used in a phishing attack,” say Group-IB. 

“As part of such increasingly popular phishing schemes, threat actors first stake out the victim: they establish contact with the target individual (e.g., through a messenger), create an atmosphere of trust, and only then do they direct the victim to a phishing page.”