Slide from research presented at Black Hat 2017

Research presented yesterday at the Black Hat USA 2017 security conference revealed that Bitcoin trading platform BTC-e is responsible for cashing out 95% of all ransomware payments made since the start of 2014.

The presented data was the result of a collaboration between Google (owner of VirusTotal), blockchain analyst firm Chainalysis, and researchers from the University of California, San Diego, and New York University.

Researchers analyzed 34 ransomware families

The project, named "Tracking Ransomware End to End" analyzed 34 ransomware families based on an initial dataset of 154,227 ransomware binaries, which was later expanded with 147,361 files to a total of 301,588 binaries. (Owning VirusTotal has its perks.)

Researchers wrote scripts that analyzed each binary, extracted payment site and/or Bitcoin wallet addresses, and passed the data to Chainalysis experts who then tracked if Bitcoin moved through those wallets, and where it went.

Because of the huge dataset of ransomware binaries, the research project was able to create a big picture on the number of ransomware payments made during the past three and a half years, and how these payments evolved across time.

Earnings per month

By far 2016 was ransomware's most lucrative year. Monthly ransom payments surpassed $1 million, and even went above $2 million in two other months.

This meteoric rise can be attributed to two families alone, Locky and Cerber, both who appeared in 2016.

While Locky's success can be explained by close ties to Necurs — today's largest spam botnet — Cerber's success is in its thriving RaaS service that allows lesser technical crooks to rent fully-functional ransomware binaries without having any coding knowledge.

Locky gang made the most money

According to Google's research, the Locky crew made around $7.8 million, while the Cerber group was a close second with $6.9 million. The CryptoLocker gang was in a distant third, with only $2.0 million in estimated revenue.

Earnings per ransomware family

The research project's biggest discovery was that the Bitcoin funds obtained from coercing ransom payments were eventually converted into real-world (fiat) currency.

The exit point for 95% of all the Bitcoin ransom payments were wallets hosted by BTC-e, a Bitcoin trading platform headquartered in Russia.

A day before the research team's presentation, Greek police arrested BTC-e's owner based on an international warrant issued by US authorities.

The US accused BTC-e's owner of aiding ransomware operators cash out ransom payments, but also accused him of laundering Bitcoin funds stolen from other Bitcoin trading platforms such as Mt. Gox, Bitcoinica, Bitfloor, and others. You can find out more details about the arrest in our article here. The research's findings are available here.