What About GandCrab’s $2 Billion? Ransomware Operators Pocketed Only $140 Million Over Six Years, FBI Calculates

Ryuk, Dharma, Bitpaymer, SamSam and other prominent ransomware strains have generated hundreds of millions of dollars for their authors, according to calculations by the FBI. Does that mean the GandCrab gang, which doesn’t even make the FBI’s list, was lying about pocketing $2 billion before closing shop? Well, not exactly.

Over the past three years, ransomware operators have been advancing their tools and techniques not only to evade detection, but also to wring the most profit out of an attack. One such innovation is the practice of stealing the victim’s data and threatening to publish it online if payment is denied. As one would imagine, it works. In what is essentially a fully fledged data breach, ransomware that also threatens to publish stolen data is a scary affair. Most victims end up paying.

Counting every victim and every ransomware strain is difficult, but the most prolific incidents and ransomware families inevitably crop up over the years. The FBI recently decided to take a macro look and see the damage done by the most efficient and profitable ransomware strains. According to Joel DeCapua, a special agent in the bureau’s global operations and targeting unit, the tally between January 2013 and July 2019 sits at $144.35 million. If the number strikes you as suspiciously low, you’re not alone.

Speaking at the RSA Conference 2020, DeCapua said Ryuk took the lead with $61 million between February 2018 and October 2019 and Crysis/Dharma came in second at $24 million between November 2016 and November 2019. Third on the list was Bitpaymer, making $8 million between October 2017 and September 2019. SamSam, one of the most-used strains in attacks on healthcare institutions, allegedly made $6.9 million for its authors between 2016 and 2018.

$64 million of the total ransoms paid to cybercrooks is said to have passed through virtual currency exchanges before the bad guys cashed out. $37 million remains unspent, the agent said.

Avid cybersecurity news readers will probably notice something wrong with these figures – especially those keeping a close eye on the GandCrab gang in 2018 and 2019. When the infamous ransomware-as-a-service was retired, its authors claimed to have amassed $2 billion in payments from victims. Even if that number is inflated, it still should have beefed up the FBI’s tally well beyond the half-a-billion mark. So why isn’t the FBI mentioning GandCrab, arguably the most prolific ransomware strain in history?

According to ZDNet, the FBI only counted ransomware families that made demands in Bitcoin, cybercriminals’ favorite digital currency. The GandCrab guys, as some readers may remember, demanded ransom in Dash, a crypto-currency that had just made its debut in cybercrime as GandCrab was wreaking havoc. There are, of course, many other ransomware strains out there cashing in using many different altcoins, so the real bottom line in ransomware profits is arguably much higher.

DeCapua also disclosed to his RSA audience that attackers mostly favor brute-force attacks on poorly secured Remote Desktop Protocol (RDP) instances, trying easy or common passwords until they get a match. And if RDP doesn’t cut it, phishing always works like a charm to trick unsuspecting users into handing over login credentials.
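The RDP password-guessing DeCapua describes leaves a very recognizable trail in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (4624) from the same address. The script below is an added example written for this article, not code from the FBI, ZDNet or Bitdefender; it runs a sliding-window detector over a constructed, simplified rendering of such events (the five-field line format is an assumption made here, not the real EVTX layout) and flags sources whose failure count crosses a threshold, marking the ones that later logged on successfully, which is the case a responder should look at first.

```python
"""Detect RDP password-guessing bursts in (simplified) Windows Security events.

Added example, not from the article. Each constructed log line has the fields
    <ISO timestamp> <EventID> <LogonType> <SourceIP> <TargetUser>
EventID 4625 = failed logon, 4624 = successful logon;
LogonType 10 = RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): one source tries six passwords over
# RDP within two minutes and then succeeds; a second source fails twice, then
# succeeds (a normal typo); a third failure is a local (type 2) logon, not RDP.
SAMPLE_LOG = """\
2020-02-28T09:00:01 4625 10 203.0.113.7 administrator
2020-02-28T09:00:14 4625 10 203.0.113.7 administrator
2020-02-28T09:00:30 4625 10 203.0.113.7 admin
2020-02-28T09:00:45 4625 10 203.0.113.7 backup
2020-02-28T09:01:02 4625 10 203.0.113.7 administrator
2020-02-28T09:01:20 4625 10 203.0.113.7 administrator
2020-02-28T09:01:55 4624 10 203.0.113.7 administrator
2020-02-28T09:03:10 4625 10 198.51.100.2 jdoe
2020-02-28T09:03:40 4625 10 198.51.100.2 jdoe
2020-02-28T09:04:00 4624 10 198.51.100.2 jdoe
2020-02-28T09:05:00 4625 2 10.0.0.5 svc_local
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Parse one simplified event line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event_id, logon_type, src_ip, user = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"when": when, "event": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources with >= threshold RDP failures in `window`.

    Each finding records the peak number of failures seen inside the window,
    the user names tried, and whether the same source later logged on over RDP.
    """
    recent_failures = defaultdict(deque)   # src_ip -> timestamps of recent 4625s
    attempted_users = defaultdict(set)     # src_ip -> user names it failed against
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Ignore malformed lines and anything that is not an RDP logon event.
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = ev["src_ip"]
        if ev["event"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ev["when"])
            attempted_users[ip].add(ev["user"])
            # Slide the window: forget failures older than `window`.
            while q and ev["when"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"failed": 0, "users": [], "success_after_burst": False})
                f["failed"] = max(f["failed"], len(q))
                f["users"] = sorted(attempted_users[ip])
        elif ev["event"] == SUCCESS_LOGON and ip in findings:
            # A success from a source already flagged is the high-priority case.
            findings[ip]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        flag = "LOGON SUCCEEDED AFTER BURST" if f["success_after_burst"] else "failures only"
        print(f"{ip}: {f['failed']} RDP failures, users tried {f['users']} -> {flag}")
```

The threshold and window are deliberately parameters: with the defaults only 203.0.113.7 is reported, while lowering `threshold` to 2 would also surface the 198.51.100.2 typo-then-success, so tune them against your own baseline of failed RDP logons before wiring this into alerting. Exposing RDP directly to the internet is the root condition this detects; reducing it (VPN or gateway in front, account lockout, MFA) removes the signal along with the risk.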