How much money ransomware has made (and how to stop it)

History of ransomware

It feels like ransomware has been around for forever. We’ve seen it wreak havoc on some of the biggest companies in the world. The private and public sectors have lost millions –not just to cyber criminals, but also in fixing the wreckage after. Ransomware has exploded due to the rise in cryptocurrencies. Cyber criminals can now demand payments that are untraceable.

The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as…

“a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.

Ransomware can be devastating to an individual or an organisation. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.”

If you’re hit by ransomware, it can be bad news. The fate of your business could depend on the integrity of cyber criminals. What is the history of ransomware, and how much damage has each strain caused?

At the end, we list the 6 most effective ways to prevent a ransomware attack.

CryptoLocker (2013)

CryptoLocker was spread by the Gameover ZeuS botnet. It searches your computer for files to encrypt – including on external hard drives and in the cloud.

CryptoLocker infected over 500,000 machines for a ransom of $300 or €300. Its most common method of infection was via email attachments – often in innocuous looking documents labelled .pdf, .doc etc.

Total money stolen: $3,000,000

Cerber (2016)

Cerber is the best example of a sinister practice - ransomware as a service.

Developers build the malware and sell the ‘kits’ on the dark web to would-be cybercriminals. You don’t need any technical skills to launch the attack. The developers of the ransomware then get a cut (normally 40%) of any takings.

Cerber works without an internet connection – so even unplugging your PC can’t save you.

Total money stolen: $6,900,000

Locky (2016)

Locky was the big money-maker. Like CryptoLocker, it arrived via a malicious email attachment (a Word doc with a macro Trojan). Once clicked, the malware uses social engineering, conning the user to enable macros. This opens a binary file that downloads Locky onto the PC.

Aside from the usual advice of “patch”, “update anti-virus and anti-spam” and “educate your users”, it reminds us of another fundamental lesson – “disable macros”.

Total money stolen: $7,800,000

WannaCry (2017)

WannaCry spread through the EternalBlue exploit and DoublePulsar backdoor implant tool.

EternalBlue exploited a vulnerability in the Server Message Block protocol for Microsoft systems. First developed by the NSA, it was leaked by the hacking group, the Shadow Brokers.

WannaCry is a “worm” because it automatically spreads itself around the network.

WannaCry famously had a built-in “killswitch”. The ransomware would check a particular URL before acting. As long as the domain was unregistered and inactive, it would continue. British security researcher (and hacker) Marcus Hutchins spotted it and registered the domain - effectively shutting down WannaCry.

Notable victims included The NHS, Nissan and Telefónica.

Total money stolen: $140,000

NotPetya (2017)

Like WannaCry, NotPetya used the EternalBlue exploit. It earned a relatively paltry $10,000 because paying the ransom didn’t return data to the victims.

It’s aim wasn’t to make money – it was destruction. The White House estimates the cost was more than $10 billion in damages. It was most likely an act of cyberwarfare, against the Ukraine by Russia.

Notable victims include Maersk, WPP and Merck & Co.

Total money stolen: $10,000

Thanatos (2018)

Although it didn't earn much, Thanatos is an interesting ransomware case for two reasons:

1. In addition to being distributed by email, it also spread via Discord - the voice and text chat app for online gamers.

2. Unlike most ransomware, Thanatos didn’t demand payment in Bitcoin. Instead, it used less common cryptocurrencies, including Bitcoin Cash, Zcash and Ethereum.

Total money stolen: $720

Ryuk (2018)

Ryuk was derived from the Hermes source code. Hermes is available for sale on forums as a commodity for mass-scale attacks.

Ryuk ransomware targets large enterprises for big ransom payments. It spreads through botnets, such as TrickBot and Emotet. These can then launch malspam campaigns of their own to other networks.

Notable victims included Mitsubishi Aerospace, Data Resolution and Tribune Publishing.

Total money stolen: $3,700,000

There is and will be a constant tug of war between cyber criminals and cyber security. For every day internet users (individual or businesses), follow these 6 rules to minimise the chances of falling prey to ransomware.

1. Patch and update your systems
2. Use anti-virus and anti-spam software
3. Don’t click links or open attachments from unsolicited emails and unknown senders
4. Don’t enable macros from email attachments
5. Restrict user permissions to install and run software
6. Backup your data!

Click here to see the original infographic.

Visit us:


Databarracks Ltd
1 Bridges Court
SW11 3BB

Get in touch:

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.