Ransomware attacks are bigger than ever, but the payouts appear to be shrinking. While the ransomware suspected to be a variant of Petya makes headlines around the world, whoever set it loose isn’t really making a whole lot of money, especially if they paid for the software to begin with.
At the time of writing, the Bitcoin address that today’s global attack points to has only collected 29 payments, for a total of 3.15 BTC, or $7,497. Considering the breadth of entities affected, that suggests that most victims know better than to cooperate.
TechCrunch spoke with McAfee Chief Scientist Raj Samani following the attack. He suggested that awareness campaigns against paying these kinds of cyber ransoms are having an impact.
“Twenty people have paid — my guess is most of those are security researchers,” Samani said. He cautions that paying the ransom doesn’t even mean you’ll get a decryption key back to unlock your system. With WannaCry, he notes that only an “inconsequential” number of keys were returned to victims.
Anomali Director of Security Strategy Travis Farral echoed this sentiment in a statement to TechCrunch. “Bitcoin payments currently already exceed $3,600, but it’s essential that victims understand that payment may not actually allow them to access their data, and may just fund hackers to commit further crimes.”
In spite of their scope, recent ransomware attacks don’t approach the hundreds of millions that something like 2014’s CryptoWall was able to generate. WannaCry, by comparison, has made around $150,000 to date. Samani explained that the small payments you see with something like today’s ransomware match the market for an attack like this. “Around about 200 to 400 dollars seems to be the going rate,” Samani said. “They’ve got to make it small enough because they want people to pay the ransom.”
“We saw this with WannaCry; there are so few people that are making the payments,” Samani said. “I think the message of ‘don’t pay’ seems to be getting through.”
For now, there are way more questions than answers. One possibility is that the attack looked like ransomware, but that wasn’t its main intended effect. “Was it ransomware?” Samani asked. “Well, in name, but it was destructive in nature. In this particular case, you have what is being publicized as a ransomware campaign… actually encrypting the master boot record.”
Whether or not the ransom was this attack’s intention, victims may no longer be able to pay up. As Gizmodo’s Dell Cameron reports, email host Posteo has shut down the account associated with the bitcoin ransom, meaning that there is no longer a way for victims to pay or reach their attacker.
Still, additional small payments appear to be trickling in. You can track them in real time with @petya_payments, a bot by Quartz’s Keith Collins. We’ll continue following this story as it develops.