Written by Patrick Howell O'Neill

Ransomware payments in 2017 will hit a record $2 billion, according to new research from the cybersecurity firm Bitdefender.

That figure would make 2017 the most costly year ever for ransomware, doubling the $1 billion paid out by ransomware victims in 2016 and skyrocketing above the $24 million paid in 2015. The upward trend will likely continue into 2018 as malware becomes more sophisticated and difficult to stop.

Exacerbating the problem is the amount attributed to total damage, which exceeds $5 billion, according to Cybersecurity Ventures. The NotPetya attacks alone caused over $310 million in damages to U.S. pharmaceutical giant Merck, a $300 million loss for the courier firm FedEx and a $200 million loss for the shipping firm Maersk.

The average ransomware demand is up to $1,000, a 266 percent rise from 2016. The spike is credited to more victims paying up, including many businesses that privately pay five-figure ransoms. Only 47 percent of victims who pay the ransom ever recover any files.

As profits continue to grow, so will iterations of the malware. Ransomware strains including Troldesh and GlobeImposter have code showing the developers are likely beta testing use of the GPU, instead of the CPU, to encrypt a target’s computer. That means the attack will unfold hundreds of times faster than previously seen, making it increasingly difficult for antimalware tools to catch and block the spreading ransomware.

“Usually encrypting 20 gigabytes of files takes a lot of time,” Bogdan Botezatu, senior threat analyst at Bitdefender, told CyberScoop. “Between the moment encryption starts and finishes, the user can see the tell-tale signs like files not being available. Those victims can shut down the computer and restart in recovery mode to prevent the ransomware from going further. If the attackers expedite the infection, users wouldn’t be able to save anything. They will have to pay up.”

By design, GPUs handle bigger tasks — like encryption — better than CPUs, which is why most cryptocurrency mining happens on GPUs. Additionally, by offloading the encryption process to the GPU, the malware uses new APIs that go unmonitored by many security solutions.

Finally, experts are seeing a rise in malware that can morph in order to avoid detection. More commonly known as P-polymorphism, the process is already being weaponized by hackers. Some of the best polymorphic engines, like that seen in Qbot malware, can be offered as a rentable service on the black market in the way that other criminal services are sold.

“Qbot has a polymorphic engine that’s really, really good,” Botezatu said. “It operates in the cloud and employs tricks that give it a head start compared to other engines. It’s very difficult to train machine learning models to intercept all the models used by this engine. We’re having a very, very difficult time fending off malware packed with this engine.”

Bitdefender’s $2 billion estimate builds on work by the FBI, which first estimated that ransomware crossed the $1 billion threshold in 2016. Telemetry from Bitdefender, whose security products are used by 500 million customers, has shown ransomware activity rising rapidly beyond the FBI’s estimates.

“We monitored the amount of ransomware we see this year,” Botezatu explained. “We took into account about a ten percent conversion rate. If ten percent of people convert from ransom to paid, these hackers should be making about $2 billion.”

That number might be significantly higher. A total of 34 percent of global ransomware victims pay the hackers, according to research by Norton. That number nearly doubles to 64 percent for U.S. victims, which is why the country is the single largest target for these attacks.

Botezatu emphasized that the $2 billion number is merely an estimate and that most ransomware attacks go unreported, either because victims want to keep the security breach a secret or they think reporting is pointless.

Bitdefender’s new global threat landscape report said ransomware is by far the most frequently encountered threat currently facing internet users. As the number of malware families explodes to over 160 distinct groups, one in six spam emails includes ransomware either in attachments or links.

That finding echoed a recent Europol report saying ransomware is far and away the cybercriminal weapon of choice for 2017.

“Ransomware has eclipsed most other cyberthreats with global campaigns indiscriminately affecting victims across multiple industries in both the public and private sectors,” Europol’s researchers wrote in the 2017 Internet Organised Crime Threat Assessment. “Some attacks have targeted and affected critical national infrastructures at levels that could endanger lives. These attacks have highlighted how connectivity, poor digital hygiene standards and security practices can allow such a threat to quickly spread and expand the attack vector.”