Over the last few years there has been an explosion in ransomware attacks, and the latest analysis shows the crooks are banking some serious Bitcoin.

An analysis by F-Secure's chief research officer Mikko Hyppönen of a Bitcoin wallet used by Cryptolocker shows the operators are moving millions of dollars of virtual currency around, which they have gained from extorting users by encrypting their files.

"That's a nice amount of money and tax free too," he told The Register. "It got me thinking; we have 'unicorn' private companies worth over a billion dollars with no revenues. Now there could be criminal gangs with better valuations – it's possible and pretty weird."

Cryptolocker's revenues aren't that hard to estimate, since the software only uses a couple of Bitcoin wallets to collect ransoms. In this case the operators moved over 5,200 Bitcoins through the wallet – or around $2.2m in real money. That's better profits than a host of unicorns, not to mention dying behemoths like Yahoo!

According to research by the Cyber Threat Alliance (CTA), ransomware operators running rival CryptoWall code have pulled in around $325m over the last three years. To date there have been few arrests of ransomware operators, leading the US to offer bounties of up to $3m for capturing the perps.

The dramatic increase in ransomware is almost totally down to the invention of Bitcoin, he said. Rather than infecting computers and trying to siphon off online banking funds via money mules, or renting pwned systems to a botnet, criminals can get an instant return on investment with ransomware and are structuring themselves like traditional businesses.

"These gangs refer to their victims as 'customers' and, once they have paid the ransom, will work actively to make sure the files are decrypted successfully," he explained. "They want the reputation of being reliable because it encourages people to pay up if they want their files back."

In the case of Cryptolocker and Cryptowall, the operators wrote their own code and haven't shared it, but we are now seeing ransomware becoming commercially available online from dark markets for anyone to use.

"Take CTB locker for example; that's a franchise. One group of guys wrote it, but didn't infect anyone with it because that would be illegal," Hyppönen said sarcastically. "Instead they sell the kit to others to do that." ®