Ransomware victims have paid more than $25 million in ransoms over the last two years, according to a study presented today by researchers at Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. By following those payments through the blockchain and comparing them against known samples, researchers were able to build a comprehensive picture of the ransomware ecosystem.

Ransomware has become an almost unavoidable threat in recent years. Once a system is infected, the program encrypts all local files to a private key held only by the attackers, demanding thousands of dollars in bitcoin to recover the systems. It’s a destructive but profitable attack, one that’s proven particularly popular among cybercriminals. This summer, computers at San Francisco’s largest public radio station were locked up by a particularly brutal ransomware attack, forcing producers to rely on mechanical stopwatches and paper scripts in the aftermath.

A destructive but profitable attack

The study tracked 34 separate families of ransomware, with a few major strains bringing in the bulk of the profits. The data shows a ransomware strain called Locky as patient zero of the recent epidemic, spurring a huge uptick in payments when it arrived in early 2016. In the years that followed, the program would bring in more than $7 million in payments.

Crucially, Locky was the first ransomware program to keep the payment and encryption infrastructure separate from the groups distributing the malware, allowing the malware to spread farther and faster than its competitors.

“Locky’s big advantage was the decoupling of the people who maintain the ransomware from the people who are infecting machines,” says NYU professor Damon McCoy, who worked on the project. “Locky just focused on building the malware and support infrastructure. Then they had other botnets spread and distribute the malware, which were much better at that end of the business.”

Other strains soon caught on. Cerber and CryptXXX followed a similar playbook to rake in $6.9 million and $1.9 million, respectively. In each case, the number reflects total payouts made by victims, and it’s unclear how much of the money made it back to the original ransomware authors.

The same data shows ransomware authors getting smarter about avoiding antivirus software. Once a particular malware program has been identified, antivirus systems typically scan for matching binaries — an identical copy of the recovered program. But modern malware can automatically change the binary once a given strain is detected, a trick that ransomware programs have learned well. Researchers found thousands of new binaries a month associated with the Cerber ransomware, allowing it to skate past many signature-based antivirus systems.