But how many are successful, in the sense that they net the people behind the attack the money they are seeking? This is not easy to compute, as different attack groups take different approaches.
In general, actors behind an attack first gain entry to a system, exfiltrate the data — to be used as an extra bargaining chip later — and encrypt the files on the system. A ransom note is then generated and the attackers wait for the victim to respond.
At times, the victim responds speedily and then there is no way any security firm that looks for these kinds of attacks will ever know, not unless the victim makes it public. It is more common for a victim who pays a ransom to stay mum.
If the victim responds at this stage, then the attackers remove those screenshots and nobody would be any the wiser. Security researchers would notice only if they happen to be monitoring the sites in question very often.
Brett Callow, ransomware researcher at New Zealand-based security outfit Emsisoft, said it depended on how one defined success, as some groups may have a lower conversion rate but extract more per victim, and vice versa.
"Also, keep in mind that the groups which publish the most may not be the most active nor the most successful," he told iTWire. "There’s no set formula for calculating a ransom demand, and some groups likely aim higher than others.
"That means they may get paid more when they’re successful, but that they’re successful less frequently than groups which make lower demands. In other words, the groups which publish most could be the least successful. Maybe. Or maybe not. Who knows?"
Chester Wisniewski, principal research scientist at Sophos, said in recent months, the ransomware ecosystem had split into two distinct types of threat actor.
"The first are focused on ransomware-as-a-service tools to provide to unskilled attackers and are either charging for the toolset or taking a commission on every ransom payment," he said in response to a query. "They primarily target individuals and small businesses where the barrier to entry is very, very low.
"The second are the ones going after the multi-million-dollar ransoms of enterprise-size victims. These attackers usually work in small groups of uniquely skilled individuals and often at least one of them has similar talents as a very advanced penetration tester.
"This set of attackers have been seen demanding upwards of US$10 million (A$14.25 million)."
Callow said the strategies varied from group to group. "NetWalker posts a couple of screenshots fairly quickly, but delists if/when the company comes to the negotiating table," he said. "Mespinoza, on the other hand, seems not to publish until they deem the case a lost cause. So NetWalker's victims are perhaps a little more visible."
He said Emsisoft had used a figure of a 33% success rate in a country-by-country analysis of attacks. "That seems like a reasonable middle ground, as other research claims either a higher or lower number.
"In many ways, this highlights the problem of information being held in pockets with each company producing stats that are based on its own client base - enterprises or SMBs, insured or uninsured, Europe or Australia, etc."
Callow said STOP accounted for more than half the submissions to ID Ransomware, a site to which one can upload a ransom note and/or a sample encrypted file to identify the ransomware that had been used to carry out the encryption.
STOP was spread only through pirated software, so any anti-virus firm would list a low percentage for STOP, as people who used pirated software were unlikely to use any anti-virus products.
Callow said he was not criticising any anti-virus firm. "Our data likely suffers from similar biases at times," he pointed out. "It's just an example of how companies' users/audiences can result in distorted stats."
Wisniewski said as the second set of attackers had moved to very high ransom demands, most of them had also moved into extortion over disclosure of stolen data to try to apply additional pressure on victims.
"There is no evidence I have seen that this has had much impact, but anecdotally it seems about half or more of victims are paying these high ransom demands," he said.
"Some of this has been fuelled by 'ransom negotiators' as well as insurance companies. This is likely why the US Department of the Treasury has hinted that paying ransoms may be illegal and they are looking to enforce these rules against facilitators as well as victims."
iTWire also contacted Russian security firm Kaspersky for its take on this topic, but a company spokesperson said it had no information to offer.