The Booming Business of Ransomware

Written April 11th, 2017

Post Tags: Cyber, cybersecurity, ransomware

By Andrew Paulette

Once considered the domain of nation-state intelligence agencies, tech-savvy teenagers with too much time on their hands, and miscreants devoted to chaos and disorder, the development and deployment of malware has matured into a profitable business model – last year the cost of ransomware was estimated at $1 billion and a report sponsored by Malwarebytes estimated that more than 40% of those affected paid ransom demands.

As described in part I and part II of this series, ransomware is an ideal financial model for cyber criminals, for a number of reasons:

1.) attacks affect both the organizations attacked as well as the customers of those organizations,

2.) attacks scale well to large campaigns with many targets,

3.) attacks place the onus of payment directly on the target instead of requiring a third party interested in stolen data, and

4.) attacks increase pressure on the target by robbing them of access to their data.

Cybercriminals don’t need to be particularly tech-savvy to run these campaigns; they can enlist the aid of distributors who develop and provide ransomware as a service – a model that has given rise to a successful supply chain of hackers selling their products on the dark web for thousands of dollars. On the dark web, interested parties can run ransomware campaigns for a commission for each successfully paid ransom. It’s no wonder then, that in 2016 alone, variants of ransomware increased by 400%. With so many benefits, such easy access, and endless targets, ransomware will certainly grow in 2017 and the foreseeable future.

As with any economic market (legal or otherwise), the potential for profit will inevitably draw more competitors into the space, leading to greater competition. This growth and competition will lead to new challenges for cybercriminals looking to finance their activities. Recent attacks against unsecured, internet-accessible databases, for instance, were further complicated due to the fact that multiple organizations were attempting to collect the ransom, leaving victims unable to recover their data. This type of activity undercuts the legitimacy of the criminals and can make future victims less likely to pay the ransom. Due to the volume of cyber criminals and attacks, we can expect that future attacks will be more creative and aggressive as criminals try not only to evade arrest, but also outmaneuver their competition for a higher payout.

New and improved – the changing payment options behind ransomware

Part of ransomware’s success is in its careful calibration of the cost of the ransom. Using economic principles, cyber extortionists identify the right price for their services. Too much, and the victim may decide the data is not worth the ransom, or that it’s cheaper to recover through legitimate means like backups. Too little, and the criminal lowers his or her return on investment. This balancing act is part of the strategy behind a successful ransomware campaign.

But what if your customer only needs access to a portion of their data – perhaps only decrypting a few files? What if they can’t pay for their data, but will agree to an alternative arrangement? While ransomware continues to evolve, so too do the payment options – allowing cyber criminals to capture a larger share of potential profits. The “Spora” strain, for example, includes payment options to entice users to make a partial payment if they do not need all of their files restored. Payment options range from decrypting two files for free, to the decryption of all files, removal of the malware, immunity against future attacks, or all of the above for varying prices. Criminals also consider the users’ expected geographic location to estimate how much that individual can realistically pay based on their region’s economic prosperity.

But what if a victim can’t pay the ransom at any price, even with the payment options? Criminals may offer yet another alternative – having the victim spread the ransomware on the attacker’s behalf. Especially nefarious, this technique essentially enlists the victim into a sort of pyramid scheme, opening new avenues of infection against traditionally more vigilant targets. This technique is used in the Popcorn Time strain of ransomware, which allows its victims to recover their files for free if they infect two more targets.

In part IV of this series, we will explore the evolution of the ransomware business, entrepreneurial cybercriminals, and even how market pressures affect the booming business of ransomware. Be sure to follow us on Twitter @NetCentricsCorp to hear about the next installment in this series on ransomware.