To say ransomware is on the rise would be an understatement. From 2015 to 2016, attacks spiked 6000% according to this article citing IBM. The reason for this explosive growth is simple – ransomware has one of the best business models in the game today.
When ransomware encrypts its target files it in effect “steals” them, rendering them inaccessible. Normally data theft is the creation of a copy that then needs to be sold to a third party, but in this case no information actually goes missing. By locking a target out of their data, ransomware “steals” the data and then sells it to a marketplace of exactly one – the target themselves. This is a key element to the success and growth of ransomware. It reduces the effort needed to profit from an attack.
Why does ransomware work?
There is minimal barrier to entry
An experienced programmer or team of programmers can put together a ransomware product in relatively short order, provided they also have a means to break into a system. Alternatively, some hackers have created ransomware as a service (RaaS) operations, providing the means to extort others for incredibly low prices. According to this article on Threatpost, buying and using ransomware can cost between $39 and $3,000 for a lifetime license to the code. Considering that the most recent WannaCry outbreak charged $300 minimum for unlocking your data, there’s a huge potential for upside if you can infect even just a few computers.
Difficult to trace payment – Bitcoin and other cryptocurrency
With cash flow being the lifeblood and main draw of executing ransomware attacks, a clean and untraceable way to wire money is essential for a safe operation. Services such as Bitcoin allow for an anonymized payment system that can reliably be turned into untraceable cash or hard-to-follow money transfers. While Bitcoin is certainly striving to be a legitimate currency, it is to ransomware as PayPal is to eBay: a smooth way for money to flow. While the typical Internet user isn’t Bitcoin savvy, the ransomware can provide a link to an exchange where bitcoins can be bought by entering a credit card number.
Markets and prospects are well-defined – revenue easily modeled
Anyone who uses the internet and stores data on their computers is a potential “customer” for ransomware. Everyone has data they want to keep. The only barrier is the price being asked, which is often low enough to ensure that payment is considered a viable (but unpalatable) option.
Similarly, any company or individual whose network is infected becomes a prospect, making it easy to model out potential revenues and profit based on the number of infected prospects and the percentage that will be willing to pay. By offering “stolen” data back to the original owner, a ransomware provider has instantly created a uniquely superior and highly-targeted product.
There isn’t much in the way of customer satisfaction to worry about when running a ransomware operation. Most of the overhead that other businesses run into is mitigated or nullified by both the simplicity and illegality of ransomware software. A ransomware operation doesn’t need to run customer support, doesn’t require marketing or PR and certainly doesn’t need salespeople.
That said, it is surprising what efforts hackers borrow to make their targeting and payment processes as sophisticated as commercial operations. This includes geo and language targeting, well-designed usability for their ransomware, and clearly written calls to action with supporting documentation and FAQs. It is almost like a “real” business. One thing they do need is easy access to email lists for phishing, but these are readily available on the black market, and tools exist that guess common email addresses using recognized patterns like “email@example.com”. Remember that you don’t have to get it right every time since the cost to send an email is very low.
There are better career choices that don't involve going to jail
At the end of the day, a ransomware operator is setting up a business that has low overhead, an established and growing market, little barrier to entry and an easily identifiable prospect list: everything an enterprising entrepreneur would jump at. Before you consider it, look at SecurityWeek’s article on how well paid these similar (but legit) career options are without the risk of jail time.
If you are concerned about ransomware affecting you or your business, the Internet Society has put out some good guidelines on how to protect yourself. For corporate protection, CIRA offers our D-Zone DNS Firewall service, which helps to block ransomware from its source. Read more about it on our website.