Ransomware: The Business and How They Are Crushing It

Illegal, crippling, threatening, malicious – words many may use to describe ransomware and the effect it is having on businesses across the globe. Booming? Thriving? Successful? While these descriptors may not always make the list, they are just as true.

Before we dive into how this aspect of cybercrime is growing into an industry in and of itself, let’s take a look at the nature of the beast.

Ransomware by definition is malware planted illegally on a computer or mobile device that disables its operation or access to its data until the owner or operator pays to regain control or access. The first ransomware attack came on the scene in 1989 via 20,000 floppy disks which were distributed claiming to house programs for AIDS research. After 90 machine reboots the ransomware was triggered and demanded $189 per machine to regain access; this attack became known as the AIDS Trojan. Since this first attack, the malware and the demands have flourished in terms of sophistication and devastation.

So how has this form of cybercrime grown from a nuisance into the “thriving business” it is today?

A Booming “Economy”

Determining the total size of the ransomware economy is tricky – several entities report how many attacks take place in a year, but there is a lot of variation among sources. This may be because of the different philosophies around how to handle ransomware. The FBI is very direct in advising against ransom payment, and instead recommends restoring from backups so as not to embolden the criminals behind the attack. This stance may negatively impact the number of cases reported to the FBI. For example, in 2017, the FBI recorded only 1,783 cases of ransomware.

In the private sector, the stance of never paying ransoms is not that simple. If businesses are attacked and do not have sufficient backups to restore from, they are essentially dead in the water. IBM reported that approximately 40% of businesses are deciding to pursue ransomware payment for decryption. For many business leaders, paying the ransom will result in a smaller financial loss when compared to the loss of downtime. Datto found that small- and medium-size businesses lost more than $8,500 per hour of downtime during a ransomware attack.

Further, the estimated costs to businesses because of ransomware imply that the number of ransomware attacks is much higher than the FBI's count. Publisher Cybersecurity Ventures estimated that ransomware damages would cost $5 billion across the globe, a fifteen-fold increase from the $325 million they cited in 2015. Further yet, Cybersecurity Ventures projects ransomware attacks to take place every 14 seconds with total costs amounting to $11.5 billion in 2019.

Another private sector estimation comes from Carbon Black, which conducted its own research and reported large, yet different, numbers. “Comparing 2016 vs. 2017 YTD, the ransomware marketplace on the dark web has grown from $249,287.05 to $6,237,248.90, a growth rate of 2,502%. This economy extorts, according to the FBI, ransom payments that totaled about $1B in 2016, up from $24M in 2015.” 2018 and what we’ve experienced so far in 2019 tell us that those figures continue to rise.

If we look into the crystal ball, which Cybersecurity Ventures has done, cybercrime, including ransomware, is estimated to cost the world $6 trillion per year by 2021.

The bottom line? The exact numbers may differ but the threat is real and criminals are striking while the iron is hot.

Rapid and Stealthy Cashflow

“Back in the day” ransomware attacks may have demanded an amount of money from the victim in the form of bank transfer or prepaid gift cards. While ransomware attacks have been on the scene for nearly 30 years, a lot changed with the emergence of Bitcoin.

Rather than a traceable bank transfer, or waiting for a prepaid gift card, “ransomers” as our crew calls them, automate the process, which cuts down on time and eliminates any “middle-man.” Bitcoin wallets are anonymous, with the only information shown to the victim or observers of the Blockchain being a long, complex string of letters and numbers. Bitcoin transactions are also irreversible, so once a ransom is paid, there is no way to refund or reverse the transfer.

There is also an element of irony when it comes to the success of ransomware operations. The fact is that the very mechanisms that protect your privacy and anonymity on the web, cryptocurrency and VPNs, are go-to tools for ransomware attackers to cover their tracks. Their usage makes communication and payments involved in a ransomware attack incredibly difficult to trace.

Insane Profit Margins

So how is it growing so quickly and substantially? There are several reasons, one of which is how easy it is for cybercriminals to obtain a ransomware toolkit. Carbon Black estimates more than 6,300 dark web marketplaces pushing upwards of 45,000 ransomware product listings. Gone are the days of cybercriminals writing their own malware. Instead, they purchase hard-to-crack, off-the-shelf bundles that require little to no technical background to deploy. Carbon Black found that the prices for these bundles range from $0.50 to $3,000, with the median at $10.50.

With the average ransom amount up to over $12,000 (according to cases Coveware has worked on), the profit margin (based on Carbon Black’s research above) is at a minimum of 75%, a margin which many business leaders would be ecstatic about.

Similar to the conventional marketplace, some strains of ransomware have higher price tags. Ryuk, for example, demands a notoriously higher ransom, with the average ransom paid to decrypt Ryuk ransomware landing at over $240,000. That amount is still a drop in the bucket compared to some of the highest ransom payments recorded. Beazley, a cyber insurance carrier, reported the largest ransom payment by their insureds was just under $1 million.

“Attentive” Customer Service

One of the most shocking factors within the ransomware “business” is, for lack of a better term, the customer service mentality in place. Negotiating ransom amounts and obtaining decryptors follows the same model as a customer service help desk – upon emailing the address given in the ransom notice, “customer service” reps walk you through the process. When negotiating ransom amounts it is common for the point-of-contact to say he or she needs to check with the manager for approval of a lesser ransom. Some ransomware operations even have an instant chat feature for convenience and efficiency.

Once the ransom is paid and the victim gets the decryptor, the real kicker is when these operations offer “cybersecurity” services to help victims avoid this type of attack moving forward.

Email correspondence with entity behind ransomware attack

In this correspondence, the ransomware operation offers network security advice and offers troubleshooting with the decryption using the shorthand of “of course.”

Relentless “Business Development”

When you have secured a customer, it’s natural to evaluate if and how you can turn that customer into another. Ransomware attackers are doing the same thing through what’s known as “island hopping” which is when attackers infiltrate smaller vendors of larger organizations with the intent to spread throughout the supply chain. When attackers set their sights on large, high-revenue companies, they may attack smaller (and potentially less secure) vendors trusted by the large company such as HR, marketing or similar vendors. We saw this tactic in the large Target breach in 2013 when attackers first compromised their HVAC vendor and stole credentials to then access Target’s systems, leaving 40 million customers compromised.

Another alarming trend is attacks against IT Managed Service Providers (MSPs). These trusted providers often have open access to the critical networks, services, and systems of their remote customers. Once an MSP is compromised, the attackers move on to all of its customers, and often attack backup mechanisms as well to prevent easy recovery by the affected victims.

Fierce “protection” of intellectual property

The main objective of businesses with a successful product or model is to protect what they’ve built. This may be through filing patents, trademarks, or leaking dummy campaign information to throw competitors off the scent. Some ransomware operations cover their tracks through the destruction of logs – vitally important information for incident response teams to evaluate the extent and process of an attack.

An Unforgettable User Experience

Businesses strive to be memorable, whether it’s through an exemplary product, outstanding support, or just a catchy ad campaign. Ransomware operators may not strive for that status, but they are achieving it regardless. A ransomware attack can bring a business to its knees, costing thousands, if not millions, in lost productivity and reputation management.

It Doesn’t Need to Be This Way

Though ransomware has grown into a thriving business, there are many ways to avoid the devastating fallout many of its victims experience.

These three basic protections can really reduce your risk of an attack in the first place:

  • Use complex, unpredictable passwords in conjunction with multi-factor authentication
  • Train employees to spot even the most sophisticated phishing campaigns
  • Patch and update your systems regularly

If you do fall victim to a ransomware attack, your backups should be your best friend. The key is configuring your backups in such a way that the ransomware cannot affect them. We recommend using a backup client with separate and complex login credentials. The backup client should then backup to Network-Attached Storage which should then sync to a third-party cloud with again, separate and complex credentials.
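The credential separation described above is easy to state and easy to get wrong in practice. The following added example (not code from the original post) audits a client → NAS → cloud backup chain for reused accounts, reused passwords and weak passwords; the configuration fields, the complexity threshold and the sample credentials are all constructed for this example, not any vendor's schema.

```python
"""Added example: audit a three-tier backup chain for credential isolation.
Field names, the MIN_LENGTH policy and all sample credentials are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Credential:
    username: str
    password: str

MIN_LENGTH = 14  # assumed policy threshold for a "complex" password

def is_complex(password: str) -> bool:
    """Length plus at least three of: lower, upper, digit, symbol."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= MIN_LENGTH and classes >= 3

def audit_chain(workstation: Credential, chain: Dict[str, Credential]) -> List[str]:
    """Return findings for a chain keyed 'client', 'nas', 'cloud' (in that order).
    Any password or account shared with the workstation, or between tiers, means a
    ransomware operator on the workstation can reach every copy of the backups."""
    findings: List[str] = []
    for tier in ("client", "nas", "cloud"):
        if tier not in chain:
            findings.append(f"{tier}: missing tier in backup chain")
    seen = {"workstation": workstation}
    for tier, cred in chain.items():
        if not is_complex(cred.password):
            findings.append(f"{tier}: password does not meet complexity policy")
        for other, prev in seen.items():
            if cred.password == prev.password:
                findings.append(f"{tier}: password reused from {other}")
            if cred.username == prev.username:
                findings.append(f"{tier}: username reused from {other}")
        seen[tier] = cred
    return findings

# Constructed sample configurations: a weak chain and its hardened counterpart.
WORKSTATION = Credential("corp\\jdoe", "Winter2019!")
WEAK_CHAIN = {
    "client": Credential("corp\\jdoe", "Winter2019!"),         # runs as the user's own account
    "nas": Credential("backup", "Winter2019!"),                 # same password again
    "cloud": Credential("backup", "Sync-To-Cloud-2019-Q3#xk"),  # same account name as the NAS
}
HARDENED_CHAIN = {
    "client": Credential("svc-backup-client", "rW8#kLp2!vQz9mTb4"),
    "nas": Credential("svc-backup-nas", "Hn5$zXq7@Lm3pVc8yR"),
    "cloud": Credential("svc-backup-cloud", "Tg2&bNd6!Wk9sYf4eJ"),
}

if __name__ == "__main__":
    for label, chain in (("weak", WEAK_CHAIN), ("hardened", HARDENED_CHAIN)):
        print(label, audit_chain(WORKSTATION, chain) or ["no findings"])
```

The weak chain produces seven findings; the hardened chain produces none, because every tier has its own account and its own password distinct from the workstation login.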
