If you were considering becoming a cybercriminal or were perhaps a traditional villain looking to upgrade your skills for the 21st century, I’m sure your business model of choice would be running a ransomware operation. You would, thanks to the simplicity of platforms like Ransomware as a Service and the willingness of victims to pay ransomware fees, be running a very successful business — albeit an illegal business — in a matter of days or weeks. Such is the ongoing success of ransomware as a means of extorting money from victims.
The main reason for the runaway success of ransomware as a malware attack vector is its effectiveness and ability to generate money for cybercriminals. Anonymous payment services like Bitcoin make ransomware payment simple for victims and risk free for the ransomware owners. Companies are even starting to keep a Bitcoin ransom ready in the event that they are affected and cannot recover from the attack.
Bitcoin isn’t the only way to pay the ransomware fees. Cybercriminals offer flexibility when it comes to settling your bill. Early ransomware and Lockerware (the old screen-locking style of malware) were primitive in terms of demanding payment: Premium rate SMS message extortion was common, as was the use of the now defunct Ukash voucher scheme. Today, Bitcoin remains the most popular payment method, but other cryptocurrencies like the more sophisticated Ethereum and less well known Litecoin and Dogecoin are also options. The latter two currencies trail behind Bitcoin in terms of transactions, but all of these cryptocurrencies can be easily laundered through the darknet, allowing the cashing out of funds easily and anonymously.
Recent research carried out by Google, Chainalysis, UC San Diego and the NYU Tandon School of Engineering found that ransomware has generated an income of more than $25 million over the last two years. Looking at 34 different types of ransomware and then tracking their ransomware payment methods through blockchain ledger entries, they were able to track and analyze the flow of Bitcoin ransom paid by victims. One of the most successful variants of ransomware is Locky, which is said to have earned its owners over $7 million.
If you’ve ever been affected by ransomware, you know the ransom demanded to gain access to your data is generally quite small. On average, the ransom is around $700, although it peaks at about $1,500. This low-pricing strategy is designed to make sure you can afford to pay the ransom rather than seeking likely more expensive recovery alternatives. Paying the ransom is designed by the malware authors to be the easiest option for you on purpose, so they can maximize their profits. There is solid economic theory here: Price elasticity of demand for one, but also the notion that low price, low input and high volume will be an easier payday for the ransomware owner over the higher priced and potentially higher risk alternative.
Reports of ransomware being able to alter its price based on the geographic location of the victim’s computer back up the economics of ransomware too. The Fatboy Ransomware as a Service platform is said to use The Economist’s Big Mac index to offer its victims an affordable way out of their predicament. The Big Mac index measures the differences in purchasing-power parity between global currencies to adjust the price of a burger. It is now utilized by ransomware authors to ensure that wherever their malware strikes, the price you see to regain access to your data is within your means relative to your location and currency.
It is important to note that we also see the price of ransomware set deliberately high in certain market segments, usually where there is a significant risk of not acting on the outcome of the attack. Hospitals, for example, have noted higher ransom payment demands when key or life-critical medical systems are affected. The morals of these ransomware attackers are clearly non-existent.
Paying the ransom, whether it’s by Bitcoin or another method, is always going to appear to be the easiest way out of the problem, but it’s never a guarantee that you’ll be able to resume normal operations. Firstly, the ransomware is unlikely to decrypt all of your data. You should expect about 80% of it back at most. Secondly, the ransomware is still resident on your system and could lead to further breaches or problems. And thirdly, understand that by paying the ransomware demands, you are effectively negotiating with terrorists and helping to fund the darkest, most sinister parts of human nature, such as terrorism, human trafficking, money laundering, drug running, prostitution and every type of criminal activity.
Of course, I understand that there may be times when you have no backup or no means of recovery from a ransomware attack, so you may have no choice but to pay the ransom. In enterprise environments, however, you have a choice and, therefore, no excuse. DO NOT PAY the ransom. Instead, rely on your protection and preparedness.
Stay safe out there.