Ransomware ROI from the criminal perspective

Print Friendly, PDF & Email

“Are we going to pay?”

This is how many conversations about ransomware get started, hopefully before falling victim to an attack.  In making that decision, companies will evaluate what goes into a ransomware defense program, what risk level they will accept, and how well the principle of not paying a ransom holds up against the business losses from downtime or a failed recovery.

Business managers and security professionals aren't the only ones doing the math.  The ransomware criminals also run the numbers so they can demand a ransom that will make them a profit but is still an amount that the company will pay.  This maxim does not apply to all ransomware criminals; some are state actors who have a greater motive than a ransom payment, and some are just using spam kits to distribute a high volume of low-dollar attacks.  But organized ransomware operations have different objectives; they understand their costs and they invest in technologies to grow the “business.”  They look after the balance sheet much like a legitimate company.

Organized ransomware operations understand their costs and they invest in technologies to grow the 'business.'  They look after the balance sheet much like a legitimate company.Click To Tweet

Ransomware as a business

Here are a few of the major investments that ransomware criminals put into their operations:

Infrastructure:  Even criminal professional operations have physical, software, and human infrastructure costs to consider.  Some companies hire translators, and many offer 24/7 tech support to help the victims through the process.  Some have their own developers creating new strains of ransomware to thwart defenses.  This can get expensive, but ransomware operators often leverage other networks for distribution or other coding.  While it's tough for an outsider to put a number on this, the 2018 Black-market ecosystem report gives the following monthly per-campaign estimates:

  • Average estimated operational cost: $1044
  • High estimated operational cost: $2625
  • Low estimated operational cost: $391
  • Components: Ransomware Payload + downloader + crypter + fast-flux BPH+ distribution method (spam/TDS/ Malware “loads” service/BruteForce)

Research and development.  In order for ransomware to remain profitable, the attack has to do enough damage to reduce the likelihood of a fast recovery.  This means that the criminals have to constantly improve their methods and software in order to stay ahead of ransomware defenses.  Some examples of this work:

Ongoing improvements in code:  polymorphic code, improved encryption, randomized attacks.  Ransomware would not be a credible threat today if not for the fact that the development has matured.  Polymorphic code allows the ransomware to change its signature slightly upon each infection, making it more difficult to detect.  Improved encryption makes it more difficult for researchers to develop ransomware decryption keys for the public.  The ongoing development efforts may also include exploit kits and other types of malware.

Subscription services:  This requires an additional type of infrastructure and support.  Organized operators allow others to start their own smaller operations by offering Ransomware-as-a-Service (RaaS).  Like any other ‘as-a-Service' operation, this gives newcomers access to large scale computing and up-to-date software, while expanding the footprint of the ransomware attack.  RaaS providers normally take a 10-40% cut of the ransom, and like many legitimate partner programs, there are performance incentives for participants.

Social engineering research.  Although criminals continue to use large-scale “spray and pray” tactics, Ransomware is frequently delivered through spear-phishing emails.  These attacks rely on social engineering research that allows the criminal to identify high-value targets and then construct an attack.  The time and effort invested in the research vary, but good research can pay off in a big way.

Moving beyond the PC.  Ransomware developers found unpatched Windows systems to be easy targets, but they didn't stop there.  The popularity of other devices and platforms has driven the development of new types of attacks.  MacRansom RaaS was the first widely reported ransomware that targeted Macs, and the 2019 Verizon Mobile Security Index reports that there is at least one form of ransomware targeting iOS devices.  Android ransomware dates back to 2014 and is more prevalent due to the way Android handles third-party apps.  IoT ransomware is also a growing threat, as criminals look for ways to lock owners out industrial control systems and other mission-critical networked devices.

Brand management.  We're not talking about big brand-management programs here, but professional ransomware organizations care about their reputations.  They want their victims and the cybersecurity industry to know that they will keep their end of the deal, so they generally respond immediately with a decryption key and they do not attack the customer again after the ransom has been paid.  According to Mark Rasch, a cybersecurity lawyer, “They want to be known as a trustworthy thief.”  To this end, they have systems in place to track which payments are tied to which computers.  Without this type of process, the criminal can't be sure who has paid the ransom.

Professional ransomware criminals want you to trust them enough to pay the ransom. Some even provide tech support and free trials of their decryptors. Click To Tweet



Return on Investment (ROI)

The organized operation will understand the business and risks well enough to know how much money they need to make.  This gives them the flexibility to negotiate or walk away from a transaction, or to create pricing tiers for different types of victims.

It may not be possible for outsiders to know exactly how much these organizations make, but this data gives us a picture of what we're up against:

It's clear that ransomware isn't going away anytime soon.  If anything, it will become more menacing as criminals leverage Artificial Intelligence to deploy smarter deepfake attacks.

There are several technologies available to protect your company from these ransomware organizations, including systems designed to train your workforce to recognize and help stop these attacks.  Visit our ransomware site to see how Barracuda can help protect your business and reputation from ransomware attacks.


Scroll to top