Many conversations about ransomware start with: “Are we going to pay?” Hopefully this happens before falling victim to an attack.
In making that decision, companies will evaluate what goes into a ransomware defence program, what risk level they’ll accept and how well the principle of not paying a ransom holds up against the business losses from downtime or a failed recovery.
Business managers and security professionals aren't the only ones doing the math. The ransomware criminals also run the numbers, so they can demand a ransom that turns a profit for them while still being an amount the company will pay.
This maxim doesn’t apply to all ransomware criminals – some are state actors who have a greater motive than a ransom payment and others are just using spam kits to distribute a high volume of low-dollar attacks.
But organised ransomware operations have different objectives. They understand their costs and they invest in technologies to grow the “business.” They look after the balance sheet much like a legitimate company.
Ransomware as a business
Here are a few of the major investments that ransomware criminals put into their operations:
1. Infrastructure
Even criminal professional operations have physical, software and human infrastructure costs to consider. Some companies hire translators and many offer 24/7 tech support to help victims through the process. Some have their own developers creating new strains of ransomware to thwart defences.
This can get expensive, but ransomware operators often rely on other networks for distribution or development work.
2. Research and development
For ransomware to remain profitable, the attack has to do enough damage to reduce the likelihood of a fast recovery. This means that criminals have to constantly improve their methods and software to stay ahead of ransomware defences. This includes:
- Ongoing improvements in code – polymorphic code, improved encryption and randomised attacks. Ransomware would not be a credible threat today if not for the fact that the development has matured. Polymorphic code allows the ransomware to change its signature slightly upon each infection, making it more difficult to detect.
- Subscription services – This requires an additional type of infrastructure and support. Organised operators allow others to start their own smaller operations by offering Ransomware-as-a-Service (RaaS). This gives newcomers access to large scale computing and up-to-date software, while expanding the footprint of the ransomware attack.
RaaS providers normally take a 10-40% cut of the ransom. Like many legitimate partner programs, there are performance incentives for participants.
- Social engineering research – Although criminals continue to use large-scale “spray and pray” tactics, ransomware is frequently delivered through spear phishing emails. These attacks rely on social engineering research that allows the criminal to identify high-value targets and then construct an attack. The time and effort invested in research vary, but good research can pay off in a big way.
- Moving beyond the PC – Ransomware developers found unpatched Windows systems to be easy targets, but they didn't stop there. The popularity of other devices and platforms has driven the development of new types of attacks, such as MacRansom RaaS, which was the first widely reported ransomware that targeted Macs.
3. Brand management
Professional ransomware organisations care about their reputations. They want their victims and the cybersecurity industry to know that they’ll keep their end of the deal, so they generally respond immediately with a decryption key and don’t attack the customer again after the ransom has been paid.
They have systems in place to track which payments are tied to which computers. Without this type of process, the criminals can’t be sure who has paid the ransom.
4. Return on Investment (ROI)
The organised operation will understand the business and risks well enough to know how much money they need to make. This gives them the flexibility to negotiate or walk away from a transaction, or to create pricing tiers for different types of victims.
It may not be possible for outsiders to know exactly how much these organisations make, but the average ransom paid in 2019 Q1 was $12,762, compared to $6,733 in 2018 Q4, according to cybersecurity company Coveware. The now-defunct GandCrab affiliate program made over $2.8 million in February this year.
It's clear that ransomware isn't going away anytime soon. If anything, it will become more menacing as criminals leverage artificial intelligence (AI) to deploy smarter deepfake attacks. These AI cyberattacks use voice swapping to gain access to corporate networks and convince employees to authorise a money transfer.
There are several technologies available to protect your company from the growing range of ransomware attacks, but the best defence is to make users aware of the threats and techniques used by criminals.
Implement a simulation and training program to improve security awareness for your users, helping them recognise the subtle clues that identify ransomware attempts. Regularly train and test all employees to increase security awareness. Staging simulated attacks for training purposes is by far the most effective method.
About the author
Andrew Huntley is the regional director for ANZ and the Pacific Islands for Barracuda Networks. For more information, visit: https://www.barracuda.com/