sb-as logo
Story image

Why business is looking good for ransomware criminals

22 Nov 2017

New findings from a report that Carbon Black has just released show it is easier than ever for criminals to extort money from victims through ransomware. Our report ‘The Ransomware Economy’, shows that the market from this insidious form of malware is an estimated $1 billion.

Investigations by our Threat Analysis Unit (TAU) found that cyber criminals are increasingly seeing opportunities to enter the market and looking to make a quick buck via one of the many ransomware offerings available via illicit dark web marketplaces. In addition, the basic appeal of ransomware is simple: it is turnkey. Unlike many other forms of cyber attacks, ransomware can be quickly and brainlessly deployed with a high probability of profit.

As a result, the amount of money being extorted by ransomware is much higher than it’s ever been.  Payments associated with ransomware went from $24 million to $1 billion from 2015 to 2016.

The size of the market is allowing criminals to specialise within the ransomware ecosystem. When the market was $24 million, criminals had to do it all themselves. There was no way they were going to let someone else take a piece of their $24 million. But when you’re talking about a billion dollars criminals are happy to settle for as smaller piece of a very large pie.

What this means is that there is specialisation, with dedicated groups of people focusing in on one piece of the problem and getting really good at solving it. This means they are much more likely to succeed.

The other issue with the increasingly specialised nature of ransomware is that individual criminals don’t need to have all the skills necessary to mount a ransomware attack. So the barrier to entry becomes a lot lower because they can simply buy the services they don't know how to do themselves. This ease of access has been the main driver behind the growing frequency of ransomware attacks.

Notes from underground

The increase in specialisation witnessed by our firm and the IT security industry in general has created an underground economy that allows the attacks that are conducted to be more successful because there are people specialising in their piece of it, spending much more time, money and effort on clearing hurdles.

One of the biggest hurdles to ransomware becoming a billion-dollar business was payment. Getting malware on to a computer is not that difficult for criminals, however the advent of bitcoin has allowed them to access payment facilities more easily.

In the past, criminals had to rely on either wire transfers or credit card payments; both have advantages and disadvantages. A wire transfer was hard for victims to initiate, making them less likely to pay up in this way. Credit cards were easier, but for criminals there was always the risk of the victim phoning up the credit card company and cancelling the payment.

Bitcoin is the ‘middle ground’ for criminals. It's like a wire transfer in the sense that once it has happened, the payment has been made and can’t be reversed by the victim. Bitcoin is easier to set up than a wire transfer and it is in the victim’s realm of convenience: they’d rather pay up via bitcoin than get a new computer.

Crime and punishment

Another problem in tackling cyber criminals is jurisdiction. With normal crime, both victim and criminal are in the same jurisdiction. Ransomware attacks are borderless and often the victim and perpetrator are in different countries.

Who is supposed to prosecute? The victim is in London, but the crime was actually committed in China. The lack of clarity over international cyber-policing makes this an incredibly difficult problem to solve, and it’s a situation that heavily favours the criminals.

Those behind ransomware can be split into three tiers: the authors of the malicious code; those that leverage the malware (by offering ransomware-as-a-service), and the distributors. In order to confront this problem, it needs to be tackled upstream and we need to limit the incentives for malware authors.

This means using a predictive security cloud model that identifies the most dangerous threats facing an organisation. This combines big data analytics with information from within an organisation’s systems to identify potential attacks, threats and other indicators that can protect infrastructure before it ever falls victim to an attack. This helps security specialists within the organisation predict what could happen based on accurate data and makes the task of confronting ransomware authors and attackers that much more difficult and less lucrative.

In the absence of an international legal cyber-deterrent, this kind of proactive defence on the part of potential ransomware targets is the most effective way to disrupt the booming ransomware economy.

Article by Mike Viscuso, Carbon Black CTO and co-founder.

Story image
ThreatQuotient hits $22.5m in new financing, continues growth streak
“Since we first invested in ThreatQuotient in 2017, their team has continued to prove to the market that there is a critical need for cybersecurity solutions aimed at security operations."More
Story image
IT leaders prioritising automation, Zero Trust and API-based security investments
"The study shows that a cocktail of multiplying threats, the proliferation of hybrid and cloud architectures, blended with a pandemic-fuelled explosion in distributed and remote work has created a perfect storm for network security teams."More
Story image
Zscaler and CrowdStrike release integrations for end-to-end security
This collaboration between the two cloud-native security companies provides joint customers with adaptive, risk-based access control to private applications.More
Story image
Why a more secure organisation is a collective responsibility
With vast volumes of data moving to the cloud, many IT professionals are frequently challenged to protect their enterprise environment, and there is a greater focus being placed on advancing cybersecurity strategies.More
Story image
Video: 10 Minute IT Jams - Who is Okta?
Okta is an identity and access management company, specialising in secure user authentication. It's an enterprise-grade identity management service, built for the cloud, but compatible with many on-premises applications.More
Story image
Claroty discovers vulnerabilities in Ovarro TBox RTUs
The vulnerabilities could enable attackers to break into the systems and run code, crash systems, and meddle with configuration files, amongst other malicious actions.More