New findings from a report that Carbon Black has just released show it is easier than ever for criminals to extort money from victims through ransomware. Our report ‘The Ransomware Economy', shows that the market from this insidious form of malware is an estimated $1 billion.
Investigations by our Threat Analysis Unit (TAU) found that cyber criminals are increasingly seeing opportunities to enter the market and looking to make a quick buck via one of the many ransomware offerings available via illicit dark web marketplaces. In addition, the basic appeal of ransomware is simple: it is turnkey. Unlike many other forms of cyber attacks, ransomware can be quickly and brainlessly deployed with a high probability of profit.
As a result, the amount of money being extorted by ransomware is much higher than it's ever been. Payments associated with ransomware went from $24 million to $1 billion from 2015 to 2016.
The size of the market is allowing criminals to specialise within the ransomware ecosystem. When the market was $24 million, criminals had to do it all themselves. There was no way they were going to let someone else take a piece of their $24 million. But when you're talking about a billion dollars criminals are happy to settle for as smaller piece of a very large pie.
What this means is that there is specialisation, with dedicated groups of people focusing in on one piece of the problem and getting really good at solving it. This means they are much more likely to succeed.
The other issue with the increasingly specialised nature of ransomware is that individual criminals don't need to have all the skills necessary to mount a ransomware attack. So the barrier to entry becomes a lot lower because they can simply buy the services they don't know how to do themselves. This ease of access has been the main driver behind the growing frequency of ransomware attacks.
Notes from underground
The increase in specialisation witnessed by our firm and the IT security industry in general has created an underground economy that allows the attacks that are conducted to be more successful because there are people specialising in their piece of it, spending much more time, money and effort on clearing hurdles.
One of the biggest hurdles to ransomware becoming a billion-dollar business was payment. Getting malware on to a computer is not that difficult for criminals, however the advent of bitcoin has allowed them to access payment facilities more easily.
In the past, criminals had to rely on either wire transfers or credit card payments; both have advantages and disadvantages. A wire transfer was hard for victims to initiate, making them less likely to pay up in this way. Credit cards were easier, but for criminals there was always the risk of the victim phoning up the credit card company and cancelling the payment.
Bitcoin is the ‘middle ground' for criminals. It's like a wire transfer in the sense that once it has happened, the payment has been made and can't be reversed by the victim. Bitcoin is easier to set up than a wire transfer and it is in the victim's realm of convenience: they'd rather pay up via bitcoin than get a new computer.
Crime and punishment
Another problem in tackling cyber criminals is jurisdiction. With normal crime, both victim and criminal are in the same jurisdiction. Ransomware attacks are borderless and often the victim and perpetrator are in different countries.
Who is supposed to prosecute? The victim is in London, but the crime was actually committed in China. The lack of clarity over international cyber-policing makes this an incredibly difficult problem to solve, and it's a situation that heavily favours the criminals.
Those behind ransomware can be split into three tiers: the authors of the malicious code; those that leverage the malware (by offering ransomware-as-a-service), and the distributors. In order to confront this problem, it needs to be tackled upstream and we need to limit the incentives for malware authors.
This means using a predictive security cloud model that identifies the most dangerous threats facing an organisation. This combines big data analytics with information from within an organisation's systems to identify potential attacks, threats and other indicators that can protect infrastructure before it ever falls victim to an attack. This helps security specialists within the organisation predict what could happen based on accurate data and makes the task of confronting ransomware authors and attackers that much more difficult and less lucrative.
In the absence of an international legal cyber-deterrent, this kind of proactive defence on the part of potential ransomware targets is the most effective way to disrupt the booming ransomware economy.