Ransomware Economics: Why the Threat is Here to Stay


Ransomware has been hitting the headlines for the past few years, snaring new victims who face the dilemma of whether to stand firm or pay up. Dan Raywood looks at the rising cost of a ransom payment, and how much the size of the target affects the financial demand.

The concept of extorting a victim for money is nothing new; in fact it’s older than the internet by many centuries. Over the years, however, malware has evolved from spying on users and harvesting information, to promoting malicious links for clickbait, to the current straightforward tactic of ‘give us your money’.

Arguably, the most surprising thing about ransomware is that it took so long to appear as mainstream malware. After all, the factors that enable ransomware have long existed openly: encryption; drive-by downloads; users clicking on attachments; and a willingness to pay when victims feel there is a genuine threat of losing their data.

After the iCloud hacks of 2014, people are warier of backing up their data to the cloud. Ransomware can infect network-attached storage, so that is not a safe option either, and removable storage has shrunk in physical size and is easy to lose. Perhaps this is why so few people back up their data anymore, and why ransomware is a success for the attacker time and time again.

Nothing New Here

Ransomware is nothing new though; consultants were talking more than five years ago about ransomware infecting their clients’ networks, and just this year, reports were made of hospitals being hit by ransomware and locking down their networks and access to patient data.

According to a Freedom of Information Act request by NCC Group this year, 47% of NHS Trusts had been subject to a ransomware attack in the last 12 months. A total of 60 of 155 Trusts responded, and of those, 31 withheld information, 28 said they had been a victim and one said they had not.

Research carried out by Andrew Hay, CISO of DataGravity, on the financial impact of ransomware on five US hospitals, showed that the average revenue lost varied from $1,000 up to $10,000. Hollywood Presbyterian Medical Center featured at the top end of the scale. Hay demonstrated that it had a total revenue of $970,317,733, a net income of $20,979,948, and an average revenue per day of $2,658,405.

With the ransomware active for four days, the downtime cost was above $10,000. He also reported that the ransom demand was $17,000, which equates to a daily cost of $4,250.

Speaking to Infosecurity, Hay says that in the cases of the hospital infections he did not believe it was a complete shutdown that prevented them from conducting business as usual, but rather a lack of access to required files. “For the case of the Hollywood Presbyterian Hospital, the affected data included patient files and electronic access to said files,” he adds.

Can a business operate when hit by a ransomware infection, or does it mean a total shut down? “It depends entirely on their line of business,” Hay says. “For example, if the organization is a completely online business storefront, the inability to access customer, inventory and distribution information would likely grind all dealings to a halt.

“There are businesses, however, that could fall back to pen and paper for some of their tasks. Though sub-optimal, the business could limp along for some time until a resolution can be found.”

To Pay or Not to Pay

One of the interesting points about the FOI request was that it demonstrated that infected organizations were not always paying the ransom. Hay explains that, as some ransomware variants are unable to restore the encrypted files even after the ransom is paid, he is not surprised that some organizations are choosing not to take the risk.

“The simple act of paying the ransom, however, does provide an indicator to the attacker that the victim was willing to pay before and may pay again in the future.” According to research by Malwarebytes, 40% of 540 companies hit by ransomware paid the attackers in order to retrieve their data.

Another poll of 300 UK businesses by Trend Micro found that 65% of UK companies infected with ransomware end up paying out. The average amount of ransom requested in the UK was $722, although 20% of companies reported ransoms of more than $1,300.

Steven Malone, director of security product management at Mimecast, says: “The price point dilemma is at the heart of ransomware’s success. For smaller businesses, the ransom is often pitched at $400 to $1,000. Yet organizations that get hit also face considerable employee downtime and productivity loss, the inability to service customers with significant costs and time to recover.”

Another Freedom of Information study by SentinelOne found that of 71 universities questioned, 60% had been hit by ransomware, of which 65% were targeted multiple times.

Jeremiah Grossman, chief of security strategy at SentinelOne, tells Infosecurity that people are making a lot more money from ransomware than before. Often the attackers do not discriminate in their choice of target, sending ‘mass blast’ emails in the hope of infecting multiple victims, while others pick specific targets to get a larger payout.

“The target is dependent on the group and where they feel most confident,” he says. “It looks like the vast majority of attackers are indiscriminate in their target selection, where they are spamming everybody or using malvertising as it takes more effort to go after a single target. If there were larger payments being made for ransomware I think we would see it, but we don’t have that many cases of large ransomware payouts, or there are just not a lot of them being reported.”

The Role of Bitcoin

The fluctuation of Bitcoin impacts the typical ransomware payment amount, says Grossman, who tells Infosecurity that a common payout for an average person was between $500 and $2,000, or five bitcoins. “On the larger ones, it is probably more like $15,000 so there is a big jump there.”

So how is the ransom amount arrived at? Grossman argues it usually comes down to negotiation: a lot of the time the indiscriminate operators have no idea what data they have, so they aim for the maximum they can get and whatever the victim is willing to spend. That is why you see those very low numbers, as everything is negotiable in that space.

Recent research from Symantec suggested that the average ransom demand is now $679, up from $294 at the end of 2015, while Trend Micro figures suggested the average ransom demanded is $722 – although the payment is usually requested in Bitcoin.

Hay adds: “Businesses are assessing the risk on a case-by-case basis. It really comes down to how much pain the business can endure by not paying...and for how long.”

In terms of ransomware economics, the amount being paid is rising, but not in large leaps. Kevin Epstein, vice-president of the threat operations center at Proofpoint, confirms that ransom amounts have tended to be relatively fixed at between $300 and $1,000 per machine; but because ransoms typically need to be paid within a short timeframe, attackers can ask for differing amounts with each attack.

“The amount attackers are demanding seems to correlate more closely to the value of decrypting individual machines,” Epstein says. “There is little evidence that attackers are basing their per-machine ransom demand on total perceived value per company divided by the likely infection rate. Big companies haven't yet been charged orders of magnitude per machine more than individuals.”

So the money you need to spend when recovering from a ransomware infection is not massive, but it does depend on the size of your business, on whether the attacker realizes they have caught a ‘big fish’, and on how far they are willing to negotiate to extract the maximum cash.

Defend to Survive

A simpler solution, of course, would be to not get infected at all. Chris Hodson, formerly a security leader at a number of large retailers and now EMEA CISO at Zscaler, advises organizations to get secure, and fast.

“With cybercrime establishing itself as a profitable business, the bad guys get greedy quickly and seek to maximize revenue wherever possible,” he says. “However, in order to do this, the criminals need to make sure that their malware payloads evade controls. The most appropriate first step to take is to implement a defense-in-depth architecture, one which has the ability to provide dynamic and behavioral analysis of malware. I’d also advise businesses and CIOs in particular to no longer rely just on signatures.”

Does that mean security teams should consider putting budget aside to potentially cover a ransomware payment, or is that a defeatist stance? “With ransomware so prominent in today’s cyber-space, it almost feels like organizations are waiting to get hit, rather than proactively seeking defense mechanisms,” says Hodson. “In terms of putting budgets aside to cover the damage, this is not something I would recommend. As ransomware matures, attacking more personally identifiable information, it is hard to put a figure on your data.

“At the end of the day, paying up or not depends entirely on a plethora of circumstances so such predictions cannot be made. Instead of worrying about the financial damage, organizations and CIOs should be more concerned with getting their cyber-defenses tightened, ensuring such attacks do not happen in the first instance.”

Protection methods that combine people, processes and technology may be the best solution in the fight against ransomware, while initiatives like ‘No More Ransom’ may enable decryption for some victims. The issue is that a lack of access to critical files leads to lost productivity in the best case, and to loss of life in the worst.

Businesses can do their best to protect themselves and survive, but if the amount typically demanded as a ransomware payment doubled from 2015 to 2016, 2017 could bring worse news.
