Researchers at Carbon Black examined the ransomware market and discovered some interesting facts about the booming criminal economy. Mirroring some of the legal technology markets, such as those for software development, the market for Ransomware is dominated by unique custom solutions and turnkey offerings.
For two months researchers at Carbon Black studied how ransomware and developed and sold to criminals on the darknet. As one would expect, there are thousands of products (45,000) on offer from hundreds of sellers.
If you consider the prices of the ransomware products being pitched, the overall ransomware economy has grown more than 2,500-percent, from about $250,000 to $6.24 million from 2016 to 2017.
However, while those figures come from the base price for ransomware offerings themselves. It's hard to account for customization and tailored services, and it doesn't take into consideration that some ransomware products simply don't sell.
So, what happens after the ransom is paid? Does the person running the ransomware campaign just collect funds and move on? It's easy to assume that's the case, but the reality is completely different.
While some sellers are making more than $100,000 a year off ransomware, others are barely breaking even. Usually those not making a tidy profit are bottom feeders who have way too much overhead, or those who haphazardly throw together a list of potental targets in the hopes of getting payments made.
Developers of ransomware are making a killing too, because they can create customized solutions – where the real money is – and functional kits that require little to no experience, training, or infrastructure (turnkey solutions).
Ransomware a thriving market
Ransomware offerings range from basic $10 offerings to targeted offerings on Android ($250) and even customized offerings for $1400. The more customization that's required, the higher the price. The most expensive ransomware offering observed by Carbon Black was $3,000, but the entire kit was completely customized and used for targeted campaigns.
When it comes to customization, ransomware authors offer a number of options including encryption level, file targeting or copying, the ability to delete files if the system is rebooted, malware persistence, or even a forced timer that will delete files every 24 hours if the ransom demand isn't met.
A wide selection of options is just one of the reasons the economy tied to ransomware has flourished. Another reason is availability. With very little investment and overhead, anyone has the opportunity to run a decently sized campaign.
"Not only have the dark web marketplaces evolved to better support high-risk, low-trust transactions through escrow systems, but the requirement for ransoms to be paid over the Tor network has ensured there’s no centralized endpoint to investigate with traditional geo-based law enforcement approaches," Carbon Black's researchers explained.
Finally, the victims themselves are a key reason for such maturity in the ransomware market. They keep paying to recover their files. In 2016, the FBI estimated that more than $1 billion USD in ransom payments were made. If such payments didn't happen, criminals would move on to other lucrative targets. Instead, ransomware is where the money is.
Organizations that lack backups or a sound recovery plan are often faced with a tough challenge once ransomware strikes – lose the files or give in and pay off the attacker. When Carbon Black asked participants in a recent study if they'd pay to recover files during a Ransomware incident, 52 percent said they would.
How the ransomware supply chains work
The ransomware market isn't too complex. It's like any other when you get down to its core. Ransomware developers create the product and then offer add-ons and support, so there is a need for strong code skills. The authors can sell direct exclusively, earning a higher payout as a result, but that limits their market reach. Instead, they often develop a base kit and sell that while pushing customization.
Another option is to develop the ransomware and the hosted environment needed to run campaigns and sell access that way, or ransomware as a service (RaaS).
With RaaS, the barrier to entry is cheap and few, if any, skills are required to operate a ransomware campaign. In fact, for a cut of the ransom payment (pre-determined before the campaign starts), most ransomware developers will provide some level of custom work and support.
There are two levels in RaaS, trusted or verified clients (those who have other confirmed criminals vouch for them) and general (bottom feeder) clients. Reputation matters. The better your reputation among fellow criminals, the more money you get to keep as the split on ransoms is smaller.
In addition, most RaaS offerings have extensive metrics so that campaigns can be graded of effectiveness and profit. In this setting, the ransomware author has the most protection, as the distributor assumes most of the risk.
Stopping ransomware and killing the market
"The silver lining when it comes to breaking the ransomware supply chain is that defenders have an inherent advantage. If defenders can break or interrupt even one link of the chain, the entire attack falls apart," Carbon Black's report explained.
"Taking down distributors and operators is chasing the tail of the problem. To begin to put a dent in the underground ransomware economy, efforts should be enacted to disrupt the supply chain upstream and change the incentive for malware authors. By decreasing the ROI for attackers, defenders can decrease the financial incentive for the crime."
The key to this is to stop making payments. That is one of the biggest keys to the ransomware market, and those operating campaigns focus their efforts on geographic locations and organization types that are likely to pay.
Earlier this month, Salted Hash highlighted one administrator who overcame the problem of ransomware simply by having properly tested and managed backups. "As an industry, we are often getting the fundamentals of security wrong. In too many instances, we are failing to do the basic blocking and tackling of security such as backing up files and systems, testing restorations, patching, having adequate, enterprise-wide visibility, and [updating] outdated prevention measures, such as legacy antivirus," wrote Carbon Black's Rick McElroy, one of the report's authors.