Inside the Ransomware Economy

The trouble with ransomware is well known at this point.

From Egregor to Doppelpaymer to Ryuk, it continues to command headlines. Pandemic-fueled phishing lures, poor visibility across remote endpoints, and lax attitudes have been a boon for ransomware groups over the last year. Worst of all, ransomware no longer discriminates. It hits small towns and municipal offices, video game makers and, shamelessly, healthcare organizations and school systems already pushed to the brink by the COVID-19 pandemic.

The threat could become more pervasive still over the next two to three years, not because the malware itself is getting better but because of the other players in the game: insurance companies, brokers, and even attorneys, who keep fanning the flames by making payment the path of least resistance.

Unfortunately, many victims don’t understand why this is the case.

To understand the world of ransomware, it helps to think of it as an economy. Attackers deploy malware and demand a ransom; that demand is the business model. Once an operation is established, usually as a cottage industry, its tooling, targeting, and pricing can be adjusted as the market changes.

Like any industry, when it comes down to it, the goal of ransomware is to get paid. Everything else in the business model is built around that.

The suppliers, usually cybercriminals peddling ransomware-as-a-service (RaaS) offerings, have shown a knack for growing their business. In the RaaS model the developer maintains the malware and the payment and leak infrastructure, while affiliates break into victims and hand over a cut of each ransom. Being a ransomware operator doesn’t necessarily require technical skill; it’s more about being an entrepreneur.

Recent reports claim ransomware gangs earned at least $350 million in 2020, a staggering 311% increase over the previous year. Ryuk, which has been around for years, has managed to stay profitable because it targets organizations big enough to pay up. How much? According to reports, the average ransom demand for Q4 last year was around $154,000, a figure that’s up from $111,000 six months prior. Reports from January suggest the Ryuk gang has already made more than $150 million thanks to payments in the hundreds of thousands range.

As the numbers indicate, victims wind up paying handsomely, not just the ransom itself but also for downtime, bad press, and regulatory fines. These costs can skyrocket depending on the scenario. NotPetya, a destructive wiper dressed up as ransomware, famously cost shipping giant Maersk over $200 million in 2017. Forward Air, a trucking company, said earlier this year that a recent attack cost it $7.5 million; CWT, the travel management company, reportedly paid $4.5 million to its attackers following a ransomware attack last summer.

Affected organizations pay incident response firms as well. Incident response consultants reconstruct how the actor got in, what they touched, and whether data left the network, which matters because the same foothold will be reused if it is not closed. Digital forensics firms called in after an attack attempt to decrypt or recover files; in practice, decryption without the attacker’s key only succeeds when the strain has a known implementation flaw or leaked keys, so recovery usually comes down to the quality of the victim’s offline backups.

There's another player here: the ransomware broker. Not every organization hit by ransomware understands the mechanics of the attacker’s payment demands, such as how cryptocurrency like Bitcoin is bought and transferred. Brokers can be hired by organizations, or their legal counsel, to negotiate the ransom down or to handle the payment itself.

Insurance providers have done more than anyone of late to keep the cycle turning. Traditionally, carriers that specialize in cyber insurance cover losses incurred as a result of a ransomware infection, including downtime of company operations. Depending on the case, some insurers encourage paying the ransom when doing so is likely to minimize the claim by restoring operations quickly. That gets the victim a decryption key faster and stops the bleeding, but it doesn’t solve the overarching problem: every paid ransom funds the next campaign and signals that the next victim will pay too.

The 2019 ransomware attack on New Orleans forced the city to budget more than $7 million in damages, well above its $3 million cyber insurance policy. In response, the city raised its coverage to $10 million. That may buy peace of mind, but it also means higher premiums for the insurer and, potentially, a bigger payday for the criminals next time; attackers have been known to look for a victim’s insurance policy among stolen files to size their demand.

Legal counsel is yet another player in the ransomware economy. Hired as the go-between that manages the relationship with the broker and the insurance provider, counsel, working in tandem with IT and forensic experts, weighs whether the organization should pay, whether a payment would breach sanctions rules (the U.S. Treasury warned in October 2020 that paying sanctioned actors can expose the payer to penalties), and whether notifying employees, investors, and regulators is required.

At the top of the food chain, the threat actors themselves, the actual authors of the ransomware, are taking new steps to make sure their malware spreads and, more importantly, that they get paid. Attackers using the Clop ransomware have lately gone after top managers, executives whose workstations hold sensitive data that can be stolen and used as extra leverage in the extortion. Others target senior managers connected to bank accounts who can authorize payments.

As long as these increasingly splintered entities on both sides of the law, authors, developers, affiliates, brokers, legal aid, and insurers, keep making a profit, ransomware will survive the test of time. It’s a win-win for everyone but the victim.

Tim Bandos is the Chief Information Security Officer & VP of Managed Security Services at Digital Guardian, with more than 15 years of experience in information technology and securing mission-critical data. Tim joined Digital Guardian in 2016 as VP of Cybersecurity and built the company’s Managed Detection & Response program from the ground up. Prior to Digital Guardian, Tim ran a global security team at DuPont, where he was responsible for overseeing internal controls, incident response and threat intelligence.