The ransomware marketplace has grown by a phenomenal 2,502% from 2016 to 2017. This is the amount of money spent by criminals on ransomware software. It is a market fueled by the technical simplicity of the malware, the rise of Ransomware-as-a-Service, the guaranteed return on investment for criminals, the availability of Tor and crypto currencies to hide tracks; and a lack of fundamental security controls among victims.
Carbon Black’s researchers monitored 21 of the largest dark web marketplaces trading ransomware (out of an estimated 6,300+ dark web marketplaces doing so) during August and September 2017. The results are astonishing, with more than 45,000 current listings. Prices range from Android lockscreen ransomware for $1.00 to custom code for more than $1000. The median cost of a ransomware offering is just $10.50.
The total amount of money involved is equally astonishing. According to FBI figures, ransom payments in 2016 were around $1 billion dollars; up from $24 million in 2015. According to Carbon Black’s research, ransomware developers can expect to earn approximately $100,000 (tax free) per annum. This compares to an average salary of $69,000 (before tax) for legitimate software developers. The difference is even greater in many east European countries where much malware is thought to be developed. Ransomware sales on the dark web have grown from less then $400,000 in 2016 to around $6.25 million in 2017.
“The underground ransomware economy is now an industry that resembles commercial software — complete with development, support, distribution, quality assurance and even help desks,” notes the report. Carbon Black’s security strategist Rick McElroy expects this underground business to evolve and develop much like legitimate industries. “I expect that we will see consolidation between the developers and their products,” he told SecurityWeek.
The simple reality is that the ransomware industry is growing because it is profitable. Dismantling the industry must therefore concentrate on removing that profitability. Carbon Black describes the industry as having a five-point supply chain: creation, distribution, encryption, payment and command and control. “If defenders can break or interrupt even one link of the chain,” it suggests, “the entire attack falls apart.”
Disrupting the creation will be impossible while young coders are unable to find legitimate jobs, and can earn attractive sums through developing ransomware. Distribution disruption is equally difficult when the marketplace can be hidden within the dark web. Encryption is similarly impossible to control — powerful encryption systems are readily available in the public domain. Payment is the weakest link. In the supply chain it is the collection and tracking of ransoms paid — but if no ransom is paid, then the entire industry will collapse.
“We need to STOP paying ransoms“, says the report. “The system only works if victims choose to pay. Until people decide not to pay, this problem will only continue to grow.” McElroy agreed in conversation that this is a difficult ask. Nevertheless, he believes that if enough victims in either a particular country, or target industry, refuse to pay, the criminals will simply target different areas or industries where the returns will be greater. It doesn’t solve the problem, but it simply exports it elsewhere.
Preventing the need to pay a ransom would have a similar effect. This could relatively easily be achieved by improved security controls — but ensuring that people and organizations have those controls in place is difficult if not impossible to achieve.
Against this background, the ransomware industry will continue to grow — and it will continue to evolve. So far, ransomware has largely been in the hands of relatively unskilled coders; sophistication has not been necessary. Carbon Black sees this changing. To a certain extent the signs are already visible: WannaCry and NotPetya are examples. In the former, the ransomware was unsophisticated while in the latter decryption was never intended. However, the distribution of the ransomware via leaked NSA exploits was a new development.
Carbon Black describes this use of ransomware as a false flag. A closely related new development it expects will be the malware’s use as a smokescreen. “Using already existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated.” The ransomware — or more specifically the encryption element of ransomware — will be used to hide and obfuscate traces of more traditional cyber thefts and cyberespionage.
All of this is likely as the ransomware industry evolves. McElroy told SecurityWeek he expects to see consolidation. The effect is likely to concentrate ransomware into the hands of more sophisticated coders. One effect of paying a ransom is that it tells the attackers that the victim can be coerced. Carbon Black expects to see more sophisticated developers employing more advanced morphing and persistence techniques to remain on the victim’s network after decryption — so that they can extort a second time in the future.