Inside The Ransomware Economy

The plight of ransomware — the dilemma organisations face over whether or not to pay the ransom, the increase in municipal ransomware hitting local governments — is well established at this point.

It’s abundantly clear that ransomware is and will continue to be a serious issue into and past 2020. It can be argued the threat will only become more pervasive over the next two to three years, not because ransomware is effective in and of itself, but thanks to other players in the game — like insurance companies, brokers, and even attorneys — that continue to fuel the fire.

Unfortunately, many victims don’t understand why this is the case.

To understand the world of ransomware, it’s important to conceptualise it as an economy: Attackers deploy malware and demand a ransom to facilitate their business model. Once established, these operations — usually cottage industries — can be updated and adjusted to meet their needs.

Like any industry, when it comes down to it, the goal of deploying ransomware is to get paid. This is where the business model comes in.

The suppliers, usually cybercriminals peddling ransomware-as-a-service (RaaS) solutions, have demonstrated a knack for growing their business. Being a ransomware operator doesn’t necessarily require technical skill. It’s more about being an entrepreneur. In 2016, the group behind Cerber claimed to make $200,000 a month via Bitcoin ransoms; developers of the GandCrab RaaS boasted making more than 12 times that: $2.5 million a week. Modern day campaigns that rely on Emotet, which drops the TrickBot trojan and goes on to steal data and download the Ryuk ransomware, can be just as effective as it is profitable.

Naturally, many victims wind up paying handsomely — for the downtime their organisations experience, in addition to regulatory fines, and if necessary, the ransom itself. As we’ve seen, these costs can skyrocket depending on the scenario – NotPetya famously cost shipping giant Maersk over $200 million in 2017.

Incident response firms no doubt get paid too. Firms that specialise in digital forensics, called on in the wake of a ransomware epidemic, address the issue and attempt to decrypt or recover files.

Serious players in the ransomware scene don’t use malware for which decryption tools are publicly available, however. At this point, incident response consultants may be able to determine how the actor was able to gain access to the victim organisation’s infrastructure but that is heavily dependent upon factors like the actor’s “dwell time” (how long they were in the infrastructure before deploying the ransomware) and activities that occurred immediately following the infection, etc. In these instances, a root cause analysis (RCA) — a systematic approach to identify the underlying cause of the incident — may not be something the customer is willing to pursue, nor to address.

There’s another player here: the ransomware broker. Not every organisation that’s hit with a ransomware attack is familiar with the fiduciary demands of an attacker; including how cryptocurrency like Bitcoin works. Enter yet another service that acts as an intermediary: the broker, a service provider that can be hired by organisations, or their legal counsel, to negotiate a reduction in the ransom or to handle the process for paying the ransom.

One such firm, Coveware, which bills itself as a “ransomware recovery first responder,” helps facilitate payments but also claims it collects and shares data it gleans with law enforcement and security researchers. A handful of other firms, like Gemini Advisory and Cytelligence, have emerged of late as well.

The cyclical nature of ransomware, especially of late, has been advanced by insurance providers. Traditionally, providers that specialise in cyber insurance offer coverage for losses incurred as a result of a ransomware infection. As ProPublica recently discovered, some insurers have encouraged paying a ransom when it’s likely to minimise costs by restoring operations quickly. While this allows victim organisations to obtain a decryption key faster and stop the bleeding, it’s hard to argue that by doing so, these providers aren’t fanning the flames of the problem.

Legal counsel — yet another player in the ransomware economy — has a role to play too. Hired to be the “go-between” and manage the relationship with the broker and the insurance provider, legal counsel, working in concert with IT and forensic experts, can decide whether organisations should pay and whether notifying parties involved — employees, investors, and regulators — is necessary.

At the top of the food chain, even threat actors themselves — the actual authors of the ransomware — are taking new and interesting steps to ensure their malware gets out there and more importantly, that they get their fair share.

Authors behind the Maze strain of ransomware were spotted in Fall 2019 using exploit kits, thought to have fallen out of favor with cybercriminals, to proliferate their payload. While exploit kits certainly aren’t new, the fact that ransomware authors are exploring new avenues to spread their wares, like the Fallout and Spelevo exploit kit, shows a willingness to diversify their tactics.

To guarantee ransoms are paid, actors have taken to blaming and shaming victims, too.

Attackers — also behind the Maze ransomware variant — have begun to publicly punish companies refuse to pay. For example, in a public website, the crew recently shared company names, websites, and even stolen data from victim companies. Last November, the group released what amounted to 10 percent of the data it reportedly stole after the company failed to pay a $2.3 million ransom. Another ransomware strain, Snatch, has recently been spotted bypassing security measures and with the help of a data stealing module, exfiltrating sensitive information as well.

If a report by Coveware earlier this year is to believed, there’s too much money at stake for ransomware attacks to relent. The report found that the average ransom payment increased by 184 percent, from $12,762 to $36,295, from Q1 to Q2 alone.

As long as these increasingly splintered entities from both sides of the law — authors, developers, brokers, legal aid, and insurers — keep making a profit, ransomware will continue to survive the test of time.

It’s a win-win for everyone but the victim.