sb-eu logo
Story image

Why business is looking good for ransomware criminals

22 Nov 2017

New findings from a report that Carbon Black has just released show it is easier than ever for criminals to extort money from victims through ransomware. Our report ‘The Ransomware Economy’, shows that the market from this insidious form of malware is an estimated $1 billion.

Investigations by our Threat Analysis Unit (TAU) found that cyber criminals are increasingly seeing opportunities to enter the market and looking to make a quick buck via one of the many ransomware offerings available via illicit dark web marketplaces. In addition, the basic appeal of ransomware is simple: it is turnkey. Unlike many other forms of cyber attacks, ransomware can be quickly and brainlessly deployed with a high probability of profit.

As a result, the amount of money being extorted by ransomware is much higher than it’s ever been.  Payments associated with ransomware went from $24 million to $1 billion from 2015 to 2016.

The size of the market is allowing criminals to specialise within the ransomware ecosystem. When the market was $24 million, criminals had to do it all themselves. There was no way they were going to let someone else take a piece of their $24 million. But when you’re talking about a billion dollars criminals are happy to settle for as smaller piece of a very large pie.

What this means is that there is specialisation, with dedicated groups of people focusing in on one piece of the problem and getting really good at solving it. This means they are much more likely to succeed.

The other issue with the increasingly specialised nature of ransomware is that individual criminals don’t need to have all the skills necessary to mount a ransomware attack. So the barrier to entry becomes a lot lower because they can simply buy the services they don't know how to do themselves. This ease of access has been the main driver behind the growing frequency of ransomware attacks.

Notes from underground

The increase in specialisation witnessed by our firm and the IT security industry in general has created an underground economy that allows the attacks that are conducted to be more successful because there are people specialising in their piece of it, spending much more time, money and effort on clearing hurdles.

One of the biggest hurdles to ransomware becoming a billion-dollar business was payment. Getting malware on to a computer is not that difficult for criminals, however the advent of bitcoin has allowed them to access payment facilities more easily.

In the past, criminals had to rely on either wire transfers or credit card payments; both have advantages and disadvantages. A wire transfer was hard for victims to initiate, making them less likely to pay up in this way. Credit cards were easier, but for criminals there was always the risk of the victim phoning up the credit card company and cancelling the payment.

Bitcoin is the ‘middle ground’ for criminals. It's like a wire transfer in the sense that once it has happened, the payment has been made and can’t be reversed by the victim. Bitcoin is easier to set up than a wire transfer and it is in the victim’s realm of convenience: they’d rather pay up via bitcoin than get a new computer.

Crime and punishment

Another problem in tackling cyber criminals is jurisdiction. With normal crime, both victim and criminal are in the same jurisdiction. Ransomware attacks are borderless and often the victim and perpetrator are in different countries.

Who is supposed to prosecute? The victim is in London, but the crime was actually committed in China. The lack of clarity over international cyber-policing makes this an incredibly difficult problem to solve, and it’s a situation that heavily favours the criminals.

Those behind ransomware can be split into three tiers: the authors of the malicious code; those that leverage the malware (by offering ransomware-as-a-service), and the distributors. In order to confront this problem, it needs to be tackled upstream and we need to limit the incentives for malware authors.

This means using a predictive security cloud model that identifies the most dangerous threats facing an organisation. This combines big data analytics with information from within an organisation’s systems to identify potential attacks, threats and other indicators that can protect infrastructure before it ever falls victim to an attack. This helps security specialists within the organisation predict what could happen based on accurate data and makes the task of confronting ransomware authors and attackers that much more difficult and less lucrative.

In the absence of an international legal cyber-deterrent, this kind of proactive defence on the part of potential ransomware targets is the most effective way to disrupt the booming ransomware economy.

Article by Mike Viscuso, Carbon Black CTO and co-founder.

Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More
Story image
Video: 10 Minute IT Jam – F-Secure talks APTs and the Lazarus Group
We spoke to F-Secure's director of detection and response, Matt Lawrence.More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Story image
SMBs seeking service providers in face of rising cyber threats
SMBs are struggling with their cybersecurity solutions, with three quarters worried about being the target of a cyberattack in the next six months, and 91% considering using or switching to a new IT service provider if offered a better option.More
Story image
Exabeam and Code42 partner up to launch insider threat solution
The solution will give customers a fuller picture of their environment, and will leverage automated incident response to obstruct insider threat before data loss occurs.More