The economics of ransomware

Long gone are the days of the full-stack cybercriminal sole proprietor, or as Hollywood would say the “lone hacker.”

Today, organizations face not just individuals or small, unorganized criminal gangs phishing for random victims and conducting virtual smash-and-grabs, but an entire cybercriminal industrial complex buoyed by thriving darknet marketplaces peddling criminal-to-criminal products and services. A shadow global economy has emerged, complete with verticalized supply chains and skill specialization, all of which are simultaneously normalizing and commoditizing cybercrime, making attacks cheaper, easier, and more numerous. Its engine of growth is ransomware.

Ransomware originally began as a nuisance cybercrime more akin to a virtual pickpocket than the alarming national security threat that it is today. Back then, it was sheer volume, not sophistication, that was the key to success for cybercriminals who sent out thousands upon thousands of generic and low-quality phishing emails hoping to lure a small percentage of us into clicking on a malicious link.

For the few who did click, rogue code would immediately encrypt the files on their computer and lock up their system, accompanied by a splash screen demanding a standard ransom amount. It was essentially a low-margin retail operation with limited ability to scale. And all of this could theoretically be defeated by simple anti-virus technologies (assuming they were installed and kept updated) and fundamental security awareness because the basic economics of ransomware at scale essentially still favoured the defender.

Today, however, the ransomware racket has evolved beyond its consumer-focused roots to become a low-cost, high-margin, immensely scalable and automated cybercriminal business model with very low barriers to entry and incredible ill-gotten profits to be made. The tools, techniques and procedures have also become much more sophisticated, and cybercriminals are increasingly targeting businesses, government agencies, and critical infrastructure victims to maximize profits.

Ransomware gangs now act more like professional intelligence operations than their common criminal predecessors. Once they gain access, rather than immediately mounting an attack, they perform detailed research on their target victims including reviewing financial documents and insurance policies to determine an optimal ransom demand and then use exfiltrated data as extra leverage or for additional extortion opportunities and profits.

While the complexity of ransomware attacks has increased, the associated costs and barriers to entry have actually fallen to next to nothing. Today, an aspiring cyber-criminal mastermind whose lack of technical skills is holding them back can simply tap into the booming criminal-to-criminal market where the average price of a compromised PC is only $0.13 to $0.89 and passwords are a steal (pardon the pun) at just $0.97 per 1,000 or $450 for a bulk purchase of 400 million, as detailed in our latest Microsoft Digital Defense Report.

Ransomware has become so easy and so lucrative that many cybercriminal gangs now operate with budgets similar in size to that of nation states.

Some are even rumoured to be so flush with cash that they are acting as illicit venture capitalists, investing in new cybercriminal startups and business models.

So, what is the best way to stop ransomware? Its success is driven by economics that favour the attacker, therefore the best way to stop it is to change the economics.

A great place to start for any organization is by implementing Zero Trust, which is a security strategy that has gained considerable adoption and momentum since the start of the COVID-19 pandemic and can be implemented rapidly and effectively leveraging cloud-based platforms along with proven frameworks and maturity models.

It includes three main principles:

Verify explicitly: Make it harder and more expensive for cybercriminals to get in by always authenticating and authorizing based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.

Use least privileged access: Limit cybercriminal returns by restricting user access with just-in-time and just-enough-access. Apply and enforce risk-based adaptive polices and data protection to help secure both data and productivity.

Assume breach: If and when cybercriminals do get in, minimize the damage they can do by segmenting access and verifying end-to-end encryption as well as using analytics to provide better visibility, drive threat detection and improve defences.

Implementing a Zero Trust strategy immediately begins to impact cybercriminals where it hurts the most — their own bottom lines. When augmented by a highly skilled and aptly trained security team as well as a cyber-aware leadership and a cyber-vigilant workforce, a Zero Trust strategy can significantly increase the security posture of an organization, making it more difficult, time-consuming and expensive for an attacker to attempt a breach.

As more and more organizations begin to adopt this model, the pickings become slimmer and slimmer for cybercriminals which in turn begins to change the fundamental economics of cybercrime to favour the defender once again.

Kevin Magee is chief security and compliance officer at Microsoft Canada (www.microsoft.ca).