Advanced ransomware—malicious software designed to take control of a computer system and hold it hostage until the victims pay for its release—is one of the fastest-growing areas of cybercrime. Another closely related threat is cyberextortion, where attackers threaten to cause harm to a company by releasing sensitive information to the public or sustaining distributed denial-of-service attacks and demanding payment to stop.
The Appeal of Ransomware: High Payoff, Low Risk
From an attacker’s perspective, advanced ransomware is highly lucrative and relatively risk-free. According to CNN Money, these criminal campaigns collected an estimated $209 million in the first quarter of 2016 alone. To get an appreciation for this reality, let’s look at the payoff from a single ransomware campaign using findings from recent reports.
Assume, for instance, that a cybercriminal is targeting consumers and mounts an advanced ransomware campaign in which 1 million users are exposed to a fateful decision: to click or not to click. To be clear, this means several multiples of this number were launched—these are temptations that have successfully run the gauntlet of email security, Web security, and other preventive controls.
From this point, a simple Monte Carlo model quantifies the payoff from such a campaign:
- The probability of successful ransomware infection is between 0 percent and 10 percent, with a most likely value of around 4 percent.
- The victim’s willingness to pay ransom to recover his or her data is between 30 percent and 60 percent, with a most likely value of around 45 percent. Presumably, these users do not have a current backup of their valued data.
- The amount of ransom that victims are willing to pay is between $200 and $600, with a most likely value of around $300. Unsurprisingly, the Bitdefender study found that consumers place the highest value on their personal documents and photos and a lower value on work-related documents.
Using these assumptions, the math yields the following insights:
- The median payoff for an advanced ransomware campaign is about $6 million.
- The attacker has a 90 percent likelihood of a payoff greater than $2.5 million and a 10 percent likelihood of a payoff greater than $10.5 million.
These findings can be seen in the following chart—combine this level of return with the significant reduction in risk provided by the use of Bitcoin for payment, and it’s easy to understand the growth in this criminal activity:
The Value of an Advanced Ransomware Campaign
Corporate Ransomware Attacks
In a corporate scenario, the analysis is a bit more complex. For one, the impact of a data breach can be significantly higher. Strategic factors regarding policies on negotiating with bad actors also come into play—companies must consider the likelihood that attackers will renege on the bargain as well as the chance that compliance will encourage attackers to commit repeat offenses.
In many ways, this is an example of the decision-making scenario known as the “Prisoner’s Dilemma,” in which the optimal strategy is for the attackers to cooperate—to live up to their end of the bargain in exchange for payment—if they want to run campaigns repeatedly. To renege would be to damage their reputation, which would result in a higher percentage of future victims refusing to pay.
In addition to the most obvious step—diligent backup and recovery processes for enterprise data—organizations can prepare for advanced ransomware and cyberextortion attacks by focusing on the foundational capabilities of protection, combined with rapid threat detection and incident response.