Ransomware operators can make a tidy living without much technical expertise or legwork.

Sara Peters, Senior Editor

November 4, 2014

Good news, everyone: it's getting easier to pay ransoms. Bad news: it's getting easier to run ransomware campaigns.

Although CryptoLocker -- the biggest, baddest ransomware of them all -- was largely taken down by the sting that disrupted the Gameover Zeus botnet in June, there are many other ransomware schemes taking its place, including CryptoWall, TorrentLocker, Simplocker, and Koler.

The infection vectors are expanding -- Koler spreads through SMS text messages and CryptoWall uses malvertising -- but email phishing messages are still the most common method of ransomware distribution. The techniques don't need to be too sophisticated, because the attacks are not targeted.

"It's a numbers game," says Joram Borenstein, vice president of marketing for NICE Actimize. Ransomware is not generally being used by nation-states, he says. It's generally just used to make money.

Ben Johnson, chief security strategist for Bit9 and Carbon Black, adds that the attackers are not distinguishing between a corporate user and a home user, or a rich person and a poor person. An email address is an email address, a device is a device. The more devices they infect, the more ransoms they collect, the better.

Managing relationships with so many victims could be quite a lot of work -- not just infecting a system, but issuing the ransom request, accepting payment, returning or decrypting stolen files, and all the "customer" service communications required in between. Yet, ransomware operators don't have that problem now.

"They set up these [automated] infrastructures," says Johnson, so the entire process, from infection to cash-out to decryption, might be carried out and "maybe there was never a human involved."

The ransomware underground is becoming more of a business. Malware authors issue better software with regular updates. Anonymity services get wrapped into the offerings. Cash-out mechanisms are simpler. Even the ransoms themselves are simple. Operators identify a good price point -- one that's high enough to be worthwhile, but not so high that an average home user won't pay it -- and charge everyone the same. The logistics of operating a ransomware scheme are not too challenging anymore.

"The threshold to become a cybercriminal who wants to run a ransomware campaign has been dropping," says Borenstein, "both in terms of price... and the technical capabilities required."

"The lower the bar gets," says Johnson, "the more people who can pick up the baton and run with it."

But making things easy for the operator is only one half of the ransomware business model; the other half is making things easy for the victims.

While Bitcoin is the main go-to currency for ransoms -- largely because of the anonymity it provides -- some criminals are providing victims with a wider variety of payment options, including PayPal, wire transfers, MoneyPak, Ukash, and paysafecard.

Johnson says that some criminals will even provide tech support to victims who have paid their ransom but have not been able to recover access to their systems and files.

On the other hand, there are some cases in which people promptly pay the ransom and never get their stuff back. Yet, both Johnson and Borenstein say that is not the norm.

If the ransomware operators don't hand over the decryption key, says Johnson, "it's a macro-economic gamble on their part." If enough people pay and get nothing in return, nobody will continue paying at all.

"For the most part criminals tend to keep their word," says Borenstein. However, what worries him is "just because the machine or information has been decrypted, it doesn't mean that the crumbs aren't still lying around. Is that device still infected... and is that going to be used for another attack later?"

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.
