Ransomware industry has been constantly evolving. According to the statistics, the marketplace has grown by a 2,502% over the past year. This is the amount of money which hackers have spent on ransomware software.
Security experts from Carbon Black observed 21 of the largest dark web marketplaces trading ransomware (out of an estimated 6,300+ dark web marketplaces doing so) during August and September, this year.
According to more than 45,000 listings, the prices range from Android lockscreen ransomware for $1.00 to custom code for more than $1000. At the same time, the median cost of a ransomware offering is only $10.50.
The FBI statistics shows that last year, the ransom payments were around $1 billion dollars; up from $24 million in 2015.
The Carbon Black’s research reads that ransomware developers can expect to earn approximately $100,000 (tax free) per annum. This compares to an average salary of $69,000 (before tax) for legitimate software developers. In many European countries where much malware is thought to be developed, the difference is even greater.
This year, ransomware sales on the dark web have increased from less then $400,000 in 2016 to approximately $6.25 million in 2017.
“The underground ransomware economy is now an industry that resembles commercial software — complete with development, support, distribution, quality assurance and even help desks,” the report reads.
The truth is that ransomware industry is growing because it is profitable. For that reason, dismantling the industry must concentrate on removing this profitability.
The Carbon Black team describes the industry as having a five-point supply chain: creation, distribution, encryption, payment and command and control.
“If defenders can break or interrupt even one link of the chain,” it suggests, “the entire attack falls apart.”
While young coders are unable to find legitimate jobs, and can earn attractive sums through developing ransomware, disrupting the creation will be impossible. Distribution disruption is equally difficult when the marketplace can be hidden within the dark web.
Encryption is similarly impossible to control — powerful encryption systems are readily available in the public domain. Payment is the weakest link. In the supply chain it is the collection and tracking of ransoms paid — but if no ransom is paid, then the entire industry will collapse.
“We need to STOP paying ransoms”, the report states. “The system only works if victims choose to pay. Until people decide not to pay, this problem will only continue to grow.”
By now, ransomware has largely been in the hands of relatively unskilled coders; sophistication has not been necessary. According to Carbon Black, this is changing.
To a certain extent the signs of change are already visible: WannaCry and NotPetya are examples. In the former, the ransomware was unsophisticated while in the latter decryption was never intended. However, the distribution of the ransomware via leaked NSA exploits was a new development.
Carbon Black describes this use of ransomware as a false flag. A closely related new development it expects will be the malware’s use as a smokescreen.
“Using already existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated.”
This happens because the ransomware industry evolves. One effect of paying a ransom is that it tells the attackers that the victim can be coerced. Considering this fact, the Carbon Black experts hope to see more sophisticated developers employing more advanced techniques to remain on the victim’s network after decryption — so that they can extort a second time.
