"Ransomware is the Walmart of cybercrime. They just have decided to automate the whole process," Sjouwerman says. "And they are massively phishing as many email addresses and companies as they possibly can. For them, they have figured out that the business model is: some people will have backups, some people won't. Of the people that don't, it has to be a no-brainer."
The cybercriminals behind these attacks are concerned with maximizing the likelihood of their victims paying the ransom. Theoretically, they could increase the payout for cases where they've encrypted more valuable data. But the key is to make sure victims pay up, and keeping the price within a reasonable range increases the chances that more of them will.
Honor among thieves
Along these lines, many of the people behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom payments and leaving victims alone once the exchange has been made. In December, Sjouwerman told CSO about a new strain of ransomware called OphionLocker that was designed to recognize the devices it had infected in the past so that it doesn't hit the same victims repeatedly. And in his experience working with ransomware victims, Sjouwerman says every victim that has paid the required ransom amount did receive their decryption key, most of them within an hour of sending the payment.
The objective is to make the decision as easy as possible for ransomware victims -- if they pay up, they will receive access to their files and can put the entire ordeal behind them. "If they are not prepared and they are hit, most of them will pay," Sjouwerman says.
So it's not much of a surprise that ransomware has grown so rapidly since CryptoLocker, the now-defunct ransomware strain that brought this model to the internet, was released in September 2013. Symantec estimated in September (PDF) that CryptoLocker-style ransomware grew 700% in 2014. McAfee recently reported (PDF) a 155% growth of ransomware in the fourth quarter of 2014.
The IT security community may advise against paying the ransom as a means of removing the incentive for cybercriminals to engage in this kind of scam. But that is usually the last thing on the minds of IT decision makers who just want to get their files back and get back to work. An organization that faces losing weeks' or months' worth of data can write off the expense as a learning experience.
"This is in jest and more ironic than anything else, but you almost have to be grateful to the Eastern European cyber mafia to send you a social engineering audit that tests both your employees and your IT department for being click-happy, and also if best practices are being implemented or done," Sjouwerman says. "It's a really cheap audit, for $500."