
How does ransomware work? Understanding the economics

Paul Rubens | July 28, 2017
Operating ransomware is a business. Deciding whether to pay a ransom should be a business decision too.


The WannaCry ransomware exploded onto the scene in mid-May, bringing computer systems in organizations as diverse as FedEx and the U.K.'s National Health Service to a grinding halt. There's no indication that its authors targeted these organizations specifically: the malware will happily infect any vulnerable computer system it comes across in order to hold the data stored on it to ransom.

In other words, WannaCry is an unscrupulous money-making tool, and its purpose is to make whoever is behind it rich. Operating a piece of ransomware like WannaCry is really just a business. An illegal business, but a business nonetheless.

The purpose of any business is to maximize profits, and to do that it is important to charge the right price. When it comes to ransomware, the amount demanded as a ransom is effectively the price. The dilemma for the criminal behind the ransomware is whether to set the ransom relatively low in the hope that a large number of victims will pay up, or to set it much higher to get a smaller number of big payments. Which pricing strategy yields higher revenues depends on what economists call the price elasticity of demand.

It turns out that the average ransom demanded is about $700, although in about 20 percent of cases the ransom may be as high as $1300, according to research carried out by security software vendor Trend Micro. "If you look at the demands they are relatively low — they are in the ballpark of what people can afford to pay," says Bharat Mistry, a Trend Micro cybersecurity consultant. That would suggest that ransomware criminals believe the price elasticity of demand is relatively high: a small increase in the ransom demanded would lead to a much greater fall in the number of people willing or able to pay it, resulting in less overall profit.

But the fact that there is such a variation between the average and the highest ransom demands suggests that ransomware criminals are still testing the market to see what level of ransom produces the highest profit. It may even be that some criminals are carrying out A/B tests, sending out variants of the same ransomware that differ only in the ransom demanded, in order to establish the ransom that maximizes profits.

It hasn't been proven that ransomware criminals are engaging in this type of behavior, but they are certainly using other established business practices to maximize profits. For example, Recorded Future, a threat intelligence company based in Massachusetts, recently discovered a piece of ransomware called Fatboy that alters the ransom demanded based on the geographic location of the victim's machine. It uses The Economist's Big Mac Index, which measures the purchasing power parity between two currencies, to try to ensure that the ransom is "affordable".
