Finally, the victims themselves are a key reason for such maturity in the ransomware market. They keep paying to recover their files. In 2016, the FBI estimated that more than $1 billion USD in ransom payments were made. If such payments didn't happen, criminals would move on to other lucrative targets. Instead, ransomware is where the money is.
Organizations that lack backups or a sound recovery plan are often faced with a tough challenge once ransomware strikes – lose the files or give in and pay off the attacker. When Carbon Black asked participants in a recent study if they'd pay to recover files during a Ransomware incident, 52 percent said they would.
How the ransomware supply chains work
The ransomware market isn't too complex. It's like any other when you get down to its core. Ransomware developers create the product and then offer add-ons and support, so there is a need for strong code skills. The authors can sell direct exclusively, earning a higher payout as a result, but that limits their market reach. Instead, they often develop a base kit and sell that while pushing customization.
Another option is to develop the ransomware and the hosted environment needed to run campaigns and sell access that way, or ransomware as a service (RaaS).
With RaaS, the barrier to entry is cheap and few, if any, skills are required to operate a ransomware campaign. In fact, for a cut of the ransom payment (pre-determined before the campaign starts), most ransomware developers will provide some level of custom work and support.
There are two levels in RaaS, trusted or verified clients (those who have other confirmed criminals vouch for them) and general (bottom feeder) clients. Reputation matters. The better your reputation among fellow criminals, the more money you get to keep as the split on ransoms is smaller.
In addition, most RaaS offerings have extensive metrics so that campaigns can be graded of effectiveness and profit. In this setting, the ransomware author has the most protection, as the distributor assumes most of the risk.
Stopping ransomware and killing the market
"The silver lining when it comes to breaking the ransomware supply chain is that defenders have an inherent advantage. If defenders can break or interrupt even one link of the chain, the entire attack falls apart," Carbon Black's report explained.
"Taking down distributors and operators is chasing the tail of the problem. To begin to put a dent in the underground ransomware economy, efforts should be enacted to disrupt the supply chain upstream and change the incentive for malware authors. By decreasing the ROI for attackers, defenders can decrease the financial incentive for the crime."
Sign up for CIO Asia eNewsletters.