Considering that most cybercrime is financially motivated, tactics will evolve that streamline the route from compromise to cashout. Reselling stolen assets is reliable, but it’s far from the only way to turn a profit.
This article is the fifth in a series summarizing the findings of our new report:
Today, we’re examining the modern cybercriminal's best friend—ransomware—and how it has revolutionized the economics of cybercrime.
The Economics of Ransomware
In 2021, Erick Galinkin, a Rapid7 researcher, published an academic study titled “Winning the Ransomware Lottery: A Game-Theoretic Approach to Preventing Ransomware Attacks.” In it, he provides a mathematical analysis of the ransomware business model that goes a long way toward explaining its meteoric rise.
A typical ransomware attack relies on four things: access, commodity malware, an exploit kit, and vulnerable services (e.g., RDP). According to Deloitte research, each of these requirements can be purchased at a relatively low cost:
- $0.50 - $3,000 (median $10.50)
- $3 - $4,000 (highest average monthly cost $800)
- Initial access (usually credentials): $70 - $400 per 1,000 machines
Based on these costs, Galinkin estimates the cost of a ransomware attack using the highest values for each requirement: $3,000 + $400 + $800 = $4,200. He also assumes, based on Sophos research, that only 54% of ransomware attacks successfully encrypt data.*
Based on his calculations, Galinkin suggests the minimum ransom an attacker must demand to remain profitable is $13,888.89. However, the average payout is estimated at between $170,404 and $312,493, roughly 12-22X the viable amount.
This highlights why ransomware is so popular with cybercriminals. Not only does it cut out the need to monetize stolen assets via resale, but attackers can also easily buy everything needed to conduct the attack. And, right now, the numbers are stacked very comfortably in their favor. Until something happens to change the equation—Galinkin suggests reducing victims’ willingness to pay ransoms is the realistic option—we can expect to see a continued rise in the frequency and professionalism of ransomware attacks.
* This figure rose to 65% in the 2022 report, stacking the odds even more heavily in cybercriminals’ favor.
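To make the break-even reasoning above concrete, here is an added expected-value model (not code from the article or from Galinkin's paper) that takes the page's cost and encryption-success figures as inputs and adds one assumed parameter, the share of victims who pay. Because it omits the paper's fuller cost model, its break-even ransom is lower than the $13,888.89 quoted above; what it shows is how far the payment rate would have to fall before the cited average payouts stop being profitable.

```python
"""Simplified ransomware-profitability model (added illustration, not Galinkin's published model)."""

# Attack cost using the page's highest value for each requirement: $3,000 + $400 + $800.
ATTACK_COST_USD = 3_000 + 400 + 800  # = 4,200

P_ENCRYPT_2021 = 0.54  # share of attacks that successfully encrypt data (Sophos figure cited on the page)
P_ENCRYPT_2022 = 0.65  # updated figure from the page's footnote
AVG_PAYOUT_RANGE_USD = (170_404, 312_493)  # estimated average payout range quoted on the page


def expected_profit(ransom, p_encrypt, p_pay, cost=ATTACK_COST_USD):
    """Attacker's expected profit for one attack.

    A payout only happens if encryption succeeds AND the victim pays; the
    payment rate p_pay is an assumed parameter, not a figure from the page.
    """
    return p_encrypt * p_pay * ransom - cost


def break_even_ransom(p_encrypt, p_pay, cost=ATTACK_COST_USD):
    """Smallest ransom at which expected profit is zero under this model."""
    return cost / (p_encrypt * p_pay)


def max_pay_rate_for_loss(ransom, p_encrypt, cost=ATTACK_COST_USD):
    """Highest victim payment rate at which a given ransom still loses money.

    This is the lever the page highlights (reducing willingness to pay): if the
    actual payment rate is above this value, the campaign is profitable.
    """
    return cost / (p_encrypt * ransom)


def sensitivity_table(p_encrypt, pay_rates, cost=ATTACK_COST_USD):
    """(payment rate, break-even ransom) pairs, to see how the threshold moves."""
    return [(p, round(break_even_ransom(p_encrypt, p, cost), 2)) for p in pay_rates]


if __name__ == "__main__":
    low, high = AVG_PAYOUT_RANGE_USD
    for p_enc in (P_ENCRYPT_2021, P_ENCRYPT_2022):
        print(f"p_encrypt={p_enc}: break-even ransom if everyone pays = "
              f"${break_even_ransom(p_enc, 1.0):,.2f}")
        print(f"  payment rate must drop below {max_pay_rate_for_loss(low, p_enc):.1%} "
              f"for a ${low:,} ransom to lose money")
    print(sensitivity_table(P_ENCRYPT_2021, [1.0, 0.5, 0.25, 0.1]))
```

Even at the low end of the quoted payout range, the payment rate has to fall below roughly 5% before the attack loses money, which is why the page treats willingness to pay as the decisive variable.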
While it’s fair to say ransomware is enjoying its heyday, it’s important to understand that (in the Data Breach Investigations Report's words) it’s just another way to monetize access.
It works extremely well, particularly in flat networks that don’t effectively prevent lateral movement (*cough* like Colonial Pipeline and the UK NHS). It also has the added bonus of a built-in monetization strategy that doesn’t require reselling data. This makes it effective even when compromised systems don’t contain data with external value but which an organization needs to operate.
In this sense, ransomware is a predictable extension of a typical cybercriminal group’s objective—to make money in the easiest and most reliable way possible. From a cybercriminal’s perspective, then, ransomware is just another way to get paid for “work”.
This is an important point to understand. Most cybersecurity discussion understandably focuses on protecting sensitive assets and data. However, the truest deterrent for cybercriminals is taking away their ability to turn a profit reliably. For a typical organization—which naturally doesn’t have control over whether other organizations choose to pay ransoms—this most likely involves aiming to become more resilient to monetizable threats than similar targets.
Get the Full Cybercrime Story
A cybercrime report could be anything from one page to a hundred pages long. As simple as saying, “Cybercriminals go where the money is,” or as complicated as digital forensics and malware analysis.
In our new report, we’ve striven for a happy medium that gives insight into current, past, and possible future cybercrime trends without getting bogged down in unnecessary details. We’ve also included the most important steps to protect against cybercrime over the next decade.
Download the report to learn:
- Why cybercriminals have moved away from payment card data and towards credentials and PII.
- Why hacktivism and grudge attacks have dropped significantly, and what’s replaced them.
- Where cybercrime will definitely go over the next few years—plus longer-term predictions from industry veterans Dr. Zero Trust (Chase Cunningham) and Dan Schaupner.
May 30, 2023