While plenty of industry data and news stories confirm that ransomware gangs are raking in tens to hundreds of thousands of dollars per successful attack, is the business of ransomware actually profitable?
All we ever hear about cybercriminal gangs is the “glamorous” part of their work: compromising an organization’s network, holding much of it for ransom, and being paid a sum of money to make it all go away. But having worked in the software space for decades, I can tell you there are a lot of costs that go into building a commercially-ready piece of software that is bug free and works consistently as expected. And don’t forget to add in the affiliate fees (estimated to average around 75% of the ransom collected). All these costs can get pretty hefty, regardless of how large the ransom is.
Even when we consider how much ransomware gangs are taking in on each attack ($136K on average, according to Coveware), it raises the question: is ransomware, treated as a legitimate business, profitable?
AI Researcher Erik Galinkin over at Rapid7 has done some math on ransomware probabilities, using the following formula (which I’ve augmented a bit):
[P (Payment Success) * P (Attack Success) * Ransom Amount] – Cost = Profit
P represents the corresponding probability of attack success and payment success (not every attack attempt will compromise a network, let alone see a ransom paid).
I’d further suggest putting this calculation into an As-a-Service model, where we look at this from the perspective of an affiliate, yielding the following:
[Affiliate % * P (Payment Success) * P (Attack Success) * Ransom Amount] – Costs = Affiliate Profit per attack
He goes on to cite stats that estimate the probability of payment at 56% and attack success at 54%. I’d add the average affiliate fee of 75%. Plugging this into the calculation, we get:
[.75 * .56 * .54 * 136,000] – Costs = Affiliate Profit per attack
Simplifying this we get:
About $30,845 – Costs = Affiliate Profit per attack
So, what are the costs an affiliate incurs? There are costs around performing the diligence needed to identify target companies and the right individuals within them, crafting phishing emails that look legitimate, time spent negotiating with the victim, and in some cases all of the “normal” costs of doing business, including rent, computers, benefits, etc.
While it’s hard to put a number on those costs, it’s evident that the more successful attacks an affiliate pulls off, the more those largely fixed costs are spread out and the more profit the affiliate makes.
Galinkin goes on to make a really good point that applies to both affiliates and “direct-to-consumer” ransomware gangs:
The more difficult you make it for an attack to succeed, the lower the probability of a successful attack, and therefore the lower the likelihood of a paid ransom. In the spirit of the calculation, which looks at the value of an attack averaged over a multitude of attacks, that means a lower average profit per attack.
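To make the arithmetic above concrete, here is the expected-value model written out as code, with the affiliate/operator split from the As-a-Service version of the formula and a break-even calculation that shows the point Galinkin makes about driving down P(Attack Success). This is an added example, not code from the post or from Rapid7. The probabilities, average ransom and 75% affiliate share are the post’s figures; the fixed-cost and per-attempt cost numbers are constructed placeholders, since the post does not put a number on them.

```python
"""Expected-value model of ransomware economics.

Formula from the post:
    [P(Payment Success) * P(Attack Success) * Ransom] - Costs = Profit
Affiliate version:
    [Affiliate % * P(pay) * P(success) * Ransom] - Costs = Affiliate Profit
"""
from dataclasses import dataclass, replace
from typing import Optional
import math


@dataclass(frozen=True)
class AttackModel:
    p_attack_success: float  # chance one attempt compromises the network
    p_payment: float         # chance a compromised victim pays
    ransom: float            # average ransom collected when they do pay
    affiliate_share: float   # fraction of the ransom the affiliate keeps


# Figures quoted in the post: 54% attack success, 56% payment,
# $136K average ransom (Coveware), 75% affiliate share.
POST_FIGURES = AttackModel(
    p_attack_success=0.54, p_payment=0.56, ransom=136_000, affiliate_share=0.75
)


def expected_gross(m: AttackModel) -> float:
    """Expected ransom revenue per attempt, before costs, for the whole
    operation (operator plus affiliate)."""
    return m.p_attack_success * m.p_payment * m.ransom


def expected_affiliate_gross(m: AttackModel) -> float:
    """The affiliate's expected cut of one attempt."""
    return m.affiliate_share * expected_gross(m)


def expected_operator_gross(m: AttackModel) -> float:
    """The RaaS operator's expected cut of one attempt."""
    return (1.0 - m.affiliate_share) * expected_gross(m)


def affiliate_profit(m: AttackModel, cost_per_attempt: float) -> float:
    """Affiliate profit per attempt once variable costs (recon, lures,
    negotiation time) are subtracted. cost_per_attempt is a placeholder."""
    return expected_affiliate_gross(m) - cost_per_attempt


def breakeven_attempts(m: AttackModel, fixed_costs: float,
                       cost_per_attempt: float) -> Optional[int]:
    """Number of attempts before expected revenue covers fixed costs
    (rent, hardware, salaries) plus per-attempt costs. None if the
    margin per attempt is not positive, i.e. the business never pays off."""
    margin = affiliate_profit(m, cost_per_attempt)
    if margin <= 0:
        return None
    return math.ceil(fixed_costs / margin)


def with_attack_success(m: AttackModel, p: float) -> AttackModel:
    """Same operation, but defenders have changed P(Attack Success)."""
    return replace(m, p_attack_success=p)


def main() -> None:
    fixed, per_attempt = 100_000.0, 5_000.0  # constructed placeholder costs
    print(f"gross/attempt:     ${expected_gross(POST_FIGURES):,.0f}")
    print(f"affiliate/attempt: ${expected_affiliate_gross(POST_FIGURES):,.0f}")
    print(f"operator/attempt:  ${expected_operator_gross(POST_FIGURES):,.0f}")
    # Sensitivity: what happens to the affiliate as defenses harden.
    for p in (0.54, 0.40, 0.27, 0.10, 0.05):
        m = with_attack_success(POST_FIGURES, p)
        be = breakeven_attempts(m, fixed, per_attempt)
        print(f"P(success)={p:.2f}  profit/attempt=${affiliate_profit(m, per_attempt):>9,.0f}"
              f"  attempts to break even: {be if be is not None else 'never'}")


if __name__ == "__main__":
    main()
```

Running it reproduces the post’s $30,845 affiliate figure and shows that the operator still clears about $10,282 per attempt while taking none of the per-attack risk. Dropping P(Attack Success) from 54% to 27% more than doubles the number of attempts the affiliate needs just to cover the placeholder fixed costs, and at 5% the margin goes negative, which is the “do the math” argument in numbers.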
So, what can you do to reduce the probability of a successful ransomware attack? The industry data has been clear on this for the last few years: ransomware comes in via exploited vulnerabilities, exposed RDP, or phishing. A mature vulnerability management program reduces the success rate of the first vector, removing externally-accessible RDP (or putting it behind a VPN with MFA) does so for the second, and continual Security Awareness Training cuts down the chances of the third.
Are ransomware gangs and their affiliates profitable? Most certainly. Think you can’t stop them? You can. Just do the math.