Is Being a Ransomware Affiliate Profitable? The Math Says it is!



Ransomware Affiliate ProfitWhile plenty of industry data and new stories confirm ransomware gangs are raking in tens-to-hundreds of thousands per successful attack, is the business of ransomware profitable?

All we ever hear about cybercriminal gangs is the “glamorous” part of their work - where they compromise an organization’s network, hold much of it for ransom, and are paid a sum of money to make it all go away. But having worked in the software space for decades, I can tell you there are a lot of costs that go into building a commercially-ready piece of software that’s bug free and works consistently as expected. And, don’t forget to add in the affiliate fees (which is estimated to average around 75% of the ransom collected). All these costs can get pretty hefty, despite how much the ransom paid is.

Even when we consider how much ransomware gangs are taking in on each attack ($136K on average, according to Coveware), it begs the question...is ransomware as a legitimate business profitable?

AI Researcher Erik Galinkin over at Rapid7 has does some math playing with ransomware probabilities where he uses the following formula (which I’ve augmented a bit):

[P (Payment Success) * P (Attack Success) * Ransom Amount] – Cost = Profit

P represents the relevant corresponding probability of attack and payment success (as not every attack attempt will compromise a network, let alone see a ransom paid).

I’d further suggest putting this calculation into an As-a-Service model, where we look at this from the perspective of an affiliate, yielding the following:

(Affiliate % * P (Payment Success) * P (Attack Success) * Ransom Amount] – Costs = Affiliate Profit per attack

He goes on to cite stats that estimate the probability of payment at 56% and attack success at 54%. I’d add that the average affiliate fee of 75%. Plugging this into the calculation, we get:

(.75 *.56 * .54* 136,000] – Costs = Affiliate Profit per attack

Simplifying this we get:

$30,844 – Costs = Affiliate Profit per attack

So, what are the costs an affiliate incurs? There are costs around performing necessary diligence to identify and target specific companies and individuals within, potentially coding the emails to look legitimate, time spent in negotiation with the victim, and in some cases, all of the “normal” costs of doing business including rent, computers, benefits, etc.

While it’s impossible to put an estimate to those costs, it’s evident that the higher the number of successful attacks, the more profit the affiliate makes.

Galinkin goes on to make a really good point that applies to both affiliates and “direct-to-consumer” ransomware gangs:

The more difficult you can make it for an attack to be successful, the lower the probability of successful attack, the lower the likelihood of a paid ransom – and in the spirit of the calculation, which looks at the value of an attack over a multitude of attacks, the lower the average profit per attack.

So, what can you do to reduce that probability of a successful ransomware attack? The industry data is clear on this, for the last few years: ransomware comes in either via vulnerability, RDP, or phishing. A mature vulnerability management program in place reduces the first attack vector’s success rate, killing externally-accessible RDP does so for the second, and educating users via continual Security Awareness Training demolishes the chances of the third.

Are ransomware gangs and their affiliates profitable – most certainly. Think you can’t stop them? You can - just do the math.


Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 21 types of infection scenarios
  • Just download the install and run it 
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/ransomware-simulator

Topics: Ransomware

Subscribe To Our Blog


Cybersecurity Awareness Month Resource Kit




Get the latest about social engineering

Subscribe to CyberheistNews