By Eric Howes, KnowBe4 Principal Lab Researcher.
As we have documented numerous times in this space over the past few years, the bad guys have proven to be relentless innovators, especially in the ransomware space.
Ransomware has quickly become the most successful cyber criminal business model for extracting value from compromised PCs. As a result, the ransomware space has attracted an increasing number of malicious parties as well as the development of new technologies and processes designed to extract the maximum value from ransomware victims.
Personalized Pricing
The latest process innovation in ransomware comes straight from the playbook of online retailers: price discrimination. For those unfamiliar with the term, Wikipedia provides a concise definition: Price discrimination is a microeconomic pricing strategy where identical or largely similar goods or services are transacted at different prices by the same provider in different markets.
In particular, the "differential pricing" strategy used involves the "practice of charging different prices to different buyers for the same quality and quantity of a product." When differential pricing is employed at the individual level, sellers are effectively setting the price for products and services based on the buyer's ability and willingness to pay (along with some other factors).
This kind of "personalized pricing" (also known as "one-to-one marketing") is driven by data on market conditions and, more importantly, individual buyers in those markets. A wealthy buyer with a strong need for a particular product or service can be charged a higher price than a less affluent buyer without such a strong need for the same product/service.
Market Research, Bad Guy Style
So, what are the bad guys selling these days? In the case of ransomware, they're selling your own data and files back to you. And where earlier variants of ransomware typically offered uniform pricing to victims (usually around $500 in Bitcoins), the bad guys are now starting to gather data on their targets before setting the ransom. And they're using malware to do it.
In a blog piece published two days ago, Kaspersky researchers lay out their dissection and analysis of Shade, a ransomware variant currently targeting victims in Russia and the rest of the CIS. Expect it in Europe and America soon.
Once on the PC, Shade begins scouting the target, looking for signs that it's landed on a machine used by someone with access to banking applications or financial accounts. If the malware determines that the victim PC does have such access, it pulls down a Teamviewer-based RAT (remote access trojan) to gather still more data on the victim organization's finances.
Put simply, the RAT is being used to determine the victim's ability to pay. Organizations flush with cash can expect to encounter a higher ransom demand once the encryption process concludes than organizations with fewer financial resources.
Of course, if the installed RAT can pull the right credentials to access the victim organization's financial accounts, the bad guys might elect to simply drain those accounts.
Ransomware: A Seller's Market
This kind of development is further evidence that sophisticated, malicious actors have seized on ransomware as a successful business model for criminal revenue generation and have settled in for the long haul.
The bad guys are aiming to get every advantage in making the market work for them. And when the market is your own data and files (to say nothing of your company's reputation and standing), you simply cannot afford to become an unlucky buyer.
Ransomware Hostage Rescue Manual
Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.
PS: Don't like to click on redirected buttons? Cut/Paste this link straight into your browser: