Cyber Extortion Is No Way to Get Rich
Once upon a time, a regular hacker could make decent money in the world of ransomware, malicious software that locks up parts of a victim’s computer and demands payment to restore access.
Now those days are gone. I blame globalization.
Ransomware has only recently entered the public consciousness, thanks to the high-profile extortion of a Los Angeles hospital and breathless warnings from cyber-security companies. Yet its history goes back decades, to a quainter time of homemade attacks aimed at individual computers.
The first known incident involved an anthropologist who mailed 20,000 floppy diskettes labeled "AIDS Information" to the subscribers of multiple business journals and the delegates of an international AIDS conference. It was 1989, the height of the epidemic, and victims threw away everything they knew about safety to insert an unsolicited floppy with nary a virus scan. The files on their computer drives were then encrypted, with a message demanding that $189 or $378 be mailed to a PO Box in Panama. The perpetrator was quickly apprehended.
Floppy-disk attacks never caught on. The initial outlay was too large, and the chances of being traced too high. Even after the internet lowered distribution costs, ransomware remained a domain of one-off hacks. National differences and a fragmented payment system complicated cross-border extortion: American malware demanded payment in e-gold or MoneyPak; Europeans preferred Paysafecard; Russians wanted mobile phone credits.
The riskiest part of ransomware was always distribution, because it entails multiple points of contact with the victim: the infection attempt, the communication of the ransom demand, and the collection of payment.
The rise of a universal digital currency -- Bitcoin -- changed everything. Enterprising developers created ransomware-as-a-service, in which they license or sell their ransomware to operators. The operators then recruit affiliates to act as distribution partners all around the world. Affiliate networks specialize in local markets or modes of infection.
Ransomware aimed at Americans sometimes features a fake message from the FBI demanding a fine for viewing degenerate porn [1]. A Japanese variant shows a cartoon official politely requesting 4,000 yen in Bitcoin. For a country that adopts adorable prison mascots, I can see how this character might be compelling:
By working through affiliates in foreign jurisdictions, ransomware creators avoid prosecution by local authorities. Russian-made malware, for example, often exempts internet addresses in former Soviet republics.
Distributors handle the tough job of getting the malware onto victims’ computers. They do this through email attachments, ad networks, or compromised websites. Ransom payment goes to the operators, who transfer a commission of 50 percent to 70 percent to the distributor.
The new structure entails radically different economics. To turn a profit, an operator needs to attract a steady supply of distribution affiliates. Some offer incentives: Cerber, the largest ransomware network, offers affiliates a 5-percent payout boost for each new recruit [2]. The media also provide plenty of free advertising. Each fresh report of corporations making big ransom payments reinforces the notion that fortune lies in the bottomless pockets of private capital.
A recruitment ad:
Wow. I can see how it might be tempting for aspiring hackers to quit their day jobs (probably because they didn’t have one to begin with, but still). I, too, want to reallocate money by working from home!
Except those millions of dollars aren’t really there to be made. The Hollywood Presbyterian Medical Center paid only $17,000, not $3.6 million. That could still be an attractive prospect for a second-world hacker -- if you didn't have to multiply it by the near-zero odds of actually gaining control of a hospital computer system. In reality, most ransomware distributors don't make anything approaching a living wage.
A recent study of Cerber estimates that the operator does pretty well, earning $78,000 in the month of July. The average affiliate, by contrast, brought in $726 in revenue. From that, subtract operating expenses. The affiliate needs to buy an exploit kit -- a piece of software that probes a victim's machine for known security holes and delivers the malware through one of them. Before the ransomware payload can be delivered, it must pass through a crypter, which repackages the malware to get it past antivirus filters. Both exploit kits and crypters must be updated every few weeks to stay ahead of security researchers. Between tools of the trade and email spam campaigns, an attack can cost more than the expected income before a single ransom payment comes in [3].
Increasing ransom demands isn’t really a revenue-boosting option: Higher taxation leads only to lower collection rates. Worse, there's no guarantee that the revenue will keep coming. Ransomware groups disappear all the time. Last month, a benevolent hacker broke into the server of a German ransomware network and released their source code and decryption keys, which antivirus companies used to disable the ransomware. The hacker then invited the orphaned distributors to join his new affiliate network.
The cutthroat competition could be a sign that the market is near saturation. For all the reports of attacks on hospitals and financial institutions, the reality is that cybercriminals with dreams of striking it rich far outnumber vulnerable corporations. It's like a pyramid scheme, constantly sucking in gullible recruits to maintain the flow of money to the originators. Only in this case the Federal Trade Commission probably won’t be coming to the rescue.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
[1] In this case, the victim reportedly did possess child porn, and went to the local police station to turn himself in. Hint: The FBI never issues fines in bitcoin.
[2] This affiliate program even invites victims to join as a distribution partner after becoming infected. I can't imagine they get very good conversion rates through this channel, unless it's somehow like being jumped into a drug gang.
[3] Exploit kits cost $400 per month. Crypters start at $100 per month. Malicious email campaigns have a market rate of $10 for every million emails, via rented botnet. Email address databases go for $50 per million. Researchers estimate that spammers get one click per 2,000 outbound messages. Of the targets who download an email attachment, only a small subset are running a machine susceptible to the exploit kit (between 10 and 25 percent). Of those who download the exploit and have vulnerable software, only 0.3 percent pay the ransom. So if we assume a 25 percent exploitation rate among those who open the email attachment, the average distributor has spent $887 before seeing a dime.
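The funnel in this footnote (spam sent, attachment opened, exploit succeeds, ransom paid), as an added model that is not part of the original column. The prices and conversion rates are the ones quoted in the footnote; the 50 and 70 percent commission shares are the range quoted earlier in the column; the break-even ransom and the profit sweep are this example's own framing. With these inputs the fixed cost to one expected payment comes out to $660 at a 25 percent exploitation rate and $900 at 10 percent, so the column's $887 evidently folds in an assumption the footnote does not spell out; the point of the model is to make each assumption a visible parameter.

```python
"""Affiliate-side economics of a ransomware spam campaign.

Added illustration, not code from the column or from any ransomware
operation. Rates and prices come from footnote 3; commission shares
from the column body; everything else is this example's assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Funnel:
    click_rate: float = 1 / 2000    # clicks per outbound email
    exploit_rate: float = 0.25      # fraction of openers with vulnerable software
    pay_rate: float = 0.003         # fraction of exploited victims who pay


@dataclass(frozen=True)
class Costs:
    exploit_kit: float = 400.0          # per month
    crypter: float = 100.0              # per month
    spam_per_million: float = 10.0      # rented botnet, per million emails
    addresses_per_million: float = 50.0 # email address database, per million


def conversion_rate(f: Funnel) -> float:
    """Probability that one outbound email ends in a paid ransom."""
    return f.click_rate * f.exploit_rate * f.pay_rate


def emails_per_payment(f: Funnel) -> float:
    """Expected number of emails an affiliate must send per paying victim."""
    return 1.0 / conversion_rate(f)


def variable_cost(c: Costs, emails: float) -> float:
    """Spam delivery plus address list cost for a given volume."""
    return (emails / 1_000_000) * (c.spam_per_million + c.addresses_per_million)


def cost_to_first_payment(f: Funnel, c: Costs) -> float:
    """Tooling for the month plus enough spam to expect a single payment."""
    return c.exploit_kit + c.crypter + variable_cost(c, emails_per_payment(f))


def breakeven_ransom(f: Funnel, c: Costs, commission: float) -> float:
    """Ransom per victim at which the affiliate's share covers one expected payment."""
    return cost_to_first_payment(f, c) / commission


def campaign_profit(f: Funnel, c: Costs, emails: float,
                    ransom: float, commission: float) -> float:
    """Affiliate's expected profit for one month at a given spam volume."""
    expected_payments = emails * conversion_rate(f)
    revenue = expected_payments * ransom * commission
    return revenue - (c.exploit_kit + c.crypter + variable_cost(c, emails))


if __name__ == "__main__":
    costs = Costs()
    for rate in (0.10, 0.25):
        f = Funnel(exploit_rate=rate)
        print(f"exploitation {rate:.0%}: "
              f"{emails_per_payment(f):,.0f} emails per payment, "
              f"${cost_to_first_payment(f, costs):,.0f} to first payment, "
              f"break-even ransom ${breakeven_ransom(f, costs, 0.5):,.0f} at 50% / "
              f"${breakeven_ransom(f, costs, 0.7):,.0f} at 70%")
    # Assumed illustration values: a 5-million-email month at a $1,000 ransom.
    print("profit at 25% / 50% share:",
          round(campaign_profit(Funnel(), costs, 5_000_000, 1000.0, 0.5), 2))
```

The break-even figure is the one to watch: at the footnote's rates and a 50 percent share, the victim has to pay over $1,300 before a single month of tooling is covered, and the affiliate is exposed to the full cost up front while the operator takes a share of whatever trickles in.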
To contact the author of this story: Elaine Ou
To contact the editor responsible for this story: Mark Whitehouse