Try A 1,425 Per Cent Profit Margin
Figures from infosec firm Trustwave show the blackhats who are enjoying what appears to be a current boom can score outrageous amounts of money by using off-the-shelf exploit kits to deliver ransomware, trojans, and ad stealers to victims.
"We're showing what the motivation for and value of a cybercrime is," says Charles Henderson, vice president of managed security testing at Trustwave. "To my mind, if you're going to defend against cybercrime, you need to understand" the attackers' motivation.
Trustwave's report is based on a study of the black market cybercrime economy and direct investigations of 574 data breaches across 15 countries in 2014.
Trustwave calculated the ransomware ROI based on the following:
- Costs of a ransomware payload (CTB Locker in this example), infection vector (RIG exploit kit, which was most common), camouflaging services (encryption), and traffic (20,000 visitors) totaled $5,900 per month.
- Earnings for a 30-day campaign, assuming a 10 percent infection rate, a payout rate of 0.5 percent, and a $300 ransom, would total $90,000.
- That's a profit of $84,100 and an ROI of 1,425 percent.
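The arithmetic behind those three bullets is worth spelling out, because the $90,000 figure only falls out if the 20,000 visitors are a daily figure spread over the 30-day campaign (20,000 x 30 x 10% x 0.5% x $300 = $90,000; a flat 20,000 visitors would yield just $3,000). The model below is an added example written for this article, not Trustwave's own calculator, and it treats the per-day reading as an inference from the report's stated totals. The defender "levers" are hypothetical what-if reductions, not figures from the report: they show how attacker ROI moves when patching cuts the infection rate or working backups cut the payout rate.

```python
"""Ransomware campaign economics as a small, defender-side what-if model.

Added example for this article; not code from Trustwave or its report.
Assumption: the report's "20,000 visitors" is per day, since only
20,000 * 30 days reproduces the stated $90,000 in earnings.
"""

# Trustwave's example campaign, restated as model inputs.
TRUSTWAVE_CASE = {
    "visitors_per_day": 20_000,   # inferred per-day reading of "20,000 visitors"
    "days": 30,                   # 30-day campaign
    "infection_rate": 0.10,       # 10 percent of visitors infected by RIG
    "payout_rate": 0.005,         # 0.5 percent of infected victims pay
    "ransom": 300,                # $300 average ransom
    "monthly_cost": 5_900,        # payload + exploit kit + crypting + traffic
}


def campaign_economics(visitors_per_day, days, infection_rate, payout_rate,
                       ransom, monthly_cost):
    """Return the funnel and the attacker's profit / ROI for one campaign."""
    visitors = visitors_per_day * days
    infected = visitors * infection_rate
    payers = infected * payout_rate
    earnings = payers * ransom
    profit = earnings - monthly_cost
    roi_pct = profit / monthly_cost * 100
    return {
        "visitors": visitors,
        "infected": infected,
        "payers": payers,
        "earnings": earnings,
        "profit": profit,
        "roi_pct": roi_pct,
    }


def breakeven_payout_rate(visitors_per_day, days, infection_rate, ransom,
                          monthly_cost):
    """Payout rate below which the campaign loses money (earnings == cost)."""
    return monthly_cost / (visitors_per_day * days * infection_rate * ransom)


def defender_levers(base):
    """Hypothetical what-ifs: how attacker ROI changes when defenders act.

    'patch' halves the infection rate (fewer exploitable Flash/Java/Silverlight
    installs); 'backups' halves the payout rate (victims restore instead of
    paying); 'both' applies both. These reductions are illustrative, not
    measured figures.
    """
    scenarios = {
        "baseline": dict(base),
        "patch": {**base, "infection_rate": base["infection_rate"] / 2},
        "backups": {**base, "payout_rate": base["payout_rate"] / 2},
        "both": {**base,
                 "infection_rate": base["infection_rate"] / 2,
                 "payout_rate": base["payout_rate"] / 2},
    }
    return {name: campaign_economics(**params)
            for name, params in scenarios.items()}


if __name__ == "__main__":
    for name, result in defender_levers(TRUSTWAVE_CASE).items():
        print(f"{name:9s} earnings=${result['earnings']:>9,.0f} "
              f"profit=${result['profit']:>9,.0f} ROI={result['roi_pct']:7.1f}%")
    be = breakeven_payout_rate(
        TRUSTWAVE_CASE["visitors_per_day"], TRUSTWAVE_CASE["days"],
        TRUSTWAVE_CASE["infection_rate"], TRUSTWAVE_CASE["ransom"],
        TRUSTWAVE_CASE["monthly_cost"])
    print(f"break-even payout rate: {be:.4%}")
```

The baseline row reproduces the report's $84,100 profit and 1,425 per cent ROI. The useful reading for defenders is the break-even line: at the report's traffic, infection rate and ransom, the campaign only loses money once fewer than about 0.03 per cent of infected victims pay, so reliable offline backups that push the payout rate toward zero do more to the attacker's margin than any single control short of keeping the exploit kit off the endpoint in the first place.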
"The black market is very transparent," says Henderson. "You can look for a good deal ... just as any mercantile or purveyor of goods."
"That’s an exceptional, albeit unethical and illegal, investment," the company says in its annual report [PDF].
Trustwave says of its example that RIG will snag one in ten victims visiting a booby-trapped web page, of whom half of one per cent will cough up a ransomware payment, on average $300.
The margins are a clear indicator of the commoditisation of crimeware, removing the need for blackhats to be jack-of-all-trades and facilitating rapid specialisation.
Exploit kits are popular off-the-shelf hacking tools for their ability to target a range of recently patched and zero-day vulnerabilities in platforms including Adobe Flash, Java, and Silverlight.
Ransomware too is sold in shiny tins, often to be paired with exploit kits. The commoditisation means ransomware code is now harder to reverse engineer, with writers focusing on foiling system administrators' efforts to back up files.
Trustwave determines the profit margin based on an average ransom payment of $300, a figure which often blows out to $5,000 and beyond for smaller scale and more targeted attacks.
Industry security types told this writer, at the recent AusCERT conference, about retail chains and hotels that have paid up to $10,000 in single ransoms after important files were encrypted. Common advice is to pay the attackers and move on.