How do the makers of ransomware make money?

Ransomware is a form of malware that encrypts a victim’s files and demands a ransom payment in order to decrypt them. The first ransomware attack was documented in 1989, but ransomware saw explosive growth starting around 2005. According to TechTarget, ransomware affected 66% of organizations in 2023, up from 37% in 2020. Ransomware works by infiltrating a computer system through phishing emails, drive-by downloads, or the exploitation of vulnerabilities. Once inside the system, it encrypts files and displays a ransom note demanding payment, usually in cryptocurrency. Payment is no guarantee that files will be recovered. Ransomware has emerged as a lucrative criminal business model, with estimated global costs in the tens of billions of dollars annually.

Payment Methods

Most ransomware attackers demand payment in cryptocurrencies like Bitcoin because of the anonymity they offer and the difficulty of tracing or reversing transactions. Bitcoin has become the preferred currency of ransomware attackers, though some also accept Monero and Ethereum (Investopedia). Payment is usually demanded within a set timeframe, often just a few days, before the ransom amount increases or files are deleted. Some attackers provide instructions for setting up a cryptocurrency wallet to make the payment.

Besides cryptocurrency, attackers may also request payment through online payment systems like PayPal or wire transfers through Western Union, though these make tracking easier (NetDiligence). Prepaid gift cards have also been used as ransom payments since they offer a degree of anonymity. Whichever way attackers receive payment, the process often involves complex chains of money laundering and cashing out of cryptocurrency to make tracing difficult.

Affiliate Programs

Many ransomware operators run affiliate programs, also known as Ransomware-as-a-Service (RaaS). These programs allow affiliates to use the ransomware code and infrastructure in exchange for giving the operators a cut of any ransom payments. The affiliate model allows ransomware gangs to scale up their operations and makes it easier for new cybercriminals to get involved in ransomware campaigns.

One prominent example is the DarkSide ransomware group, which launched an affiliate program in late 2020, according to security analysts. DarkSide’s program offered affiliates up to 90% of ransom proceeds. Another major ransomware strain, REvil, offers affiliates 60-70% of ransoms. Such profit-sharing arrangements give affiliates strong financial incentives to compromise targets and deploy ransomware.

RaaS affiliate programs have proliferated in recent years and allow ransomware gangs to rake in profits while offloading some risk onto affiliates. By leveraging networks of affiliates, ransomware operators can cast a wider net and attack more victims across different geographies and industries.

Targets

Ransomware operators often look for targets that are more likely to pay the ransom demand. Some of the most common ransomware targets include businesses, governments, and individuals. According to a report on ransomware statistics by Cloudwards, the most common ransomware targets in 2021 were in the education and retail sectors, with 44% of attacks targeting education organizations (Source).

For businesses, ransomware attackers look for larger organizations where there is more to lose from downtime and data loss. They may also target businesses that handle sensitive data like healthcare organizations or ones that provide critical services. According to BeyondTrust, ransomware attackers often look for unsecured and open ports on internet-facing systems as an initial access point (Source).

Government organizations are also prime targets for ransomware attacks, with high-profile incidents against cities and agencies making headlines in recent years. Attackers see government entities as having both sensitive data and the budget to potentially pay large ransoms if operations are disrupted.

On the individual level, everyday computer users can be impacted by ransomware spread through phishing emails, compromised websites, or infected external drives. Ransomware operators may see home users as easy targets who are likely to pay smaller ransom amounts to regain access to personal files and devices.

Negotiation

Ransomware operators often negotiate with victims to try to extract the maximum payment. According to Forbes, victims should establish a crisis management structure and assess the scope of the attack before deciding whether to pay. Negotiators may start with a high decryption fee, often in cryptocurrency, and threaten consequences for non-payment.

The FBI recommends not paying ransoms. However, according to BC Training, if victims decide to negotiate, they can try tactics like asking for more time or promising a partial payment upfront. Negotiators often use pressure and make threats, but victims can attempt to “play hardball” by questioning the criminals’ incentives if they fail to decrypt systems. The decryption key may be the only leverage ransomware operators have.

Anonymity

Ransomware hackers go to great lengths to remain anonymous and avoid being traced. Many use cryptocurrencies like Bitcoin to receive ransom payments, as these provide more anonymity than traditional payment methods, and cryptocurrency transactions are difficult to trace back to individuals. The hackers also routinely use The Onion Router (Tor) network to mask their identities and locations when operating ransomware campaigns, since Tor obscures their IP addresses and activities. Additionally, money muling services are sometimes used to launder the illegal proceeds from ransom payments: money mules move the funds through multiple accounts and jurisdictions until the source is obscured.

According to an article on BlackFog, “Ransomware attack tools used to hold organizations to ransom are often available on the Dark Web.” [1] The anonymity of the Dark Web makes it appealing for ransomware hackers to buy and sell tools as well as collaborate.

Strong passwords and proper cybersecurity measures are important safeguards against ransomware, as explained in a Quora response: “Use strong and unique passwords that are difficult to guess and avoid using the same password for multiple accounts.” [2]

Evasion

Ransomware developers use various techniques to evade detection and analysis. One common method is code obfuscation, which makes the ransomware code difficult to understand and reverse engineer. For example, the makers of CatB ransomware use complex obfuscation to disguise key parts of their code, according to a report by The Hacker News [1].

Ransomware also employs anti-analysis tactics to hinder efforts to study how it works. CatB ransomware was found to check for tools commonly used in malware analysis, such as virtual machine software and debuggers. If it detects them, it stops encrypting files to avoid being analyzed. Some ransomware families, such as REvil, delay the start of encryption as another anti-analysis technique.

Reinvesting Profits

Ransomware groups typically reinvest a significant portion of their profits into further development and operations. According to one source, many ransomware developers use their earnings to fund research and development of new malware strains and attack techniques (https://www.graphus.ai/blog/who-makes-money-from-ransomware/).

Ransomware-as-a-Service (RaaS) models in particular allow cybercriminals to easily scale up their operations using ransom profits. The RaaS model provides ransomware kits, infrastructure, and support to affiliates who then execute attacks and receive a cut of any ransom payments. This revenue-sharing approach provides strong financial incentives for participation and enables rapid expansion of ransomware operations (https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/).

By reinvesting profits into improving malware and infrastructure, ransomware groups can increase the sophistication, scale, and profitability of future attacks. This cycle allows many ransomware operations to grow rapidly if left unchecked.

Future Outlook

As ransomware continues to evolve, experts predict several key trends in the future landscape of attacks. Many analysts believe ransomware groups will increasingly target critical infrastructure like healthcare, energy, and transportation sectors (https://heimdalsecurity.com/blog/ransomware-trends/). Attackers may also utilize more sophisticated encryption methods and expand their targets to smart devices and operational systems (https://www.linkedin.com/pulse/understanding-threat-in-depth-analysis-ransomware-segun-dtvlc).

In response, cybersecurity firms are developing more advanced defenses using AI, machine learning, and analytics. Companies are also improving training for employees, implementing rigorous backup procedures, and deploying layered security solutions (https://www.techradar.com/features/what-is-the-future-of-ransomware-attacks-and-how-could-security-companies-respond). Many experts caution that ransomware will likely persist as a prominent threat, necessitating continued vigilance and proactive security measures.

Conclusion

Ransomware is a highly profitable online criminal enterprise that has encrypted millions of computer systems and extorted billions of dollars from victims. While some ransomware groups present themselves as merely opportunistic entrepreneurs taking advantage of security vulnerabilities, most function more like organized crime groups – professional, calculated, and often ruthless in their high-tech shakedowns. Even as companies and law enforcement agencies have improved their defenses, these criminal networks have innovated with new strains of malware, anonymous payment systems, and evasion techniques.

The challenge of eliminating ransomware is immense, but there are concrete steps we can take to fight back. Companies must invest in cybersecurity training for employees, keep systems patched and updated, maintain offline backups of critical data, deploy endpoint detection software, and have an incident response plan ready. Governments can prioritize prosecuting ransomware groups, sanction countries that harbor them, and collaborate to strengthen cyber defenses across borders. Individuals should be vigilant through steps like using strong passwords, recognizing phishing scams, and keeping regular backups.

Ransomware presents a complex technological and geopolitical dilemma without easy solutions. But through greater awareness, investment, cooperation, and vigilance across the public and private sectors, we can work to mitigate the impact of ransomware and deter further criminal profiteering in cyberspace.