Is ransomware profitable?

Ransomware, a form of malicious software that encrypts files on a victim’s computer and demands payment for decryption, has become an increasingly prevalent cyber threat in recent years. But is launching ransomware attacks actually a profitable criminal enterprise? There are arguments on both sides of this issue.

The case for ransomware being highly profitable

There are several reasons why ransomware can be an attractive money-making scheme for cybercriminals:

  • Ransom payments are often made in cryptocurrency, which is difficult to trace. This allows attackers to more easily collect payments without being caught.
  • The average ransom payment has increased dramatically, making each successful attack more lucrative. The average ransom payment increased from $294 in 2015 to $1,400 in 2019 according to Coveware.
  • Attacks are increasingly targeting high-value victims like businesses, hospitals, and government agencies. These victims have more incentive to pay larger ransoms to regain access to critical systems and data.
  • Ransomware kits and ransomware-as-a-service have lowered the barrier to entry, allowing less sophisticated attackers to launch campaigns.
  • Many victims end up paying the ransom, even against the advice of law enforcement, simply because they have no alternative to recover their encrypted data.

Some statistics illustrate how ransomware can result in large profits for attackers:

  • The WannaCry ransomware attack in 2017 infected over 200,000 computers across 150 countries. The attackers earned over $140,000 in bitcoin payments.
  • Ryuk ransomware targeted hospitals and health care providers in 2018 and 2019 and reportedly earned over $61 million in ransom payments.
  • Sodinokibi ransomware targeted MSPs, vendors, and technology providers in 2019 and extracted over $150 million in ransom payments within just a few months according to cybersecurity firm Coveware.

Based on these trends, ransomware appears to be a lucrative endeavor for cybercriminals who have the technical skills to carry out campaigns. The high ransom payment amounts combined with the increasing success rate make it financially rewarding.

The case against ransomware being highly profitable

However, there are also arguments that launching ransomware campaigns may not be as profitable as it seems:

  • Developing and maintaining ransomware requires considerable upfront investment. Coding custom ransomware or licensing ransomware kits comes with high costs.
  • It can be challenging to launder and cash out cryptocurrency payments from ransomware campaigns.
  • Many victims refuse to pay the ransom, even when facing significant data loss. In 2020, only around one-third of victims paid the ransom according to Sophos.
  • There are substantial costs associated with developing, managing, and promoting ransomware-as-a-service programs for less sophisticated attackers.
  • Law enforcement is cracking down on ransomware operations, working with international partners to seize payments and arrest perpetrators.

There are also risks associated with running ransomware operations:

  • Failed attacks can result in wasted resources and no payout.
  • Going after high-value targets increases the chances of being detected and shut down.
  • Publicity from an attack may spur greater law enforcement activity against the ransomware program.
  • Targets may invest more in cybersecurity after an attack, preventing future infections.

These factors can quickly eat into the theoretical profits from ransom payments. The costs of sustaining ransomware campaigns and risks of failure may make it less profitable than it appears.

Metrics for estimating ransomware profitability

Given the arguments on both sides, how can we gauge whether ransomware campaigns are highly profitable or not? There are a few key metrics that provide insight into the profitability of ransomware:

  • Infection rate – The percentage of attacks that successfully infect the target and encrypt files. A high infection rate results in more opportunities to collect ransom payments.
  • Payment rate – The percentage of infected victims that end up paying the ransom. This metric indicates how likely payments are to materialize.
  • Average ransom amount – The average size of ransom demands made to victims provides a benchmark for potential revenue per infection.
  • Operational costs – Estimated costs for ransomware operators related to development, hosting, payment processing, etc. High costs eat into profit margins.
  • Revenue sharing – For ransomware-as-a-service, the split of ransom payments between affiliate and operator. Less revenue for operators decreases profitability.

These key variables can be used to model the overall profitability of ransomware campaigns. Unfortunately, precise data is difficult to obtain for these metrics. Ransomware groups do not publicly share detailed financials or data on their operations. However, we can make reasonable estimates based on available ransomware research to identify trends and get a sense of the overall profitability.

Modeling ransomware profitability

As a hypothetical example, we can plug in estimated values for these key metrics to model profitability:

| Metric | Value |
|---|---|
| Number of attacks | 100 |
| Infection rate | 30% |
| Number of infections | 30 (100 * 30%) |
| Payment rate | 33% |
| Ransoms paid | 10 (30 * 33%) |
| Average ransom | $500,000 |
| Total ransom revenue | $5,000,000 (10 * $500,000) |
| Operational costs | $1,000,000 |
| Net revenue | $4,000,000 ($5,000,000 – $1,000,000) |

Based on this hypothetical model, malware operators would earn $4 million in net revenue on 100 attacks. That equates to $40,000 in net profit per attack – a sizable payout. Of course, changing the assumptions and estimates would affect the bottom-line profitability. But with average ransomware payments frequently in the six figures, it’s easy to see how ransomware can be highly profitable on a per-attack basis.
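The sensitivity to assumptions mentioned above, worked through from a defender's perspective as an added example (not part of the original article): using the table's hypothetical values, it computes how far the infection rate or payment rate must fall before the modeled campaign stops breaking even. The function names and the `operator_share` parameter (the revenue-sharing metric, which the table does not apply) are assumptions.

```python
# Hypothetical values copied from the table above; not measured data.
ATTACKS = 100
INFECTION_RATE = 0.30
PAYMENT_RATE = 0.33
AVG_RANSOM = 500_000
OPERATIONAL_COSTS = 1_000_000


def net_revenue(attacks, infection_rate, payment_rate, avg_ransom,
                costs, operator_share=1.0):
    """Net revenue as in the table; victims are rounded to whole numbers.

    operator_share is an assumed extra parameter for the revenue-sharing
    metric (1.0 = no affiliate split, which is what the table uses).
    """
    infections = round(attacks * infection_rate)
    paid = round(infections * payment_rate)
    return round(paid * avg_ransom * operator_share) - costs


def break_even_payment_rate(attacks, infection_rate, avg_ransom,
                            costs, operator_share=1.0):
    """Payment rate below which the model loses money (no rounding)."""
    return costs / (attacks * infection_rate * avg_ransom * operator_share)


def break_even_infection_rate(attacks, payment_rate, avg_ransom,
                              costs, operator_share=1.0):
    """Infection rate below which the model loses money (no rounding)."""
    return costs / (attacks * payment_rate * avg_ransom * operator_share)


if __name__ == "__main__":
    base = net_revenue(ATTACKS, INFECTION_RATE, PAYMENT_RATE,
                       AVG_RANSOM, OPERATIONAL_COSTS)
    print(f"baseline net revenue: ${base:,}")
    pr = break_even_payment_rate(ATTACKS, INFECTION_RATE, AVG_RANSOM,
                                 OPERATIONAL_COSTS)
    ir = break_even_infection_rate(ATTACKS, PAYMENT_RATE, AVG_RANSOM,
                                   OPERATIONAL_COSTS)
    print(f"break-even payment rate:   {pr:.1%} (table assumes 33%)")
    print(f"break-even infection rate: {ir:.1%} (table assumes 30%)")
    # Effect of halving each defensive lever on the modeled net revenue.
    for label, i, p in [("infection rate halved", 0.15, PAYMENT_RATE),
                        ("payment rate halved", INFECTION_RATE, 0.165)]:
        n = net_revenue(ATTACKS, i, p, AVG_RANSOM, OPERATIONAL_COSTS)
        print(f"{label}: ${n:,}")
```

With the table's figures, the model only drops below break-even once the payment rate falls under roughly 7% or the infection rate under roughly 6%, which shows how much margin the hypothetical assumptions leave.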

Real-world ransomware profit estimates

It’s challenging to objectively quantify the profitability of real-world ransomware campaigns. Ransomware operators hide their activities and avoid sharing data. However, cybersecurity researchers have developed estimates based on observed attacks and payment amounts.

For example, analysts at Flashpoint examined three ransomware variants (Cerber, Locky, and Spora) over a six-month period in 2016. They estimated:

  • Total ransom amounts paid exceeded $25 million.
  • Average payment amount was $1,077.
  • Campaigns conducted over 20,000 attacks during the period.
  • Average campaign earned $90,000 after operational costs.
  • Top campaigns earned over $200,000.

These estimates indicate ransomware campaigns can generate tens or even hundreds of thousands in net profit over a short period. That suggests it can be a worthwhile criminal enterprise.

With ransomware payments reaching into the millions of dollars in many recent attacks, profitability has likely increased significantly since 2016. The Ryuk and Sodinokibi campaigns raked in tens of millions within months according to cybersecurity analysts.

However, these large payouts also increase visibility and the likelihood of law enforcement intervention. The DOJ was able to track and seize over $6 million in bitcoin paid to DarkSide ransomware operators after the Colonial Pipeline attack.

Factors impacting ransomware profitability

Based on available estimates, ransomware appears capable of generating significant profits in many campaigns. However, there are several complex factors that ultimately determine profitability:

  • Target selection – Targeting organizations with critical data and systems increases likelihood of payment. Focusing on hospitals, infrastructure, and major corporations can elevate profits.
  • Ransom amounts – Demanding larger ransoms maximizes revenue but also reduces payment rate. The “right” ransom balance needs to be struck.
  • Negotiations – Flexibility on ransom pricing during negotiations can help ensure payments materialize.
  • Reinvestment – Continually reinvesting a share of profits into better TTPs and ransomware improves outcomes over time.
  • Affiliates – Recruiting skilled affiliates increases success but reduces per-payment profit margins.
  • Cryptocurrency – Usage of anonymous and less traceable cryptocoins improves payment collection.

These factors illustrate why some ransomware gangs are able to drive up profits dramatically while others struggle to break even. It requires business savvy as well as technical skills to operate ransomware successfully at high profit levels.

The future of ransomware profitability

Given the rapid evolution of the ransomware threat landscape, it is difficult to predict whether profits will continue increasing in the future. There are some potential trends that could impact future profitability:

  • Greater adoption of cyber insurance may increase regularity of ransom payments. But insurance providers may also limit payout amounts.
  • Expanded crackdown by law enforcement could dismantle more operations or deter new entrants.
  • New international regulations could hinder access to cryptocurrency and ransom payments.
  • Shift to “leakware” extortion tactics may be less profitable than encryption-based ransomware.
  • Improved security like multi-factor authentication could drive down infection rates.
  • Standardization of ransom negotiations could stabilize or lower payment amounts.

Predicting the trajectory of the ransomware threat is difficult. But the current state of ransomware certainly suggests it remains a profitable criminal enterprise. Ransomware operators are likely to continue evolving their TTPs and business models to sustain profits in the face of improving security controls and law enforcement actions.

Conclusion

In summary, ransomware appears capable of generating significant profits for cybercriminals, especially with recent trends like targeting high-value organizations and demanding larger ransom amounts. Estimates suggest some ransomware campaigns earn tens or hundreds of thousands in profits. Factors like target selection, ransom demands, negotiations, and cryptocurrency usage heavily influence the profitability. However, costs and risks associated with ransomware operations likely make it less profitable than raw ransom numbers would suggest. Ongoing investment and business savvy are required for ransomware groups to consistently profit. The future of ransomware profitability will depend on the ongoing battle between cybercriminals, the security community, and law enforcement. But for now, ransomware continues to be a lucrative endeavor for attackers that successfully infect high-value targets and collect cryptocurrency ransoms.