
Ransomware: Big paydays and little chance of getting caught means boom time for crooks

File-encrypting malware is proving to be extremely lucrative for cyber attackers, who can continue large-scale ransomware campaigns – making hundreds of thousands of dollars – almost risk-free.

Ransomware will continue to plague organisations in 2020 because there’s little risk of the cyber criminals behind the network-encrypting malware attacks getting caught: for them, the risk is small and the potential reward is large.

During the last year, there have been many examples of ransomware attacks where victims have given in to the extortion demands of the attackers, often paying hundreds of thousands of dollars in bitcoin in exchange for the safe return of their networks.

In many cases, the victims will pay the ransom because it’s seen as the quickest – and cheapest – means of restoring the network.

“From a criminal perspective, if I want to make $100,000, how many users do I have to infect individually and how many of those will pay me, compared to going for a hospital or a global organisation and demanding a big amount? I have a higher guarantee of getting a high payment, and that drives development in ransomware,” said Jens Monrad, head of intelligence for EMEA at FireEye.

But what makes ransomware really appealing for cyber criminals is that not only are the attacks relatively simple to carry out and potentially extremely rewarding, but there’s very little chance of them being held to account for their actions.

“It’s still an area where there’s little risk of being caught or arrested – and it’s still a lucrative business,” said Monrad.

There have been a handful of cases where cyber criminals launching ransomware campaigns have been brought to justice, but it’s the exception rather than the norm.

In the majority of cases, those pushing ransomware don’t need to worry about being put in prison for their actions – especially if they’re launching attacks against organisations on the other side of the world.

For example, it’s common for ransomware launched from Russia and Eastern Europe to terminate itself if it finds itself on a system configured to the Russian language. That’s because the authorities there will often turn a blind eye to attacks being launched against individuals or companies far away.

“Certain types of malware won’t execute in Eastern Europe – you don’t want to create a disturbance in your backyard to alert local agencies,” said Monrad.

It’s not the only example of the difficulties of policing ransomware at an international level. Two Iranian men whom the US Department of Justice has accused of creating and distributing SamSam ransomware are highly unlikely to be sent to the US by Tehran. The US has also issued an indictment for a North Korean man who it says is responsible for the global WannaCry ransomware outbreak and other attacks – but Pyongyang has said the man doesn’t exist.

So as ransomware continues to be a lucrative and relatively risk-free form of cybercrime, the epidemic is only going to continue as we move into 2020.

“The risk and repercussions still aren’t there,” Monrad said.