The ransomware business model

In 1989, the AIDS Trojan horse was released into the unsuspecting world using floppy disks sent through snail mail, demanding recipients send $189 to a PO Box in Panama. However, the attack was largely unsuccessful since few people used computers back then and the internet was only really used by science and technology experts.

Ransomware then took a back seat throughout the 1990s and early 2000s before re-emerging in the form of misleading applications and software. The first wave appeared around 2005 with attacks masquerading as legitimate software, for example, PC optimisation programmes and disk cleaners.

Fake antivirus programmes followed, with cyber criminals mimicking popular market products. Then came Locker ransomware and its more commonly known variant, CryptoLocker.

CryptoLocker ransomware – the type we see hitting the headlines today – emerged in 2012 with hackers disabling access and control of a machine in return for a ‘fine’ or fee. In a business scenario, this is particularly severe as the volume of data that can potentially be lost is greater, causing all manner of business continuity issues.

From the first targeted attacks to the new wave of cyber threats requiring only minimal skill, it’s these attacks which really fuel the ransomware business model.

Financial viability

Recent research has discovered that almost half (48%) of global businesses suffered a ransomware attack in the last year, of which 65% reported paying the ransom – an average of £540.

From this, it’s easy to see why ransomware is a bountiful business: using these figures, if an attacker targets 1,000 businesses at £540 each, and 65% pay up, that’s a return of more than £350,000. And that’s just for a few minutes of work.


As businesses become adept at decrypting data, the creators of ransomware need to be more creative. The business of ransomware is evolving, with ransomware itself becoming the commodity item, either as-a-service or in the form of a DIY kit which can be customised to fit the attacker’s needs.

Hackers understand that this is a big business opportunity. One cryptoware programme called Stampado – which sold on the darknet for $39 – even had a YouTube video promoting the ransomware-as-a-service (RaaS) model.

The ability to buy ransomware at incredibly cheap prices means that just about anyone – even those with little or no IT experience – can hold companies to ransom. Clearly, ransomware developers have seen the significant commercial advantages of franchising models.

This allows them to reach much greater scale with less risk to themselves and, as long as they balance the reward against the percentage retained by their franchisee, they will achieve significantly greater returns.

Ransomware of the future

Predicting where ransomware will strike next and how the techniques will change is not an exact science; we can only look at the patterns of the past and speculate what might happen in the future.

For example, a year or two after a malware variant reaches its peak, cybercriminals typically switch their focus to a different one. However, with the prevalence of smart, connected devices, it’s no surprise that these are highlighted as a potential target.

All of these can potentially be hijacked by attackers, locking a user out until a ransom is paid. Imagine being locked out of your smart house, or being taken for an unscheduled detour whilst in your smart car. With analysts forecasting there will be 20.8 billion things connected worldwide by 2020, the opportunities for hackers are endless.

Ransomware is here to stay, providing a profitable business model for cyber criminals. But that’s not to say we all have to become victims – there are ways in which an organisation can protect itself.

Use a product which offers a guarantee for its protection technology. SentinelOne, for example, will reimburse customers if it is unable to block or remediate the effects of a ransomware attack.

Go beyond signature-based detection. Malware creators know their code is more often than not identified based on its structure and will adjust their ‘end product’ accordingly. Invest in behavioural detection instead, which will identify the malware’s path and actions before taking steps to protect.

Implement a regular backup process. Using frequent backups – set at intervals appropriate to the mechanisms in use – can provide insurance in the event of an attack.

Educate users on the ransomware business model, particularly RaaS. Businesses and individuals will continue to see ransomware attacks throughout 2017 and the first line of defence is a knowledgeable workforce.

Ransomware is a worldwide problem and doesn’t discriminate when choosing its victims. And until this tried and tested model is disrupted, organisations will continue to be held hostage.


Sourced by Tony Rowan, chief security consultant, SentinelOne

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...