Examining Ransomware Payments From a Data-Science Lens
In partnership with: Erin Burns, Eireann Leverett of Waratah Analytics
Ransomware has come a long way since the Internet’s pre-cryptocurrency days. The advent of cryptocurrency was an important turning point in the evolution of this cyberthreat, as malicious actors are now no longer confined to available local or regional payment options when collecting ransom payments.
The operation costs and monetization models of a ransomware group can be telling of its persistence methods, the tactics, techniques, and procedures (TTPs) in its arsenal, and the qualifications of its members — all valuable insights for defenders if they are to mount a defense strategy that can hold out against increasingly sophisticated ransomware attacks. Previously, we explored how analyzing CVE data through data-science approaches can guide cybersecurity teams’ patching priorities — one of many data sources that organizations can turn to as a means of understanding the inner workings of the ransomware ecosystem. In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.”
Ransomware groups profile potential victims to calculate the ransom amount
Several factors contribute to the ransom amount that attackers initially demand from their victims and later, over the course of negotiations with them, the minimum amount for which malicious actors are willing to settle. The victim’s revenue is one of the attacker’s top considerations. Based on Conti’s leaked internal chat logs, we observed that the historic ransomware group, which had its own dedicated open-source intelligence (OSINT) team that collected information on their potential victims, profiled companies and kept tabs on their financial state using business information that was publicly available online.
The contents of the data stolen in a ransomware attack — including sensitive financial information like any recent monetary transactions, bank statements, and tax reports — might also factor into the negotiation process: If the victim claims an inability to pay when the ransomware actors are aware of contract payments or available funds found on their systems, the attackers might retaliate by hiking up the ransom amount or publishing the victim’s data.
Their business model determines a ransomware group’s operational costs
Ransomware groups need to cover the costs of their operations if they are to turn a profit and prove their business model effective. Some groups demand a fixed amount from all their victims, while others set the ransom based on a detailed profile of the victim. Knowing how the attackers operate and the size of the ransom can help security teams distinguish targeted from non-targeted ransomware campaigns. Being able to tell the difference is important, as countering each kind of attack requires its own defense strategy.
Operational costs vary across ransomware groups and depend largely on the business model of the attackers. If the ransom amount is negotiable for ransomware actors, the costs that they incur in an attack designed for a particular victim might be used as a lower-bound estimate for the ransom.
For ransomware groups whose business model involves adjusting the ransom size to the victim, we observed that ransom payments vary greatly in size, as was the case for the ransomware-as-a-service (RaaS) Cerber (Figure 1). On the other hand, the likes of the DeadBolt ransomware, which are focused on volume-based attacks, will show little variation (Figure 2). Indeed, groups like Cerber will calculate the initial ransom size and the threshold of the negotiated amount based on the individual target because the costs that go into organizing and carrying out an attack on a victim might need additional personnel and infrastructure.
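The contrast between Figure 1 and Figure 2 can be reduced to a dispersion statistic over observed payments. The following is an added example, not code from the original research or from Waratah Analytics; the payment samples are constructed, and the 0.5 coefficient-of-variation threshold is an assumed heuristic, not a value from the page.

```python
import statistics
from typing import Dict, List

# Constructed sample payments in USD (not real transaction data):
# one family with victim-tailored ransoms, one with a near-fixed price per victim.
SAMPLE_PAYMENTS: Dict[str, List[float]] = {
    "tailored-family": [4_800, 12_500, 39_000, 250_000, 7_200, 95_000, 1_100_000, 18_000],
    "fixed-price-family": [1_050, 1_020, 1_080, 1_000, 1_030, 1_010, 1_060, 1_040],
}


def dispersion_stats(payments: List[float]) -> Dict[str, float]:
    """Summarize how widely ransom payments vary within one family.

    Relative measures (IQR/median, stdev/mean) are used so that families
    with very different price levels can be compared on the same scale.
    """
    if len(payments) < 2:
        raise ValueError("need at least two payments to measure dispersion")
    ordered = sorted(payments)
    q1, median, q3 = statistics.quantiles(ordered, n=4)  # 25th, 50th, 75th percentiles
    mean = statistics.fmean(ordered)
    return {
        "median": median,
        "iqr_over_median": (q3 - q1) / median,
        "coef_of_variation": statistics.stdev(ordered) / mean,
    }


def classify_campaign(payments: List[float], cv_threshold: float = 0.5) -> str:
    """Heuristic (assumed threshold): high relative spread suggests ransoms
    tailored to each victim (targeted); low spread suggests a volume-based
    campaign charging roughly the same amount to everyone."""
    cv = dispersion_stats(payments)["coef_of_variation"]
    return "targeted" if cv > cv_threshold else "volume-based"


if __name__ == "__main__":
    for family, payments in SAMPLE_PAYMENTS.items():
        stats = dispersion_stats(payments)
        print(f"{family}: median={stats['median']:,.0f} "
              f"CV={stats['coef_of_variation']:.2f} -> {classify_campaign(payments)}")
```

The threshold should be calibrated against families whose business model is already known before the heuristic is applied to unlabeled payment clusters.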