Descending into Cybercrime
More than an year ago (and before crazy and scary things like WannaCry and Petya happened) I had an idea for a research about the darkest shade of wearing a black hat, by the mean of getting some piece of information and statistics and write an analysis. Not a technical one, but something more like a financial analysis of the cybercrime business model and now I’m going to publish the results (it’s even more present now than an year ago…).
First things first, basically I started thinking about how much money one man have to invest to start a new business and what Is the best investment in terms of gain.
As of the end of March 2016, 93% of all the phishing emails contained a ransomware. – PhishMe
I focused my researches on ransomware as they were gaining popularity and their Software as a Service (SaaS) versions were growing in stability. As a first step, there is the need to find the ransomware, these types of malware can be easily “sourced” online in two “shape”:
- Attacker go in an underground market and buy one.
- Attacker can just download the source code of one of the leaked malware in the past and after that he will have to reengineer it.
For this research, I supposed an attacker with practically none technical skill and a low budget of money to invest, so he chooses to buy the malware sold in the marked. Their price can vary from something between 50$ (for some basic feature) to more than 1k$ for some more advanced things.
The Stampado ransomware was offered for sale with a lifetime license that goes for just $39.
The next problem is making the malware undetectable by antivirus and security solutions, so again, an attacker with technical skill will build a crypter but in this case the attacker just need going back to the market and searching for a crypter. Their price can range between 10$ to more than 50$/month
In this case, since an undetectable (FUD) ransomware is something really needed, every investor would choose the quality, choosing the most expensive one (50$/m).
After that, the attacker need to find a service that allow him to spread and run the ransomware, these services can range something around 25-200$ (500-5000 install). I will consider the expense of 200$ for 5000 infected computers.
Now he should have to buy a cheap VPS to put behind Tor (The Onion Routing) using it as a Command and Control (C&C) for the ransomware. He can buy this service for something around 30-50$/m. Again, since the C&C is another critical step he will chose to buy it for 50$.
All the above statists are coming from, the now defunct section, of HackerForums and some other underground communities.
Now a small recap and some stats, he had spent 350$ until now.
When the traffic is bought, it usually consists into running the malware on machines that were already compromised. The installs are coming from computers without a proper AV or from machine with a misconfigured security solution, usually from poorer countries and most of the time the installs are resold to multiple clients, for these reasons I will count 1000 infected machines out of 5000, just to add some realism.
On all the 1000 machine the attacker will be able to run the ransomware but, only for a subset of those people will pay. Official statistics say that globally, 34% of victims end up paying ransom. American victims, however, pay at a rate of 64%, according to Norton.
According to a recent BitDefender study, about 50% of ransomware victims have paid their extortionists and another 40% percent of people said that they would pay if it happened to them.
One year ago, the average price for a ransom was something around 300$ but now is more than doubled with an average spike request of 600/700$.
Let’s put in the worst-case scenario, 34% on 1000 infected computers is 340 that we have to multiply for a low ransom price, let’s say 200$.
Results are quite astonishing, in a scenario like the one just described, a bad actor can gain up to 68000$ in BTC.
|N. of Infected PC||34%||64%||34%||64%||lowest rate of 3% for RaaS|
(Ransomware as a Service: RaaS)
Of course, from this number we must subtract the expenses incurred until now (350$): 67650$.
The Return on Investment (ROI) is 19328.57% [Of course, this is a specific example and not an average case of investment and its relative ROI.], all of these with a very small investment, can you imagine how much the attacker can gain with a proper investment and consequently a professional grade ransomware, crypter and tools?
I will bring some examples:
- CryptXXX Ransomware gang made around $49,700 from 61 payments of ransoms between June 4 and June 21, 2016, the money were all collected through the same Bitcoin address.
- Researchers from the Talos team have determined that a single Angler instance was responsible for half of all Angler activity that they observed and is likely generating more than $30 million annually. This revenue was mainly generated through the distribution of Ransomware (CryptoWall0 and TeslaCrypt 2.0), more than 60% of compromised devices were infected by this family of threats.
- This is the bitcoin address used by the NotPeyta ransomware, they had 46 transactions, for a total of 3.99 BTC (~10.000$)
Even with higher investment the ROI is still amazing:
Ransomware are a perfect example on how people can easily monetize with cybercrime, is low-risk high-gain investment. Ransomware provides a way to get paid directly by the victim with little or no risk of exposure.
There’s also little fear of law enforcement tracking operators down. Ransomware attacks goes unreported to law enforcement, especially when the targets are companies. Now, I’m not suggesting everyone to start with the cybercrime business nor I endorse any of the malware that I have spoken about but do not get surprised if people with some technical skills (especially youngsters) find this side attractive and, in poorer country, cybercrime is a subsistence method and a job.