A recent ransomware research study has shown the individuals running ransomware campaigns do not actually earn that much money and the success rate of attacks is relatively low. However, the threat from attacks cannot be ignored due to the volume of individuals now running their own ransomware campaigns.

For the ransomware research study, web intelligence company Flashpoint trawled underground forums and marketplaces and monitored communications over a period of five months. The purpose of the ransomware research study was to improve understanding of how ransomware campaigns are run, to learn about the players involved, and the tactics they used to run campaigns and infect end users. It helps to know thy enemy when forming a defense strategy against attacks.

For its ransomware research study, Flashpoint investigated Russian ransomware campaigns from December 2015. The attacks were predominantly carried out on organizations and individuals in the West.

Ransomware Research Study Shows Campaigns are Not as Profitable as Many People Think

Considering the disruption caused and the money lost by victims of ransomware attacks, many people believe the criminals behind the campaigns are making big bucks, but that is not necessarily the case. In fact, even “ransomware bosses” – the individuals offering ransomware-as-a-service – are not raking in anywhere near as much money as many people think.

The majority of cybercriminals who run ransomware campaigns earn well under $10,000 a month. According to the ransomware research study report, only one in five individuals who run ransomware campaigns admitted to earning in excess of this figure. The report suggests that the average monthly earnings from this type of campaign is around $600 per month.

The typical ransom is around $300 per infected computer, although the people who run the campaigns have to give the ransomware bosses 60% of their earnings. They are allowed to keep the remaining 40%, suggesting most of the people running these campaigns only get 2-3 ransoms per month.

The ransomware research study data suggest that far from allowing criminals to obtain big money from ransomware campaigns, the attacks only yield similar returns to other forms of cybercriminal activities. The only difference being the attackers can usually get their hands on money faster. Stealing data such as credit card numbers or healthcare data requires the attacker to find a buyer for those data before any money is received.

The report suggests that the typical infection rate from a campaign is between 5% and 10%, yet few of the victims end up paying the ransom. Many ransomware victims are protected having made backup copies of important files and some are able to unlock the infections using tools from security companies. Others are willing to lose data rather than pay the ransom.

Ransomware bosses that push ransomware-as-a-service using an affiliate model can make around $7,500 per month, which equates to around $90,000 a year – approximately 30 ransom payments per month for the bosses.

Most Ransomware Campaigns are Run by Novices

While there are criminal gangs and highly skilled cybercriminals who invest a lot of time and effort into their ransomware attacks, the report suggests that the majority of attackers are novices; not skilled hackers. The report suggests that many individuals choose to run campaigns using ransomware-as-a-service in the hope that they will get lucky and get a big payout. These individuals tend to run spamming campaigns based on quantity rather than quality, and send high numbers of spam emails using botnets.

Flashpoint’s ransomware research study shows just how easy it is to start sending out ransomware campaigns. This is why so many individuals choose to give it a try. All that is needed is a very small injection of capital to get started, a lack of morals about how money is earned online, and a modicum of knowledge to allow individuals to send out mass spam emails.

Adverts for ransomware-as-a-service are easy to find with the Tor browser and advice on distribution is not difficult to find. Would-be criminals with no experience are recruited with a promise of a big payout, even though the reality is that for most people the payouts will be low.

More experienced and skilled individuals send phishing emails directing victims to websites containing exploit kits, which probe for vulnerabilities and automatically download the ransomware. Another popular method of infection is to sneak adverts containing malicious links onto legitimate advertising networks.

Only a small percentage of attackers are highly skilled. These individuals tend to send out targeted campaigns. These attackers target organizations and businesses with the aim of infecting multiple machines and infiltrating networks causing widespread disruption.

These campaigns tend to involve a considerable amount of planning, and require the attacker to research targets and design targeted emails that have a high change of eliciting the desired response. According to Flashpoint’s director of Eastern European Research and Analysis, Andrei Barysevich, “The success rate of this type of operation is significantly higher, enabling criminals to earn upwards of $10,000 a month or more.”

For organizations infected with ransomware the costs can be severe. Add up the cost of disruption to the business, the time and resources required to remove infections and restore files, and the cost of implementing more robust security measures, and the cost of a ransomware attack could be tens of thousands of dollars.

With no shortage of takers for ransomware-as-a-service, and ever more sophisticated ransomware being developed, organizations must develop a host of defenses to prevent attacks from being successful.