The Evolution of the Ransomware Business Model

Ransomware attacks are one thing that I have started to see and hear more and more of lately. This type of malicious software, designed to block access to a computer system until a sum of money (ransom) is paid, is wreaking havoc for partners and their customers.

Recently I was trying to get hold of a colleague at an SMB focused reseller. He was however flat out restoring or rebuilding desktops & servers, and generally fixing a number of Ransomware incidents at several of his client sites. This piqued my interest and led me to ask a range of questions. How did these clients get infected? Did they pay the ransom and if so how much? Did it work? Is Ransomware on the increase, and can you prevent an attack, or at worst limit the damage?

Is Ransomware On The Increase?

Firstly, yes, it seems there are more Ransomware attacks taking place. The primary reason for this increase appears to be because it is now easier and cheaper than ever for potential criminals to get access to malware. They are now packaged as a complete toolkit including exploit malware, encryption and key management software.

Also Ransomware kits are now extremely inexpensive. They are being sold for anywhere between US$3,000 for source code (including support and customisation options) to $40 for “try before you buy” demo single use versions. There is now even Ransomware as a Service that operates on a flat fee/commission per victim or profit share model! This means that not only is Ransomware now cheaper and more accessible; it is also available in a range of versions so potential criminals can make a selection based upon their budget and their intentions.

This leads us to the question… if you are unfortunate enough to become compromised by Ransomware do you pay, and if so, does it work? The current ransom amount appears to be around US$500 (payable only via Bitcoin). Further to this, anecdotal evidence from some local resellers suggest that paying the ransom has worked for their clients in cases where they absolutely had to get their data access back. There is however, still the risk that it may not work, despite paying the ransom, for a variety of technical reasons.


The pricing model of the ransom is something that has changed over past few years and I believe will continue to do so. When this type of attack first began, the ransom was much higher i.e. $4,000. As the bad guys business model has matured however, it is now a higher volume and lower cost play. The model is now based around Infecting more machines but making the ransom lower. This lower ransom is now an amount that people are more willing to risk compared to alternatives. Recently the pricing model has evolved again. The latest round of ransom demands have an initial price set at $500 (for example), but for every 24 hours after first going to your unique decrypt instruction page a clock starts ticking and the ransom doubles! I.e. in 48 hours it will be $1,000, so act promptly!

An interesting by-product of the pricing model evolution is that as the Ransomware model has matured, it is now in the criminals’ best interest that the decryption “works as advertised”! I.e. Follow the instructions, pay only $500 and you will get your files back tomorrow. If it did not work, victims would stop paying the ransom and the business model would be completely flawed. As bizarre as it sounds, this model actually calls for you to trust the criminals and their customer service.

Ransomware Target Market and Prevention

So who is getting infected and locked, and what can be done about it? It appears that Ransomware attacks are more prevalent in SMBs, as they generally have less sophisticated security mechanisms and policies in place than larger organisations. This is compounded by the fact that SMBs have limited IT resources and that among these resources there is not likely to be a Security Specialist.

Despite this statistic it is worth mentioning that phishing attacks targeting anyone and everyone are becoming more and more sophisticated through very realistic looking ‘bait’ emails. The Australia Post phishing attack is one such example, as is the more recent Telstra billing notification attack that even included a personal name and a realistic payment date.

In terms of preventing infection, client education is the most critical component. If something looks suspicious DO NOT OPEN the attachment or click on the link. It is imperative that not only management but more importantly staff are taught about the risks of Ransomware attacks. In particular, users need to be educated on how to recognise the tell-tale signs in phishing scams that lull people into believing an email is legitimate. If in doubt it is important they don’t open an email.

Secondly having a comprehensive backup and recovery system is essential. If things do go pear shaped, then at least a rebuild and restore process is an option for restoring critical data and getting your business up and running again.

Finally educating clients that end point AV programs by themselves are next to useless is critical. Clients need to know that they should be investing in a more comprehensive security architecture with supporting IT policies and resources (potentially as a service) to help to minimise their risk.


The Ransomware business model is now very sophisticated and continues to morph through social engineering techniques, and unfortunately these Ransomware attacks are unlikely to diminish in 2016. This means it is critical to educate your customers and staff about the very real risks that Ransomware presents to your and your client’s business. In addition to education, it is imperative that you and your clients have a reliable back up and restore solution and process in place in case an attack occurs.

Thanks to Cisco, WatchGuard, Intel Security & number of resellers for their assistance in researching this article.