Examining Ransomware Payments From a Data-Science Lens

In partnership with: Erin Burns, Eireann Leverett of Waratah Analytics

Ransomware has come a long way since the Internet’s pre-cryptocurrency days. The advent of cryptocurrency was an important turning point in the evolution of this cyberthreat, as malicious actors are now no longer confined to the local or regional payment options available to them when collecting ransom payments.

The operational costs and monetization models of a ransomware group can be telling of its persistence methods, the tactics, techniques, and procedures (TTPs) in its arsenal, and the qualifications of its members: all valuable insights for defenders if they are to mount a defense strategy that can hold out against increasingly sophisticated ransomware attacks. Previously, we explored how analyzing CVE data through data-science approaches can guide cybersecurity teams’ patching priorities; CVE data is one of many data sources that organizations can turn to as a means of understanding the inner workings of the ransomware ecosystem. In this entry, we discuss case studies that demonstrate how data-science techniques were applied in our investigation of ransomware groups’ ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.”


Ransomware groups profile potential victims to calculate the ransom amount

Several factors contribute to the ransom amount that attackers initially demand from their victims and, later, over the course of negotiations with them, the minimum amount for which malicious actors are willing to settle. The victim’s revenue is one of the attacker’s top considerations. Based on Conti’s leaked internal chat logs, we observed that the historic ransomware group, which had its own dedicated open-source intelligence (OSINT) team that collected information on potential victims, profiled companies and kept tabs on their financial state using business information that was publicly available online.

The contents of the data stolen in a ransomware attack, including sensitive financial information like recent monetary transactions, bank statements, and tax reports, might also factor into the negotiation process: if the victim claims an inability to pay when the ransomware actors are aware of contract payments or available funds found on the victim’s systems, the attackers might retaliate by hiking up the ransom amount or publishing the victim’s data.


Their business model determines a ransomware group’s operational costs

Ransomware groups need to cover the costs of their operations if they are to turn a profit and prove their business model effective. Some groups demand a fixed amount from all their victims, while others set the ransom based on a detailed profile of the victim. Knowing how the attackers operate and the size of the ransom can help security teams distinguish targeted from non-targeted ransomware campaigns. Being able to tell the difference is important, as countering each kind of attack requires its own defense strategy.

Operational costs vary across ransomware groups and depend largely on the business model of the attackers. If the ransom amount is negotiable for ransomware actors, the costs that they incur in an attack designed for a particular victim might be used as a lower-bound estimate for the ransom.

For ransomware groups whose business model involves adjusting the ransom size to the victim, we observed that ransom payments vary greatly in size, as was the case for the ransomware-as-a-service (RaaS) Cerber (Figure 1). On the other hand, ransomware like DeadBolt, which is focused on volume-based attacks, shows little variation (Figure 2). Indeed, groups like Cerber calculate the initial ransom size and the threshold of the negotiated amount based on the individual target, because organizing and carrying out an attack on a specific victim might require additional personnel and infrastructure.
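The contrast above, wide variation in Cerber payments versus near-constant DeadBolt payments, can be turned into a simple classifier over a group's payment history. The following Python is an added illustration, not code from the original article or from Waratah Analytics; the payment amounts are constructed sample data, not real transaction records, and the 0.5 coefficient-of-variation cut-off is an assumed heuristic rather than a value from the research.

```python
"""Dispersion of ransom payments as a signal of a group's pricing model.

Added illustration, not code from the original article or from Waratah
Analytics.  The payment amounts below are constructed sample data (USD),
not real transaction records; the classification threshold is an assumed
heuristic.
"""
from statistics import mean, median, pstdev, quantiles

# Constructed sample payments (USD) for two hypothetical groups.
SAMPLE_PAYMENTS = {
    # Victim-adjusted pricing: amounts spread over several orders of magnitude.
    "group_a": [450.0, 1_200.0, 9_800.0, 52_000.0, 2_300.0, 310_000.0,
                7_750.0, 98_500.0, 18_200.0, 1_050_000.0],
    # Volume-based pricing: every victim is asked for roughly the same sum.
    "group_b": [1_150.0, 1_150.0, 1_180.0, 1_150.0, 1_120.0, 1_150.0,
                1_150.0, 1_200.0, 1_150.0, 1_150.0],
}


def dispersion_profile(payments):
    """Return summary statistics describing the spread of a payment sample."""
    if len(payments) < 2:
        raise ValueError("need at least two payments to measure dispersion")
    q1, _q2, q3 = quantiles(payments, n=4)  # quartile cut points
    med = median(payments)
    return {
        "n": len(payments),
        "median": med,
        # Coefficient of variation: population std. dev. relative to the mean.
        "cv": pstdev(payments) / mean(payments),
        # Interquartile range relative to the median; robust to a few outliers.
        "iqr_over_median": (q3 - q1) / med,
        # Ratio between the largest and smallest observed payment.
        "max_over_min": max(payments) / min(payments),
    }


def classify_pricing_model(payments, cv_threshold=0.5):
    """Label a sample 'victim-adjusted' or 'fixed' from its dispersion.

    A high coefficient of variation indicates the ransom is tailored to each
    victim (Cerber-like); a low one indicates a flat demand (DeadBolt-like).
    The default threshold is an assumed heuristic for this example.
    """
    profile = dispersion_profile(payments)
    label = "victim-adjusted" if profile["cv"] > cv_threshold else "fixed"
    return label, profile


def report(samples=SAMPLE_PAYMENTS):
    """Classify every group in `samples` and return {group: label}."""
    results = {}
    for group, payments in samples.items():
        label, profile = classify_pricing_model(payments)
        results[group] = label
        print(f"{group}: n={profile['n']} median={profile['median']:,.0f} "
              f"cv={profile['cv']:.2f} iqr/median={profile['iqr_over_median']:.2f} "
              f"max/min={profile['max_over_min']:.1f} -> {label}")
    return results


if __name__ == "__main__":
    report()
```

In practice the threshold should be calibrated on groups whose pricing model is already known, and the interquartile-based measure is the one to trust when a handful of unusually large payments would otherwise dominate the coefficient of variation.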
