
    Is Being a Ransomware Affiliate Profitable? The Maths Says it is!

    While plenty of industry data and news stories confirm that ransomware gangs are raking in tens to hundreds of thousands of dollars per successful attack, is the business of ransomware actually profitable?

    All we ever hear about cybercriminal gangs is the “glamorous” part of their work – where they compromise an organization’s network, hold much of it for ransom, and are paid a sum of money to make it all go away. But having worked in the software space for decades, I can tell you there are a lot of costs that go into building a commercially-ready piece of software that’s bug free and works consistently as expected. And don’t forget to add in the affiliate fees (estimated to average around 75% of the ransom collected). All these costs can get pretty hefty, regardless of how much ransom is paid.

    Even when we consider how much ransomware gangs are taking in on each attack ($136K on average, according to Coveware), it raises the question: is ransomware, as a legitimate business, profitable?

    AI Researcher Erik Galinkin over at Rapid7 has done some math on ransomware probabilities, using the following formula (which I’ve augmented a bit):

    [P (Payment Success) * P (Attack Success) * Ransom Amount] – Cost = Profit

    P represents the corresponding probability of attack success and of payment success (not every attack attempt will compromise a network, let alone result in a ransom being paid).

    I’d further suggest putting this calculation into an As-a-Service model, where we look at this from the perspective of an affiliate, yielding the following:

    [Affiliate % * P (Payment Success) * P (Attack Success) * Ransom Amount] – Costs = Affiliate Profit per attack

    He goes on to cite stats that estimate the probability of payment at 56% and of attack success at 54%. I’d add the average affiliate fee of 75%. Plugging this into the calculation, we get:

    [0.75 * 0.56 * 0.54 * 136,000] – Costs = Affiliate Profit per attack

    Simplifying this we get:

    $30,844 – Costs = Affiliate Profit per attack

    So, what are the costs an affiliate incurs? There are costs around performing the diligence necessary to identify and target specific companies and the individuals within them, potentially coding the emails to look legitimate, time spent negotiating with the victim, and in some cases all of the “normal” costs of doing business, including rent, computers, benefits, etc.

    While it’s impossible to put an estimate on those costs, it’s evident that the higher the number of successful attacks, the more profit the affiliate makes.

    Galinkin goes on to make a really good point that applies to both affiliates and “direct-to-consumer” ransomware gangs:

    The more difficult you can make it for an attack to be successful, the lower the probability of successful attack, the lower the likelihood of a paid ransom – and in the spirit of the calculation, which looks at the value of an attack over a multitude of attacks, the lower the average profit per attack.
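The formula above and the point about lowering the attack-success probability, worked through as an added example (not code from the post, Coveware, or Rapid7). The ransom size, payment probability, attack-success probability and affiliate share are the figures quoted in the post; the per-attack cost is an assumed parameter, since the post says it cannot be estimated.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AffiliateModel:
    """Inputs to the post's per-attack expected-profit formula."""
    ransom: float           # average ransom, USD (Coveware figure quoted in the post)
    p_payment: float        # P(Payment Success): victim pays once compromised
    p_attack: float         # P(Attack Success): attempt actually compromises the network
    affiliate_share: float  # fraction of the ransom the affiliate keeps
    costs: float = 0.0      # per-attack costs; assumed parameter, the post does not estimate it

    def expected_revenue(self) -> float:
        """Affiliate % * P(Payment Success) * P(Attack Success) * Ransom Amount."""
        return self.affiliate_share * self.p_payment * self.p_attack * self.ransom

    def expected_profit(self) -> float:
        """The post's 'Affiliate Profit per attack': expected revenue minus costs."""
        return self.expected_revenue() - self.costs

    def breakeven_costs(self) -> float:
        """Per-attack spend above which the affiliate loses money on average."""
        return self.expected_revenue()


def profit_after_hardening(model: AffiliateModel, attack_success_reduction: float) -> float:
    """Expected profit when defences cut P(Attack Success) by a relative fraction.

    A reduction of 0.5 halves the attack-success probability; the ransom size,
    payment probability and affiliate share are left unchanged.
    """
    if not 0.0 <= attack_success_reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    hardened = replace(model, p_attack=model.p_attack * (1.0 - attack_success_reduction))
    return hardened.expected_profit()


# Figures quoted in the post: $136K average ransom, 56% payment, 54% attack success, 75% share.
BASELINE = AffiliateModel(ransom=136_000, p_payment=0.56, p_attack=0.54, affiliate_share=0.75)

if __name__ == "__main__":
    print(f"Break-even per-attack cost: ${BASELINE.breakeven_costs():,.2f}")
    # Assumed per-attack cost of $10,000 to show how hardening eats into the margin.
    costed = replace(BASELINE, costs=10_000)
    for cut in (0.0, 0.25, 0.50, 0.75):
        print(f"P(Attack Success) cut by {cut:.0%}: ${profit_after_hardening(costed, cut):,.2f}")
```

With the assumed $10,000 cost, cutting the attack-success probability by three quarters pushes the expected profit per attack below zero, which is the post's argument in numbers.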

    So, what can you do to reduce that probability of a successful ransomware attack? The industry data has been clear on this for the last few years: ransomware comes in via one of three vectors: vulnerability exploitation, RDP, or phishing. A mature vulnerability management program reduces the first vector’s success rate, killing externally-accessible RDP does so for the second, and educating users via continual Security Awareness Training demolishes the chances of the third.

    Are ransomware gangs and their affiliates profitable? Most certainly. Think you can’t stop them? You can – just do the math.


    Free Ransomware Simulator Tool

    Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

    KnowBe4’s “RanSim” gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

    Here’s how it works:

    • 100% harmless simulation of real ransomware and cryptomining infections
    • Does not use any of your own files
    • Tests 21 types of infection scenarios
    • Just download the installer and run it
    • Results in a few minutes!
