Crime school and Ransomware

If there were a business degree for criminals, I’m sure that the evolution of the ransomware business model would be a key case study. The original concept was elegantly simple: deploy malware onto a target company’s devices, encrypt the hard drive and then demand a ransom payment to provide the decryption key. The ransom demands were generally pitched at an affordable level. Then the criminals worked out that reputation would be important, and that reputation depends on their victims having a good experience, so they put in place help-desk services that enabled victims to get back up and running quickly and efficiently – thus making the payment of the ransom an easier way to respond.

A good business needs to diversify its routes to market – and ransomware criminals now support affiliates and make ransomware packages available on a partnership basis to help less experienced criminals widen the range of attacks.

And, finally (so far), ransomware criminals have also realised the benefit of diversifying their income streams. The first step was to exfiltrate as much valuable data as possible, prior to initiating the ransomware attack – and the exfiltrated data can then be the basis of a second ransom demand and/or sold to the highest bidder on the dark web. The second step is to sell information about a successful ransomware attack to financial share traders, who can then short the shares ahead of the attack being revealed – which also puts further pressure on the victim to pay the ransom in order to protect the share price!

It’s not surprising that ransomware is the fastest-growing segment of the cybercrime marketplace!