If you’ve been paying any attention for the past few weeks, you know what ransomware is. It’s a pretty massive pain for anyone who gets it, and in some cases, it was a matter of life and death.
It’s easy to understand what makes this stuff scary, but there’s another angle most haven’t caught on to yet, and it’s not a pleasant train of thought.
Firstly, let’s consider a few thing.
- Getting rid of malware is expensive
- Recovering from a compromise is even more expensive
- Ransomware has a clear and speedy ROI
- Normal people don’t have a ton of important data
So let’s start with #1 and #2. If you are compromised in some way, even if it’s just some malware, it’s going to cost a lot to clean up the mess. Probably magnitudes more than the current ransom. It’s cheaper to pay than to clean up the mess. This will remain true as there isn’t an incentive for the authors to price themselves out of business. The ransomware universe is econ 101. If you’re an economics PhD student and you want to look impressive, write your thesis about this stuff; you’ll probably win some sort of award. We’ll get back to the economics of this shortly.
If we think about #3 it’s pretty obvious. You write some malware, it literally pays you money. This means there is going to be more and more of this showing up on the market. Regular old malware can’t compete with this. Ransomware has a business model, a really good one, except for that whole being illegal and really unethical part. Non ransomware doesn’t have such an impressive business model. This is a turning point in the malware industry.
To date most of the ransomware seems to have been targeted at normal people. The price was a bit too high I thought, $400 is probably more than the average person will or can pay. The last few we’ve heard about hit hospitals though, and they charged a higher fee. This is basic economics. A hospital has more money than a person, and the data and infrastructure means the difference between life and death. Paying the fee will cost less than hiring a security professional. And when you’re in the business of keeping people alive, you’ll pay that fee if it means getting back to whatever it is you do.
If the ransomware knows where it is and what sort of data it has, the price can fluctuate based on economics. Some businesses can afford a few days of downtime, some can’t. The more critical the data and system is to your business, the more you’ll be willing to pay. Of course there is a ceiling on this, if the cost of hiring some security folks is less than the cost of paying the ransom, anyone with a clue is going to pay the expert to clean up the mess. This is the next logical step in the evolution of this business model.
If we keep thinking about this and bring the ransomware to its logical conclusion, the future versions are going to request a constant ongoing payment. Not a one time get out of jail free event. Why charge them once when you can charge them over and over again? Most modern infrastructures are complex enough it will be hard to impossible to remove an extremely clever bit of malware. It’s going to be time for the good guys to step it up here, more thoughts on that some other day though.
There is even a silly angle that’s fun to ponder. We could imagine ransomware that attacks other known malware. If the ransomware is getting a constant ongoing payment, it would be bad if anything else could remove it, from legitimate software to other ransomware. While I don’t think antivirus and ransomware will ever converge on the same point, it’s still fun to think about.