Copyright: jaizanuar
Extortion of money from companies through ransomware has become a successful business model. In 2021, an estimated 2000 companies were affected, with an estimated total ransom of $52M, and the number is rising fast. The ransomware business is an extortion economy with its own ecosystem of developers, marketplaces, users, and even courts. To see what we can do to reduce ransomware attacks, we must understand the business model of this ecosystem.

Classical business modeling techniques ignore the network of partners needed to implement a business idea, and they are not exact enough to predict the effect of an intervention intended to reduce the attractiveness of a business model. Ransomware, however, is a network phenomenon and requires network-level reasoning to predict the effect of an intervention.

For example, in 2018 Putnam, Abhishta and Nieuwenhuis described a business model for botnets that quantified revenue streams but could not relate the numbers to the network required to set up a botnet [1]. Below I present this network. It shows at a glance where and how law enforcement should fight ransomware networks: by increasing the costs of key players in the ransomware ecosystem.

The boxes in the following diagram represent actors in the botnet ecosystem, and the arrows represent services. The dollar values in the diagram have been collected from the paper by Putnam, Abhishta and Nieuwenhuis [1].

A botnet is a network of computers and other computing devices controlled by a botmaster, who can use the capacity of the net to perform attacks. However, instead of performing the attacks themselves, botmasters can rent out the botnet as a service to a botnet user, who then uses it to extort ransom from victims.

The malware to create and run a botnet is developed by developers and can be rented or sold to a botmaster. The devices needed to create the botnet are infected by malware distributors at a cost of less than 10 cents per infection. Data stolen from victims is stored by bulletproof hosting providers.

Actors below the line provide services to any or all of the actors above it. Payments in the network may be made anonymously in cryptocurrencies, but at the end of the day the actors want fiat money, so exchanges and banks provide their services too. The actors cooperating to create a botnet meet in hacker forums and marketplaces on the dark web. Disputes are resolved in hacker courts on the dark web.

What does the network reveal about ransomware botnets? First, that malware development requires a considerable investment, so malware developers need a continuing stream of customers. Second, infection is ridiculously cheap to achieve, which reflects the low level of security of many devices. Third, hosting and payment providers are actors who probably do legal business, but additionally provide essential services to the illegal ransomware economy.

These touchpoints with the legal economy are the handles to fight ransomware botnets. Law enforcement can trace ransom payments through payment providers and retrieve at least part of the ransom, as the DOJ did with the Colonial Pipeline ransom payment. Device manufacturers should be forced to make infection by botnet malware more expensive. Regulation can be created to prevent hosting providers from supporting illegal activities. Last but not least, victims should get help making their computer systems more resilient against ransomware attacks.

These insights are not revolutionary, and network business models do not provide a silver bullet for combating ransomware attacks. But they are a visual support for following cash flows in ransomware ecosystems and for identifying the nodes where fighting the networks will be most cost-effective.

[1] C. Putnam, Abhishta and L. Nieuwenhuis, “Business model of a botnet,” in Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP), 2018.