The hackers behind recent high-profile ransomware attacks on U.S. hospitals are using business methods that might be familiar to some Silicon Valley start-ups.
Cybercriminal gangs are attacking large markets with rich customers. They offer a product with a clear value proposition (giving you back your seized data) that alleviates a specific pain point (the inability to run your business). They act with agility and stealth enabling them to outwit the competition. They are also scrappy, often bootstrapping their illicit businesses.
"It is an economic business system, it is just perpetrated at a criminal level," said Matt Devost, CEO of FusionX, a unit of Accenture. "There are a lot of analogies between that and a start-up environment."
What started as a basic scam — extorting, say, a $300 ransom from a grandmother wanting to get family photos back — has escalated. Last year there was a "reported loss of more than $24 million as a result of ransomware attacks," according to the FBI, a figure that surely massively underrepresents the scale of the problem due to the unwillingness of many victims to report.
The start-up costs for an illicit ransomware business are minimal. The hackers write their own code or buy ransomware as a service on the black market, often as part of a suite of other products.
Many groups are already operating other cybercriminal businesses, so getting into the ransomware business is just another way of leveraging existing talent and infrastructure. It requires minimal investment, is relatively low risk and the returns are potentially massive.
Enterprise victims frequently have no choice but to pay up, since hackers are often able to seize backup data as well, said Denise Anderson, president of the National Health Information Sharing and Analysis Center. "So if they need to stay in business, they are paying it."
With the recent attacks on U.S. hospitals, the assailants are expanding beyond consumer to enterprise "customers" — their victims — and adjusting pricing accordingly. For example, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in bitcoin in February. Other enterprises are likely paying a lot more than that already, said experts. (The FBI does not condone payment of ransom, an agency official told CNBC.)
"I imagine it will hit into the millions of dollars, if they are able to infect some of the right types of targets in an enterprise environment," said Devost.
Like smart start-up CEOs, the hackers are testing the market and refining the business model. As the vast majority of attacks are likely settled without going public, more research is needed to figure out just how profitable the business really is, said experts. Unlike the criminal networks, which often share information freely, many of the victims do not.
"The cybercriminals collude when their business model merits it," said Anderson. "Shame on us for not working together to protect against them."
The most lucrative potential victims have a specific set of characteristics. They hold critical information and infrastructure, have immature and vulnerable security programs and the ability to pay the ransom. Small- to medium-sized U.S. hospitals have proven to be a sweet spot in ransomware because of their often poor security infrastructure as well as the willingness to pay to retrieve patient data, get back online quickly and prevent reputational damage.
"We will see much more successful attacks in other industries," said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.
Law firms, which protect confidential and valuable information about their clients, and venture-backed start-ups that have invested in developing intellectual property are two targets criminals may increasingly go after, he said.
The black market for high-value trade secrets or intellectual property is a lot more lucrative than the market for personally identifiable information, which is fairly saturated after numerous data breaches, said Devost. It is also a lot riskier, potentially exposing hackers attempting to sell their ill-gotten goods to law enforcement.
Within businesses, it is almost always employees at the top and bottom of the pyramid who represent the best "leads" for attackers. Often, hackers will specifically target C-level executives with high-level access to an entire corporate network, or find success when low-level employees click on something they should not, said Vinny Troia, CEO of cybersecurity consulting firm Night Lion Security.
In a perhaps counterintuitive twist, some ransomware criminals actually want to make their attacks "user friendly" for their victims. Like legitimate businesses, they want to maintain a five-star rating, said experts. Some will offer the opportunity for victims to "try before they buy," unencrypting a small portion of the files held hostage to prove they can deliver the product — a decryption key to get their files back.
They are creating user interfaces with sleeker designs and, in some cases, even providing customer support to make it easier to for victims to pay, said Devost. That makes it easier for even low-level victims — i.e., the grandma who just wants her photos back, and who has never heard of bitcoin — to make a payment.
"To the extent that you have a support apparatus to help your victims pay tells me there is a lot of money being made," said Cabrera.
On the back end, the hackers continue to innovate to make ransomware more robust, and to stay one step ahead of cybersecurity companies and law enforcement. When the "good guys" discover a decryption key, they often release it to enable victims to decrypt their own data, undercutting the attackers' business.
An example of how nimble these illicit enterprises are is shown by the rapid product evolution of CryptoWall, first released in 2014. CryptoWall is one of the most widely used forms of ransomware, and has been updated several times to make it stronger, said cybersecurity and threat intelligence firm Webroot in its 2016 Threat Brief.
CryptoWall 3.0 is smarter, more secure and stealthier than previous generations. The malware generates unique encryption keys instead of using one key for all infections, secures the master key itself to prevent unauthorized access, and conceals the location of the servers containing the decryption keys and payment mechanisms, among other things.
"In late 2015, CryptoWall 4.0 was released, with numerous enhancements to help sidestep security software," said Webroot.
The next evolution of CryptoWall will likely more aggressively try to encrypt attached network storage devices, Devost said.
The software is largely operated by criminal gangs, many with ties to organized crime, often located in Eastern Europe and Russia.
"Whenever it comes to malware that is written with the focus of strictly making more of a profit, it has typically come out of that region of the world," said Brian Calkin, vice president of operations at the Center for Internet Security.
For example, the architect believed to be behind CryptoLocker, Evgeniy Mikhaylovich Bogachev, remains at large, and is suspected to be in Russia. "Many of the most sophisticated cybercriminal actors are located in jurisdictions that do not cooperate directly with the United States," said the U.S. Department of Justice on March 4 in response to an inquiry by Sen. Tom Carper (D-Del.) about the challenges in bringing the suspected criminals behind these types of ransomware attacks to justice.
"If all individuals and businesses backed up their files, ransomware that relies on encrypting user files would not be as profitable a business for cybercriminal actors," said the DOJ.
The business of backing up data is also booming thanks in part to the recent high-profile ransomware attacks, with cybersecurity companies crowding the market. For example, Code42 provides a backup and real-time recovery solution. The company counts 37,000 organizations — including Lockheed Martin, Mayo Clinic and Kohl's — as customers.
"If you had our solution you certainly would not have to pay for ransomware," said Rick Orloff, chief security officer at Code42. "The flip side of the coin is, here is a thousand types of vulnerabilities, do you want to pay to be protected from all of them?"
"Companies need to align around what types of attacks do they want protection from," he said.