Why Ransomware? Why Now?

How Intelligence Would Address Infosec Questions

Jeremiah Grossman has asked an interesting question and proposed one hypothesis for a solution. Personally, I think the hypothesis is incomplete.

We had a brief discussion, but obviously there is no way to answer this question by speculating on Twitter.

How To Answer Questions About Adversaries

The question we want answered is laid out fairly well: Why is ransomware exploding now, and not years ago? Following the basic Intelligence Cycle we have our Tasking, and now we need to plan our Collection. What data will help us answer this question? How do we get that data?

Intelligence is data plus analysis.

Timeline of Events

It will be critical to have a timeline of events around ransomware malware, showing the start, the spread, including key innovations and the dissemination of the practice across criminal groups.

Timeline the Spread of Ransomeware Innovation:

  • When was the first ransomware released?
  • When was the first Bitcoin based ransomware released?
  • When was the second family of Bitcoin based ransomware released?
  • When was the third family of Bitcoin based ransomware released? (etc.)


An excellent point was raised about technical solutions for money transfer pre Bitcoin. The process for acquiring and transferring eGold or Liberty Reserve was about as complex as the process for Bitcoin (assuming a non technical “average” user.) So why wasn’t ransomware a serious problem a decade ago when computers were more vulnerable and there was an existing technical solution to transferring electronic money.

  • Was there ransomware that used eGold, Liberty Reserve or other early digital currencies?
  • If not, was there any specific operational issues related to those digital currencies which prohibited them from being used for ransom payments?
  • If there was pre Bitcoin digital currency ransomware, where do they fit on the timeline?
  • What happened to the malware? Did it have a large number of evolutionary iterations? Long duration?
  • Were there multiple families of ransomware? How many? Timeline them.
  • What happened to the criminal groups that developed and deployed them? Did they abandon ransom for other strategies, did they cease to exist, or what?
  • How lucrative was ransomware compared with alternative malware monetization strategies at the time? Real figures for the criminals.
  • Where there missing ransomware support infrastructure or services that inhibited the growth of early malware? For example, no exploit kits or traffic sales to help drive growth?

One hypothesis for the lack of earlier ransomware growth would be that at the time existing monetization strategies were sufficiently lucrative that there was no need to invest in innovation. As a business, committing to a new and unproven strategy is highly risky and not something likely to happen there’s an existing successful plan in place.

Ecosystem Adjustments

Attackers have finite resources. If they are delivering a ransomware malware payload they are displacing an alternative payload, such as a spam relay bot, bank fraud or credit card theft malware, etc. etc. Attackers will, in theory, invest their resources into the most profitable attacks they have the capability to execute.

Malware is a Business

The rise of ransomware will therefore be reflected by other changes in the malware based criminal ecosystem. There will be a rise on ransomware support services (such as call centers), but has there also been a change in other more traditional malware attack payloads? Are there fewer banking trojans, or not? That is, has ransomware displaced other malware variants (and if so, which ones?), or has it simply augmented and added to the number of active threat actors?

Has Ransomware Affected Other Attacks

  • What percentage of malware is ransomware?
  • How has that changed over time? (Link to ransomware innovation timeline)
  • Has the overall quantity of malware changed during that timeframe? Is that linked, and in what way, to the rise of ransomware?

Adversarial Evolution and Adaptation

The innovation of ransomware is to provide a better monetization mechanism for a compromised system. The majority of boxes that are pwned in malware campaigns are of very low value. Your family photos have great value for you, but they are completely worthless to a random criminal. Ransomware’s great innovation was to realize that those “worthless files” are actually extremely important to at least one person, the owner, and to monetize that value directly.

The knowledge of this value has existed for decades (see Jeremiah Grossman’s tweet), but clearly several key supporting factors were not in place until recently. One of those support factors was very obviously Bitcoin, but Bitcoin is itself several years old. What made criminal groups invest resources in developing Bitcoin based ransomware when they did, and not before? My hypothesis is that a reduction in revenue from other vectors forced a search for new streams. Cashing out credit cards is annoying, difficult, hard, and I suspect it is less profitable than it used to be.

Criminal Group Sensemaking

  • What do we know about criminal group revenue during the ransomware timeline? (Real actual cash money the member receive, not the bullshit estimates of bajillions of lost monies touted by industry frauste^Wmarketers)
  • Who developed the idea of BTC ransomware and when?
  • Who learned about BTC ransomware, and how?
  • Who created the innovation of targeted attacks (e.g. hospitals, police stations) over random drive by infections?

Collecting the information about the criminal groups generating the ideas for BTC ransomware, disseminating the innovation across the criminal underworld, and innovating new ways of increasing monetization would require a developing sources within the malware criminal community. There are people who have such sources and could probably provide a reasonably complete timeline of events regarding ransomware’s spread from the point of view of the malware criminal community.

Good Analysis Requires Experience (and Great Data)

With the data outlined above it will be possible to begin to understand why ransomware has become more prevalent now than it was years ago (e.g. why didn’t BTC ransomware rise at the same time as Silk Road? Both were criminal enterprise that relied on Bitcoin.)

In addition to the data sources, there needs to be a rigorous analysis of alternative competing hypotheses (ACH) along with other proven analysis techniques. (Aside: most useful analysis technique? years of experience in the domain being analyzed.)

Conclusion: Intelligence Isn’t Data Dumps

This is how Intelligence could provide awareness about the changing threat landscape that is the Internet we all use. The deliberate attempt to illuminate an issue by targeted data collection and rigorous analysis is what real intelligence can provide.

Anti virus firms will have the data to answer the majority of these questions. I hope they have the trained analysts to process and synthesize the data into actual intelligence. And I really hope that someone does this and disseminates the resulting intelligence product to the community. Any takers?