Exploit kit traders and ransomware slingers are in one of the most profitable industries in the world, landing a whopping 1,425 per cent return on their outlay for raiding legitimate trade.
Figures from infosec firm Trustwave show the blackhats who are enjoying what appears to be a current boom can score outrageous amounts of money by using off-the-shelf exploit kits to deliver ransomware, trojans, and ad stealers to victims.
The company reckons crims could clear a conservative $84,000 a month on a $5,900 outlay covering the CTB Locker ransomware, the RIG exploit kit, stolen web traffic, and malware crypting packer services.
Net scum stand to make even more if they invest in concurrent ransomware and exploit kit campaigns.
"That’s an exceptional, albeit unethical and illegal, investment," the company says in its annual report [PDF].
"In addition, we have largely chosen conservative figures for this exercise, and there’s nothing stopping a criminal from simultaneously managing several campaigns."
Crims need to pay $3,000 for the ransomware, $1,800 for a hacked high-traffic site, $500 for RIG, and $600 for anti-antivirus crypters over a month to hit their profit targets.
Trustwave's worked example has RIG infecting one in ten visitors to a booby-trapped web page, of whom half of one per cent cough up a ransom averaging $300. Working back from the $84,000 profit plus the $5,900 outlay, that is roughly $90,000 a month in ransoms, or about 300 paying victims, which in turn needs around 60,000 infections and some 600,000 visits to the compromised site a month, about 20,000 a day.
The margins are a clear indicator of the commoditisation of crimeware, removing the need for blackhats to be jack-of-all-trades and facilitating rapid specialisation.
Exploit kits are popular off-the-shelf hacking tools for their ability to target a range of recently patched and zero-day vulnerabilities in platforms including Adobe Flash, Java, and Silverlight.
Ransomware too is sold in shiny tins, often to be paired with exploit kits. The commoditisation means ransomware code is now harder to reverse engineer, with writers focusing on foiling system administrators' efforts to back up files.
Trustwave bases its profit figure on an average ransom payment of $300, a figure which often blows out to $5,000 and beyond for smaller-scale and more targeted attacks.
Industry security types told this writer, at the recent AusCERT conference, about retail chains and hotels that have paid up to $10,000 in single ransoms after important files were encrypted. Common advice is to pay the attackers and move on.
The returns help keep hackers in the top 10 most profitable criminal enterprises, trailing behind drugs, human trafficking, and illegal weapons trading, but decimating dentists, who eke out a meagre 101 per cent return on equity. ®