Beyond the Hyperbole: A Realistic Look at the Financial Payout of Ransomware
Discussions about cybersecurity often unfold amidst grandiose and alarming narratives: ‘high impact,’ ‘critical,’ ‘most dangerous vulnerability’ – phrases designed to catch headlines. The conversation floats at a lofty level, warning organizations of a complex, risky business environment where, in an instant, they could be brought to a standstill and suffer significant financial losses due to a breach.
Yet, while these warnings are grounded in truth, the surrounding hyperbole often induces fatigue. It’s always portrayed as ‘the end of the world’ or the ‘worst thing ever,’ yet without providing much-needed context or a realistic gauge of the actual impact.
So, today, let’s delve into an updated CISA/FBI advisory, focusing on a familiar name in the threat landscape – Royal (now BlackSuit) Ransomware – and the financial incentives driving its activities.
Historically, we’ve discussed how this group operates and some activities attributed to them. They thrive in the ransomware domain, duping employees of various organizations into clicking links to attacker-controlled resources (phishing emails) and subsequently deploying payloads within the organization’s internal systems.
Here’s where their approach diverges from the norm. Standard ransomware encrypts systems and demands a bitcoin or equivalent as ransom – a few thousand dollars’ worth of inconvenience, at most, for a large company. This restrained ransom amount often leads organizations to consider, and regrettably sometimes pay, to resolve the situation swiftly and with fewer complications.
However, Royal Ransomware operates on a grander scale. Per the CISA/FBI advisory, since September 2022, they have demanded over 275 million dollars in ransoms from various organizations – a stark contrast to a modest bitcoin. Of course, not all those ransoms have been paid, but even a minimal percentage of payments amounts to a considerable profit for such an illegitimate activity.
Interestingly, they have steered clear of the ransomware-as-a-service model, a common evolution for experienced threat groups aiming to become more of a service provider than a direct exploit actor. Our prior analysis suggested a potential shift towards ransomware (or hacking)-as-a-service, but recent observations contradict this. Royal has continued to operate independently, not offering their services or infrastructure to third-party groups. Although they don’t target any specific industry over others, their high-profile hacks, like the recent Silverstone Circuit incident, indicate a strategy of targeting notable entities and high-value companies to increase the likelihood of ransom payment. Their dark web portal, listing current victims, often includes major companies across different fields.
Our earlier speculation that Royal and BlackSuit might be a single group refining its tools is now confirmed by the CISA/FBI advisory. They have expanded their targets from Windows systems to the more lucrative Linux server space, in line with their evolving operations.
It will be intriguing to observe how such groups adapt to new regulations, like the SEC’s mandatory reporting rules coming into effect this month. Whether the enforced disclosure of hacks will diminish ransom payments, thus impacting their business model, or if their activities will persist unabated, remains to be seen.
These developments underscore the significance of the human element in cybersecurity, often a more vulnerable link than the technical aspects. Emphasizing the severe financial repercussions of criminal activities during employee training could reinforce the importance of cybersecurity. This, coupled with the basic practices of timely patch management, at least provides an initial deterrence factor against such groups.
Considering that their ransom demands for a year far exceed most companies’ operational profits for a similar period, the incentives – and risks – of such activities become clear, underscoring why cybersecurity must remain a priority. With threat actors eyeing such high returns, organizations can never afford to be complacent about their security measures.
In this realm, as in many others, it ultimately comes down to money.