In May of 2017, a ransomware cryptoworm called WannaCry claimed thousands of victims in a span of just a few days. Experts estimate that in total, the malware infected over 200,000 computers across 150 countries, resulting in hundreds of millions of dollars in damages.

WannaCry was, by far, the largest ransomware attack to date. The breadth of its success highlighted a scary realization for a lot of organizations: lack of preparation. Downtime, for any reason, is costly for all businesses, and ransomware attacks specifically threaten availability. But cybercriminals don’t limit their targets to just organizations. The ransomware business model allows for a much larger attack surface, and understanding that model is an important step to security.


What Sets Ransomware Apart from Other Cyber-Attacks

At its core, when you look past malicious intentions, ransomware was developed with customer service in mind. Thinking about it as a business transaction provides a better idea of why it has been so successful.

A typical ransomware attack looks like this:

  1. A phishing email with a malicious attachment is sent to the target.
  2. The target opens the attachment.
  3. Malware infects victim’s system and quickly encrypts all data.
  4. The victim is prompted to make a payment, usually via bitcoin, in a specified amount of time.
  5. The victim either agrees to make payment and is (hopefully) sent a key to decrypt data, or victim chooses not to send payment and data is lost forever.

Step 4 highlights a crucial element of business: customer service. Paying with Bitcoin, or any other cryptocurrency, automatically creates a technical barrier. Even in today’s super-trend of cryptocurrencies, most users and many organizations have no idea how to acquire Bitcoin (this was especially true before cryptocurrency exploded in 2017). So, if cybercriminals want to get paid, they have to assist their “customers” (victims) with a “how-to.” For all intents and purposes, the attackers provide customer service.

In fact, a few years ago, The New York Times published a tale of a woman who fell victim to a ransomware attack and was unable to provide payment before the deadline, causing the ransom to double. But she used the interface provided by the attackers to explain her case, basically pleading that she did everything she could to provide timely payment. They accepted her explanation and only charged her the original amount—a forgiving customer service experience that most credible businesses provide to their customers.

Step 5 highlights another crucial element of business: trust. No doubt, in many cases, attackers have accepted payment yet refused to send decryption keys. But if that were the norm, if most ransomware criminals treated victims this way, it would spell the end of these attacks because victims would likely never pay the ransom. Attackers that choose to dupe customers in this manner essentially ruin the entire operation for future would-be attackers.

Ransomware’s success centers around three fundamentals of business:

Ease of Use – the customer receives detailed instructions on how to make a payment and get their data back. Like all businesses, especially those that are internet-based, convenience is key.

Customer Service – even with detailed instructions, criminals have to be prepared to deal with non tech-savvy customers. After all, that is the ransomware market: people who are easy to phish. Therefore, customer service is of the utmost importance. One strain of ransomware went as far as to offer live support via chat.

Customer Satisfaction – like every business, satisfaction is an absolute must for repeat business. If a victim pays the ransom (akin to buying goods and services), the seller (the cybercriminal) must fulfill their end of the bargain. If word gets out that decryption keys are being withheld even after payment, future victims will be much less likely to make the payment. The ransomware economy would collapse if customer satisfaction wasn’t met.


Why This Matters

Motive is one of the first things law enforcement attempts to determine when they investigate a crime. The “why” often leads to the “whom.” Uncovering intent helps investigators reverse engineer the scene and discover clues that might help serve justice. Those clues also offer prevention techniques for future potential victims.

Similarly, understanding the why behind cyber-attacks helps organizations identify their most valuable assets through the lenses of cybercriminals. That vantage point sets the stage for prevention and recovery strategies. As always, education and awareness pave the road to security!

Justin Bonnema

Lead Writer at SAC
Justin left the music business to focus on his true passion: writing. A talented writer and detailed researcher, he’s involved in every department here at SAC to make sure all content is fresh and up-to-date. In his spare time, Justin writes about fantasy football for and practices mixology (he makes a mean margarita).