According to a study by the blockchain analysis firm Elliptic, the Darkside ransomware gang received over $90 million in ransom payments in the last nine months. The most notable of these payments was reportedly Colonial Pipeline's, at upwards of $5 million, well above the average payment Darkside demands. Additionally, because Darkside operates on a Ransomware-as-a-Service (RaaS) model, the developers of the ransomware themselves received around $15.5 million, with the remainder going to the affiliates who rent the malware and carry out the intrusions.
While Darkside has suddenly gone missing and forums like XSS now disallow the sale of ransomware, the market itself has found neither a shortage of victims nor any desire to stop. Because ransomware is both profitable and disruptive, we will likely continue to see attacks big and small in the future. It should also be noted that ransomware is not a simple problem: the considerations that go into paying or not paying the ransom stretch far beyond a bitcoin transaction. On the defensive side, the actions taken before ransomware is deployed are often easy to identify, because the commands are executed at a pace, and in a sequence, that is rarely well hidden. Groups such as The DFIR Report have documented in detail how and what commands are executed before a group deploys ransomware, which gives defenders concrete behaviour to alert on. The cost of investing in detection engineering and log ingestion is small compared with the full cost of a ransomware incident, which goes well beyond the ransom itself.
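As an added illustration, not code from the original post or from any ransomware group's or DFIR team's tooling, the script below shows how the "pace" observation above can be turned into a simple detection: it parses process-creation log lines and alerts when several distinct discovery or recovery-inhibition commands run from the same host and user within a short window. The log format, the command patterns, the window and threshold values, and the sample events are all assumptions chosen for this example, and the events are constructed, not real telemetry.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
# Assumed field layout: ISO-8601 timestamp, host, user, command line.
SAMPLE_EVENTS = """
2021-05-04T02:14:01Z srv01 CORP\\svc_backup whoami /all
2021-05-04T02:14:03Z srv01 CORP\\svc_backup net group "domain admins" /domain
2021-05-04T02:14:05Z srv01 CORP\\svc_backup nltest /dclist:corp.local
2021-05-04T02:14:09Z srv01 CORP\\svc_backup vssadmin delete shadows /all /quiet
2021-05-04T02:14:12Z srv01 CORP\\svc_backup bcdedit /set {default} recoveryenabled no
2021-05-04T09:30:00Z ws17 CORP\\alice whoami
2021-05-04T10:45:10Z ws17 CORP\\alice net user alice /domain
"""

# Illustrative patterns for discovery and recovery-inhibition commands.
# This list is the example's own choice and is not exhaustive.
SUSPICIOUS = [
    re.compile(r"^whoami\b", re.I),
    re.compile(r"^net\s+(group|user|localgroup)\b", re.I),
    re.compile(r"^nltest\b", re.I),
    re.compile(r"^vssadmin\s+delete\s+shadows", re.I),
    re.compile(r"^wmic\s+shadowcopy\s+delete", re.I),
    re.compile(r"^bcdedit\b.*recoveryenabled\s+no", re.I),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Parse the assumed 'timestamp host user command' layout into dicts."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        ts, host, user, cmd = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "user": user,
            "cmd": cmd,
        })
    return events


def is_suspicious(cmd):
    return any(p.search(cmd) for p in SUSPICIOUS)


def detect_bursts(events, window_seconds=60, threshold=3):
    """Alert when >= threshold distinct suspicious commands from one host/user
    fall inside a sliding window of window_seconds. A single command in
    isolation (an admin running whoami) never alerts; the burst does.
    Repeated alerts for the same growing burst are suppressed for one window."""
    alerts = []
    windows = {}     # (host, user) -> deque of (ts, cmd) inside the window
    last_alert = {}  # (host, user) -> ts of most recent alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev["cmd"]):
            continue
        key = (ev["host"], ev["user"])
        dq = windows.setdefault(key, deque())
        dq.append((ev["ts"], ev["cmd"]))
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while dq and dq[0][0] < cutoff:
            dq.popleft()  # drop events that fell out of the window
        distinct = {c for _, c in dq}
        recently_alerted = (
            key in last_alert
            and ev["ts"] - last_alert[key] < timedelta(seconds=window_seconds)
        )
        if len(distinct) >= threshold and not recently_alerted:
            last_alert[key] = ev["ts"]
            alerts.append({
                "host": key[0],
                "user": key[1],
                "start": dq[0][0],
                "commands": [c for _, c in dq],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {a['host']} {a['user']} burst starting {a['start']}:")
        for c in a["commands"]:
            print("   ", c)
```

Run against the constructed sample, the detector raises one alert for srv01 / svc_backup, whose five discovery and shadow-copy commands land within eleven seconds, and stays silent for ws17 / alice, whose two benign-looking commands are over an hour apart. In a real deployment the same logic would be fed from Sysmon Event ID 1 or Windows Security 4688 records, and the pattern list would be tuned to the environment's own baseline of administrative activity.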
I've worked a lot of #ransomware incidents and I've found that most companies don't realize what the true cost of a ransomware incident is.
But isn't it just paying the ransom or restoring and you're done? Nope. Here are the (potential) costs (based on my experience): (1/X)
— Tyler Hudak (@SecShoggoth) May 4, 2021