Photo: AP

The black market economy fueling ransomware distribution is booming, according to new research.

In an October report, researchers at anti-malware service Carbon Black identified a 2,502 percent increase in ransomware software sales from 2016 to 2017. The study involved monitoring 21 of the top dark web marketplaces. The data gathered was then extrapolated to produce estimates for the more than 6,300 estimated marketplaces currently offering ransomware.


The 2,502 percent increase in sales translates to roughly $6.2 million in sales, up from the year’s previous total of about $250,000.

While the total isn’t much to look at, the reported growth is nevertheless impressive—if not foreboding. The researchers note that it’s spurred by an increase in supply and demand: “Cybercriminals are increasingly seeing opportunities to enter the market and looking to make a quick buck via one of the many ransomware offerings available via illicit economies,” the study says.

The expanding ransomware market is made possible not only by tools making the anonymization of commerce simple—Bitcoin and Tor, to name two—but also by the proliferation of ransomware services making it easy for nearly anyone to launch their own illicit startup. “As a result of the maturity with these innovations, the underground ransomware economy is now an industry that resembles commercial software—complete with development, support, distribution, quality assurance, and even help desks.”


Ransomware payments last year reached $1 billion, according to CSO Online, roughly a 4,000 percent increase from the previous year’s total.

Ransomware developers, too, are raking in big bucks, with some netting more than $100,000 a year, while the median income for their peers in legitimate industries falls closer to $70,000. And thanks to the underground supply chain, it’s no longer necessary for a ransomware author to manufacture an entire toolkit alone: While one coder might specialize in the encryption that locks victims out of their devices, another may specialize in methods for collecting payments.

Ransomware developer salary vs legal software development by country is shown below. (Carbon Black)

This kind of specialization is a key factor driving the underground economy, experts say. Launching profitable ransomware campaigns no longer requires one person to be “good” at creating and deploying complex ransomware. Knowing where to buy all the necessary components to complete the toolkit is all that’s required.


“The economy itself has become so much more robust because of the now-existing service layers,” Carbon Black reports. “These services drive down the barrier to entry and attackers no longer have to have multiple specializations. In fact you don’t have to have any. You just need some Bitcoin. This enables anyone who is inclined to launch attacks.”

The target universe itself is endless, thanks largely to a widespread lack of fundamental security controls: Businesses have continued to ignore critical warnings about the need to backup data, and few test their own security or patch out-of-date software. The researchers warn that law enforcement is entirely useless in preventing attacks; companies are largely on their own, they said.


The key to stopping the attacks, of course, is to convince enough people to stop paying. At present, roughly 59 percent of respondents say they’d be willing to pay less than $100 to regain access to their data, according to Carbon Black’s data. That figure drops to 12 percent if attackers demand $500 or more.

“The system only works if victims choose to pay,” the study concludes. “Until people decide not to pay, this problem will only continue to grow.”


Senior reporter, privacy & security | Got a tip? Email: | Send encrypted texts using Signal: (202)556-0846

Share This Story

Get our newsletter