My Explanation for the Sudden Rise in Ransomware


I was just observing a Twitter discussion between @jeremiahg and @thegrugq about the reason for Ransomware’s sudden and forceful appearance as the malware du jour.

Jeremiah is arguing that Ransomware is rising now because it’s suddenly much easier to receive anonymous payment, i.e., due to the rise of bitcoin.

TheGrugq and others are disagreeing, saying that there have been other forms of semi-anonymous payment for a long time, which did not lead to a surge in ransomware.

I have my own theory, which I admit is based purely on instinct and not any sort of research like Jeremiah has done.

I think the rise of ransomware comes down to a time-sensitive collision of a few key factors:

  • Other cybercrime business models have reached peak effectiveness, and are in fact declining in value. A) A main revenue model up until now has been to sell the data that was stolen. B) A secondary method has been to use compromised machines to engage in click fraud. Both of these methods are yielding dramatically lower revenue in recent months and years.

  • Because of this challenge, it just so happens to be time for a malware R&D cycle. It’s hard to get away from infrastructure that works, and the data selling and click fraud models took a decade to master. Much effort was spent improving that infrastructure, but the models have now run their course. They are therefore now willing, where they were not just a few months ago, willing to re-task their development efforts to a new model.

  • Data just became essential. As short as five or ten years ago businesses could survive much easier in an analog or offline way. So ransom would not have been as effective.

  • Bitcoin added one last piece of incentive by providing a cleaner way to receive money from victims. This alone would not induce a cybercrime model change, but combined with the two issues above it becomes a significant factor.

Just like most other types of business, it’s extraordinarily difficult to move to a new model when the current one is paying all the bills.

Especially when you helped build it. That’s your life in there. And now you’re just going to abandon it?

No way.

We can improve the algorithms! We can gather more data! We can sell it in bulk! We’ll do mobile click fraud!

And that’s where they’ve been for the last couple of years—making incremental improvements in a fight they could not win. Finally they realized it was time to look for something new, but there wasn’t much in the lab.

Then somebody paid a ransom.

(record scratching sound)

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

Um, what?

You can just encrypt peoples’ most sensitive data and they have to pay you to gain access to it?


Oh, and wait, the only solution is for them to be vigilant about security? So they have to stay patched and/or have really solid backup and recovery capabilities? For their entire lives and businesses?

That’s a human problem! And not one likely to be solved any time soon!

It’s also not resting on the price of a data record in a saturated marketplace. Or on the health of the ad business. This is stopping actual companies from making money. It’s locking people out of their personal lives.

And BAM—groups start pivoting violently towards Ransomware.

  • Tighten up malware campaign infrastructure

  • Make the ransom messages more compelling

  • Adjust the models of how much they have to pay

  • Gather data on how to optimize re-charges

  • Make the payment process easier and safer

  • Etc.


Cybercrime is a massive mechanism, with sunk costs and infrastructure that was hard to migrate away from, even when profits were declining. It was multiple factors that forced the course correction.

  1. The money suddenly dried up in stolen data and ad fraud markets

  2. They were looking for a new vector to put R&D into anyway

  3. People’s entire lives and businesses are now digital, and there’s no going back

  4. Bitcoin provided a newish, semi-anonymous method of receiving payment

It wasn’t one of these ingredients—it was their combination. And at the end of 2015 these chemicals finally mixed and exploded.

Related posts: