Please note we have recently updated our Privacy Policy, effective May 24, 2018. You may view the updated Privacy Policy here.
By using this website, you consent to the use of information that you provide us in accordance with the Privacy Policy.


Excerpts from The Ransomware Economy: The Ransomware Supply Chain

Rick McElroy
November 2, 2017 / Rick McElroy Sean Blanton

Carbon Black recently published an investigative report on the Dark Web marketplace for ransomware. This is an excerpt from that report, which you can find here. For more information about the rise of ransomware, and what you can do about it, check out the Ransomware Epidemic: Stop Bad Rabbit In Its Tracks webcast hosted by Rick McElroy, Security Strategist at Carbon Black.

The Ransomware Supply Chain

The underground ransomware economy fosters some very profitable business models. To curb the proliferation of the economy, we must first understand the economics behind the model.

Most people think about ransomware monetization at only one point – where the criminal actually receives payment from a victim. This may be the one of the headlines, but it’s actually at the tail end of the economy.

Here’s what the “Ransomware Supply Chain” looks like:




Ransomware is software. Someone has to create it, maintain it, test it. Sometimes, ransomware is created for the mass market and sometimes it is authored for targeted campaigns. The cost is based on how customized the code is for a particular target.

It’s important to understand that the entire supply chain could be provided by one group or one person but it may also be piecemealed together. The trend continues toward DIY kits and specialization within the underground economy is further contributing to ransomware’s boom.



This is where most people encounter ransomware for the first time. This is generally done in a “spray-and-pray” fashion where attackers send the same malicious email to a giant list hoping a small percentage will click. Moving into 2018, ransomware will increasingly target businesses, as we saw with the WannaCry attacks in 2017. Perhaps more alarming is how WannaCry leveraged NSA tools to spread the attack across the globe.


This is the module responsible for the activity on a system that actually encrypts the data. We’ve all seen the big, red splash screens commonly used in ransomware attacks. Ostensibly, once payment is rendered, the data is decrypted. For attackers, encryption and decryption tools can be purchased on their own, or as part of a DIY kit.



For more information about the rise of ransomware, and what you can do about it, check out the Ransomware Epidemic: Stop Bad Rabbit In Its Tracks webcast hosted by Rick McElroy, Security Strategist at Carbon Black.

Watch Now



This module facilitates, tracks and communicates payments, typically via Bitcoin. Service providers and distributors use this information to make future campaigns more successful.


This module is responsible for the end-to-end operations of ransomware and is used to control infected hosts throughout the ransomware life cycle. These are becoming fairly standardized.


The silver lining when it comes to breaking the ransomware supply chain is that defenders have an inherent advantage. If defenders can break or interrupt even one link of the chain, the entire attack falls apart.

Taking down distributors and operators is chasing the tail of the problem. To begin to put a dent in the underground ransomware economy, efforts should be enacted to disrupt the supply chain upstream and change the incentive for malware authors. By decreasing the ROI for attackers, defenders can decrease the financial incentive for the crime.

Additionally, we need to STOP paying ransoms. The system only works if victims choose to pay. Until people decide not to pay, this problem will only continue to grow. Additionally, as it stands right now, law enforcement cannot scale to the problem. Companies are largely on their own when it comes to stopping ransomware attacks.


The growth in the underground ransomware economy highlights a few unsettling trends. Namely, as an industry, we are often getting the fundamentals of security wrong. In too many instances, we are failing to do the basic blocking and tackling of security such as: backing up files and systems; testing restorations; patching; having adequate, enterprise-wide visibility; and implementing outdated prevention measures, such as legacy antivirus.

Attackers will continue to go where the money is. Right now, with ransomware, there is money to be made hand over fist. To begin to shift the economic tide, organizations should take careful inventory of their security best practices and look to implement user education programs in order to close any gaps that may exist.

In conjunction with user education, these organizations should turn to security software that can provide full visibility across the enterprise and prevent ransomware attacks before they cause any damage.

Specialization in the various components of ransomware has contributed to the 2,502% growth we’ve seen in the underground ransomware market over the past year. For ransomware to be profitable, you no longer have to be “good” at the entire supply chain, just know where to purchase the individual components.

The economy itself has become so much more robust because of the now-existing service layers. These services drive down the barrier to entry and attackers no longer have to have multiple specializations. In fact you don’t have to have any. You just need some Bitcoin. This enables anyone who is inclined to launch attacks.

Ransomware can no longer be perceived as small groups of criminals performing stick ups and kidnappings; instead think of ransomware more like the consumer of cloud service. You simply need to know how to put the pieces together. Startup CEOs no longer hire tons of IT staff or invest heavily in infrastructure. They achieve speed to market by utilizing existing services. So do cyber criminals. The criminals are jumping right to the point of profit.

Because of this specialization, ransomware attacks are more likely to succeed. The frequency and severity of the attacks will also increase. The power to attack is no longer in the hands of a few experts, but in the hands of anyone looking to make illicit money.



For more information about the rise of ransomware, and what you can do about it, check out the Ransomware Epidemic: Stop Bad Rabbit In Its Tracks webcast hosted by Rick McElroy, Security Strategist at Carbon Black.

Watch Now


TAGS: Carbon Black / ransomware / Threat Analysis Unit / threat research