Imagine you’re attacking thousands of systems and nobody cares. Not because every system was patched, and not because every operator kept careful backups; that would sound like an illusion. So why would nobody care? Or more precisely: how could our society reach a state in which nobody cares?
The business model of globally operating, profit-driven attackers usually has two steps. First, they acquire exploits, sometimes even ready-made malware components, to launch distributed attacks; WannaCry, for instance, spread using the EternalBlue SMB exploit that had been leaked by the Shadow Brokers (and for which Microsoft had already shipped the MS17-010 patch). Second, after adapting and distributing the malware, they extort money from the victims, counting on them to pay because the attacker’s “help” in recovering the encrypted data looks like the only way out of the impasse.
There are a number of problems with this model, though. First, there is no guarantee whatsoever that the attacker will cooperate and help recover the data. Attackers are not bound by a reputation they need to protect, so they may well not help; WannaCry in particular had no reliable way to tie a payment to a specific victim, since every victim was told to pay to one of a handful of hard-coded Bitcoin addresses. Second, as the victims usually don’t know who attacked them, how can they be sure the ransom is actually received by the genuine attacker? There have been cases reported where impostors joined the game and claimed to be the original attackers, simply to siphon off the ransom. Third, and this is the main point: if no victim pays, no attacker has an incentive to invest in tremendously expensive zero-day exploits. A back-of-the-envelope calculation shows that the attack is simply not profitable; the return on investment is negative. Consequently, there is no hacking for profit, and no malicious encryption of important data.
Let’s consider the case of WannaCry again. The adversaries invested a great deal of work in crafting and distributing the malware. We don’t know who they are (yet), since Bitcoin provides only pseudonymity. What we do know is that their Bitcoin addresses have received no more than a farcical few tens of thousands of dollars since the attack was launched. That is ridiculous: infecting more than 200’000 machines in 150 countries to earn a few tens of thousands of dollars is clearly a failed business model.
In other words, if the whole world agreed not to pay any kind of ransom, profit-driven cybercriminal attacks could collectively be stopped. Hacking for fun, or hacking by nation-state adversaries, is not covered by this argument; such actors do not aim for financial profit.
This is a cross-post of my LinkedIn post.