Cybercriminals have long treated underground tools and kits as a worthwhile investment, and new research has now put a number on it: the average cybercriminal can expect a 1,425 percent return on investment (ROI).
Trustwave's “2015 Global Security Report” created a sample case study for the average cybercriminal or crime group. In the company's example, a criminal could invest $3,000 to use a ransomware kit, specifically CTB Locker, for one month, and then spend an additional $2,900 on the infection vector, traffic acquisition and daily encryption, bringing the total cost of a one-month malware campaign to $5,900.
If the criminal is able to infect only 10 percent of visitors to a chosen target website, and successfully get 0.5 percent of those infected to pay a $300 ransom over the course of 30 days, the criminal could feasibly rake in $90,000 (300 ransom payments in the month). That comes out to $84,100 in profit, and $84,100 on a $5,900 outlay is a 1,425 percent ROI.
“[This percentage] shows you and quantifies [cyber criminals'] motivation,” said Charles Henderson, vice president of managed security testing at Trustwave, in an interview with SCMagazine.com. “The criminal enterprise around cybercrime is absolutely a big business, and it is focused, as well as refined, around numbers.”
More than anything, these numbers make clear that a business plan is in place for cybercrime, just like any legitimate, legal business, Henderson said. Plus, it's a marketplace ripe for disruption.
Although disruption could be interpreted to mean not paying ransoms or not clicking on spam, that advice doesn't always work, Henderson said. Instead, he recommended focusing on making it cost prohibitive to be a cybercriminal's target.
“In other words, what you're looking at is ways to make an attack against your assets more expensive,” he said. “Go through a checklist of things that you can do to make it more burdensome to attack you.”
Trustwave's study also looked at data breaches and remediation. It found that 81 percent of victims did not detect a breach themselves. A majority of the time, regulatory bodies, card brands or banks detected the compromised system and information.
In 12 percent of cases, law enforcement detected the breach first, which Henderson attributed to better communication and to efforts to hunt down organized groups that conduct more than one breach.
Furthermore, the study found that, yet again, “Password1” was the most common business password.
“There comes a time where repetitive is newsworthy,” Henderson said.
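The reason “Password1” keeps topping the list is that it satisfies the usual “one uppercase, one lowercase, one digit, eight characters” complexity rule, so a policy built only on that rule never rejects it. The following check is an added example, not code from the article or from Trustwave's report: it shows the complexity rule accepting “Password1”, then catches it by normalizing the password (lowercasing, stripping trailing digits and symbols, undoing common leet substitutions) and comparing the base word against a denylist. The denylist here is a constructed handful of words for illustration; a real deployment would load a large breached-password corpus, which is an assumption of this example.

```python
import re
from typing import Tuple

# Constructed, illustrative denylist of common base words. Assumption: a real
# deployment would replace this with a breached-password corpus loaded from disk.
DENYLIST = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Common leet substitutions, reversed so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# A typical complexity policy: upper, lower, digit, at least eight characters.
COMPLEXITY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$")


def passes_complexity(pw: str) -> bool:
    """True when the password meets the complexity rule. "Password1" passes."""
    return COMPLEXITY.fullmatch(pw) is not None


def normalize(pw: str) -> str:
    """Reduce a password to the base word an attacker's wordlist would contain.

    Lowercase, drop the trailing digits/symbols users append to satisfy the
    policy ("1", "2015", "!"), then undo leet substitutions.
    """
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(LEET)


def is_weak(pw: str) -> Tuple[bool, str]:
    """Return (weak?, reason). The denylist check runs even when complexity passes."""
    if not passes_complexity(pw):
        return True, "fails complexity rule"
    if normalize(pw) in DENYLIST:
        return True, "denylisted base word"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, including the report's "Password1".
    for candidate in ["Password1", "P@ssw0rd123!", "Summer2015", "Tr0ub4dor&3"]:
        print(candidate, passes_complexity(candidate), is_weak(candidate))
```

The point of running both checks is that the complexity rule alone reports “Password1” as compliant; only the normalized denylist comparison flags it, and the same normalization catches the “P@ssw0rd123!” and “Summer2015” variants users reach for when the base word is rejected.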