How big will ransomware ransoms get? As ransomware attacks grow more targeted and sophisticated, the average ransom demand keeps going up, too. Some surveys indicate that the average ransom demand increased from $6,000 in 2018 to $84,000 in 2019. That trend continued into 2020, with the average rising to over $300,000, by some estimates.
I recently tallied up the biggest ransoms ever, but the next week the Kaseya attack hit, breaking the record for the biggest ransom demand yet again. The hackers probably won't get the full $70 million they are demanding, but if Kaseya and the other affected companies do end up paying, the total could exceed the previous biggest ransom payment of $40 million.
So when will this growth in ransom size stop? Will we ever see a billion dollar ransom? To answer that question, let’s first consider why ransoms are getting bigger.
Factors Driving Bigger Ransoms
How much corporations are willing to pay ransomware hackers is often a purely economic decision. If the damage the hackers can do would cost more than the ransom itself, it's cheaper to pay. It's that simple.
This is actually one of the reasons the problem keeps getting worse: as hackers rake in the cash, they reinvest some of their profits into upgrading their capabilities. They might use the money to contract out work to other hackers on the dark web to improve their software, or to advertise and attract affiliates under Ransomware-as-a-Service (RaaS) business models.
Another issue is that hackers are leveraging stolen sensitive data more and more. Data leaks can be hugely expensive for victims, so the threat of publishing exfiltrated data is an effective lever for extortion on top of the encryption itself. But is there really any data out there worth a billion dollars? Not very likely. Perhaps nuclear secrets, but that kind of data is generally not connected to the internet; it lives on isolated military networks.
What Would Make a Billion Dollar Ransom Worth It?
For someone to pay a billion dollar ransom, there are two requirements:
- They would have to have a billion dollars.
- They would have to save more than a billion dollars by paying.
This means most smaller companies are out of the question, so let’s start by looking at bigger companies.
Amazon, for example, takes in over $400 billion in revenue per year, which works out to well over $1 billion a day. That means a hacker who could shut Amazon down completely for several days could realistically demand a $1 billion ransom.
Walmart actually has higher total revenue than Amazon, but it is much less reliant on IT for its revenue streams. It could theoretically operate stores manually in an emergency.
It’s More Likely to be a Government
We have seen a number of cases of local governments paying large ransoms. Some research actually found that governments pay significantly higher ransoms than private sector victims. If we ever do see a billion dollar ransom, it’s more likely a government will pay it.
Pacific Gas and Electric, the largest utility company in the US, only has revenue of around $13 billion per year, but the broader impact of millions of households losing power could be much bigger. Imagine trying to get re-elected as the President who let everyone's power go out for a week!
We saw something like this happen with the Colonial Pipeline attack; when the fuel stopped flowing, it led to shortages across the East Coast of the US. If a situation like this continued long enough, a government could be pressured into paying by angry mobs of demonstrators.
A scarier possibility is an attack which targets critical infrastructure, putting a large number of people in danger. In most cases, measures are in place to protect facilities like nuclear power plants or hydroelectric dams, but one possibility could be an attack on a chemical facility.
To give you an idea of the damage a chemical plant accident can cause, think about the Bhopal disaster in India. An equipment failure at a factory led to the release of 42 tons of deadly methyl isocyanate, which drifted into nearby residential areas. The accident led to the deaths of over 3,700 people and injured over 500,000 more.
If a ransomware hacker were ever able to credibly threaten an accident like this, they could easily demand a ransom of over a billion. But there would certainly be a huge backlash from something like this. It could easily be considered an act of war.
A Long Way to Go
While ransoms keep getting bigger, hackers have a long way to go before they can think about a billion dollar ransom. As the ransomware epidemic gets worse, cybersecurity practices keep getting better, at least among the large organizations that could conceivably pay that much. While the big ransomware cases grab a lot of headlines, the bulk of victims are small and medium businesses that don't have the budget for advanced cybersecurity, and that couldn't pay a fraction of such a sum.
At the same time, hackers are getting more and more sophisticated and ambitious. It's by no means impossible that we will one day see a billion dollar ransom, but if it does happen, it's likely to change the world in ways we can scarcely imagine.