RSA 2015 RSA chief information security officer David Martin says ransomware scum may have reached the sweet spot between extorting users and avoiding law enforcement heat.
Martin says ransomware extortionists' demands top out at about US$10,000, a sum sufficiently low to get reluctant companies to pay and to prevent time-poor police from intervening.
"I think there is a sweet spot where you (criminals) only want to target organisations in local jurisdictions but if you move into a large enterprise with enough customers, you'll get federal law enforcement involved and make some serious enemies," Martin told El Reg at the RSA Conference in San Francisco last week.
"If you get too big, too greedy, you'll make enemies with the people who have the might and muscle to come and get you.
"There is a lot of innovation and I think we will continue to see things evolve."
Martin says the ransomware scum's sweet spot is to stick to targeting smaller businesses and make big bucks out of multiple attacks, rather than "one big play".
Smaller cash-for-keys demands tend to convince smaller businesses to pay rather than attempt to find cryptographic implementation faults that would let them decrypt their data without paying.
Security companies have published free tools to help decrypt shoddy ransomware that typically asks for a few hundred dollars, but the proper high-end product can be next to impossible to crack.
The latter ransomware is typically accompanied by emails sent by attackers to victims informing them that their data is encrypted and that they must pay up or face a rising ransom for each day that lapses.
Crooks will often hand over the key on payment to preserve the integrity of their business model. It is so effective that multiple police agencies have paid the ransoms.
Detailed data on the value of ransomware are hard to come by, but some crooks have made millions of dollars in mere months. Symantec reckons (pdf) that in the early days of ransomware 2.9 percent of compromised users paid.
To reduce risk from ransomware raids, businesses should change weak and default passwords used on services like remote desktop protocol -- a favourite vector for some scammers -- and back up critical data to air-gapped media.
Exploit kits that target unpatched software like Flash and Java will often foist ransomware, putting the emphasis on patching.
One recent ransomware iteration demonstrated that even air-gapped backups may not be enough: it silently encrypted and decrypted web databases on the fly for months, so the backups taken during that period held only ciphertext, before pulling the key. ®
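The silent-encryption case above means a backup is only worth keeping if someone has checked that it actually restores to readable data. The script below is an added example written for this article, not code from the article, RSA or any product: it scores each backup snapshot by how many of its rows still parse as the plaintext the application writes, and reports the last restorable snapshot and the first damaged one so that retention does not age out the only clean copy. The snapshots, the table layout, the dates and the stand-in "encryption" routine are all constructed for the demonstration.

```python
"""Backup-restorability check for the silent-encryption ransomware case.

Constructed example: each backup snapshot is a list of database rows as
bytes. Rows the application wrote in the clear parse as JSON; rows that a
transparent-encryption trojan rewrote look like random bytes. A snapshot
whose rows mostly fail validation is useless as a recovery point even if it
sits on air-gapped media, so retention should be driven by this check, not
by snapshot age alone.
"""
import hashlib
import json
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, ~4-5 for JSON/text.
    Short rows underestimate it (bounded by log2(len)), so the parse
    check below is the decisive test and entropy is only a cheap gate."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def row_is_plaintext(row: bytes, max_entropy: float = 6.0) -> bool:
    """A row is intact if it is in the text entropy range AND decodes and
    parses as the JSON document the (assumed) application writes."""
    if shannon_entropy(row) > max_entropy:
        return False
    try:
        json.loads(row.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return True


def snapshot_health(rows) -> float:
    """Fraction of rows that look like restorable plaintext."""
    if not rows:
        return 0.0
    return sum(row_is_plaintext(r) for r in rows) / len(rows)


def find_last_good_snapshot(snapshots, threshold: float = 0.95):
    """snapshots: list of (label, rows) in chronological order.
    Returns (last_good_label, first_bad_label); either may be None."""
    last_good, first_bad = None, None
    for label, rows in snapshots:
        if snapshot_health(rows) >= threshold:
            if first_bad is None:
                last_good = label
        elif first_bad is None:
            first_bad = label
    return last_good, first_bad


# --- constructed sample data (not from the article) ---------------------

def _plain_row(i: int) -> bytes:
    return json.dumps({"id": i, "customer": f"Customer {i}", "balance": 100.0 * i,
                       "notes": "constructed sample record for the backup check"}).encode()


def _fake_encrypt(row: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """Stand-in for the trojan's transparent encryption: XOR with a SHA-256
    keystream. Deterministic so the example reproduces; NOT a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(row):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(row, stream))


def build_constructed_snapshots():
    """Weekly dumps of a 20-row table. From the third dump the hypothetical
    trojan has begun rewriting rows; by the fourth every row is ciphertext."""
    rows = [_plain_row(i) for i in range(20)]
    return [
        ("2015-03-25", rows),
        ("2015-04-01", rows),
        ("2015-04-08", [_fake_encrypt(r) if i < 12 else r for i, r in enumerate(rows)]),
        ("2015-04-15", [_fake_encrypt(r) for r in rows]),
    ]


if __name__ == "__main__":
    snaps = build_constructed_snapshots()
    for label, rows in snaps:
        print(f"{label}: {snapshot_health(rows):.0%} of rows restorable")
    good, bad = find_last_good_snapshot(snaps)
    print(f"last restorable snapshot: {good}; first damaged: {bad}")
```

Run against real dumps, `row_is_plaintext` would be replaced by whatever "this record is what the application expects" means for that schema; the point is that a restore test, or a cheap proxy for one, has to run on every snapshot before the retention policy is allowed to delete older ones.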
Darren Pauli travelled to San Francisco as a guest of RSA.