The WannaCry ransomware exploded onto the scene in mid-May, bringing computer systems in organizations as diverse as FedEX and the U.K.’s National Health Service to a grinding halt. There’s no indication that its authors targeted these organizations specifically, and the malware will happily infect any vulnerable computer system that it comes across in order to hold the data stored on it to ransom.
In other words, WannaCry is an unscrupulous money-making tool, and its purpose is to make whoever is behind it rich. Operating a piece of ransomware like WannaCry is really just a business. An illegal business, but a business none the less.
The purpose of any business is to maximize profits, and to do that it is important to charge the right price. When it comes to ransomware, the amount demanded as a ransom is effectively the price. The dilemma for the criminal behind the ransomware is whether to set the ransom relatively low in the hope that a large number of victims will pay up, or to set the ransom much higher to get a smaller number of big payments. Which pricing strategy yields higher revenues depends on what economists call the price elasticity of demand.
It turns out that the average ransom demanded is about $700, although in about 20 percent of cases the ransom may be as high as $1300, according to research carried out by security software vendor Trend Micro. “If you look at the demands they are relatively low — they are in the ballpark of what people can afford to pay,” says Bharat Mistry, a Trend Micro cybersecurity consultant. That would suggest that ransomware criminals believe the price elasticity of demand is relatively high: a small increase in the ransom demanded will lead to a much greater fall in the people willing or able to pay it, resulting in less overall profit.