Criminal Hackers Have 1000% ROI on Ransomware & Exploits

Trustwave released a 110-page Global Security Report.

This article will review the ROI portion of the report.


This report focuses on breaches from Trustwave's own investigations (Trustwave has many security services and products), so the report is also trying to help sell their services.

One could say Trustwave is a competitor of consultants and other security companies, although we service different types of companies.

The Trustwave report actually said 1425% ROI, but I made this post 1000% because another few hundred percent does not matter, and then fixed the calculation by some reverse math, as you will see below.


The report also states that 81% of victims did not detect the breach themselves (this has been said before elsewhere). In fact, how would you know that you have been breached, with credit card number breaches for example? VISA can tell, or the bank that issued the card, but can you tell?

This number should have been 99%, because even if you can detect a breach you are still not detecting some breaches. In an enterprise environment with 150,000 computers in 10 different countries on 3 continents, you can't tell me that you are detecting all breaches.

So this report is stating the obvious in a different manner. You could easily make up a number and then say 3293% ROI.

The report's data set is their own data compromise investigations: 574 data compromises across 15 countries.

The ROI information starts at page 63, first with some explanations and definitions…

Then there is a Russian advertisement for CTB Locker (ransomware software): $3000, with $300/month service support.

So this is the beginning of the ROI determination.

Now you have a payload, but no computers.

So you can buy exploited computers, or buy traffic to a page that hosts your payload.

Remember I have said in the past that what the criminal hacker wants is to control your computer (so they can sell the access).

Here is my diagram which places a worth on your computer.


I have to update the image and put "ransomware paid" on there at $300.

Once computers have been hacked, they can now be exploited.

Now the criminal hacker may also need a daily encryption service ($600).

So the total is $5900 in expenses.


Now how much can one make?

If you charge $300 for a "decryption", it will only take 12 successful payments to make your investment back.

Out of 1000 clicks or controlled computers, not all will be successful (something may go wrong) and not all will pay.

So here is where the estimation gets a bit murky.

Trustwave assumes an average 10% infection rate, a 50% payout rate, a $300 ransom amount, and a given campaign length.

So they come up with $90,000 from 20,000 visitors.


Of course these numbers could be lower or higher depending on the skill of the criminal hacker.

This is why I chose 1000% as my number:

8640 visitors × .05 infection rate = 432 infections

50% payout rate = 216 paid, a total of $64900

$64900 – $5900 cost = $59000 net profit

59,000 / 5900 = 10 = 1000%

Simple reverse mathematics, since the numbers can be easily adjusted.

So which sounds nastier?

10 times the investment, or 1000% of the investment?
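The campaign arithmetic above as a small Python model. This is an added example, not code from the post or from the Trustwave report; the campaign parameters are the post's own figures, while the `defender_sensitivity` function and its halving factors are my assumptions, there to show how patching (a lower infection rate) and tested offline backups (a lower payout rate) cut into the attacker's return. Note that recomputing from the stated inputs gives 216 × $300 = $64,800 revenue, slightly below the rounded totals quoted in the post, and that the report's headline figure checks out as ($90,000 − $5,900) / $5,900 ≈ 1425%.

```python
"""Attacker-economics model for a ransomware campaign.

Added example built from the figures quoted on the page; the defender
sensitivity knobs are assumptions, not part of the post or the report.
"""
from dataclasses import dataclass, replace
from math import ceil


@dataclass(frozen=True)
class Campaign:
    visitors: int          # people reaching the page that carries the payload
    infection_rate: float  # fraction of visitors successfully infected
    payout_rate: float     # fraction of infected victims who pay
    ransom: float          # price per "decryption", USD
    fixed_cost: float      # ransomware, support, traffic and crypting outlay

    def infections(self) -> int:
        # round() avoids binary-fraction noise when rates like 0.05 are used
        return round(self.visitors * self.infection_rate)

    def payments(self) -> int:
        return round(self.infections() * self.payout_rate)

    def revenue(self) -> float:
        return self.payments() * self.ransom

    def net_profit(self) -> float:
        return self.revenue() - self.fixed_cost

    def roi_percent(self) -> float:
        """ROI as the post defines it: net profit over outlay, in percent."""
        return 100.0 * self.net_profit() / self.fixed_cost

    def break_even_payments(self) -> int:
        """Paying victims needed just to recover the fixed outlay."""
        return ceil(self.fixed_cost / self.ransom)

    def break_even_infection_rate(self) -> float:
        """Infection rate at which revenue only just covers the outlay; at the
        same traffic, payout rate and price, anything lower loses money."""
        return self.fixed_cost / (self.visitors * self.payout_rate * self.ransom)


def roi_from_totals(revenue: float, fixed_cost: float) -> float:
    """ROI from a revenue total, e.g. the report's $90,000 against $5,900."""
    return 100.0 * (revenue - fixed_cost) / fixed_cost


# The post's own 1000% scenario (constructed from the figures on the page).
POST = Campaign(visitors=8640, infection_rate=0.05, payout_rate=0.5,
                ransom=300, fixed_cost=5900)


def defender_sensitivity(base: Campaign, infection_cut: float,
                         payout_cut: float) -> dict:
    """ROI after defenders trim the two rates the attacker does not control:
    infection rate (patching, client hardening) and payout rate (tested
    offline backups). The cut fractions are assumptions for illustration."""
    patched = replace(base, infection_rate=base.infection_rate * (1 - infection_cut))
    backed_up = replace(patched, payout_rate=base.payout_rate * (1 - payout_cut))
    return {
        "baseline": base.roi_percent(),
        "patched": patched.roi_percent(),
        "patched+backups": backed_up.roi_percent(),
    }


if __name__ == "__main__":
    print(f"infections={POST.infections()} paid={POST.payments()} "
          f"revenue=${POST.revenue():,.0f} net=${POST.net_profit():,.0f} "
          f"ROI={POST.roi_percent():.0f}%")
    print(f"break-even: {POST.break_even_payments()} payments, or a "
          f"{POST.break_even_infection_rate():.2%} infection rate")
    print(f"report headline: {roi_from_totals(90000, 5900):.0f}%")
    for label, roi in defender_sensitivity(POST, 0.5, 0.5).items():
        print(f"{label:>16}: {roi:.0f}%")
```

Halving the infection rate alone still leaves a very profitable campaign, which is the point of the post's argument: the attacker's return stays positive until the infection rate falls below about half a percent of traffic, so patching and backups together are what move the number.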

The criminal hacker is constantly trying to:

1. Get more traffic to the websites that carry their ransomware payload.

2. Make the ransomware more efficient (i.e. so that the victim will pay).

3. Improve website infection rates. This of course depends on the client-side infection capabilities.


As a new vulnerability comes out (I'm using yesterday's blog post for the image below), it will have a certain period of effectiveness even against computers that are normally kept patched. But if your computer is not patched, then an old vulnerability will work.

This is why we (security pros) recommend patching as soon as practicable after a patch is released.

