Ransomware as a business model

How it works and how to respond

Johannes Dohren
Partner, Cybersecurity and Privacy, PwC Switzerland

Ransomware attacks have become a lucrative business for cybercriminals, which they use to extort millions every year. For example, the group behind the NetWalker ransomware software is said to have pocketed more than 25 million US dollars in just four months. A ransomware value chain has developed involving various different highly-professionalised groups. These include the developers and sellers of malware, which provide “ransomware-as-a-service” in the sense of today’s service economy, as well as the operators of malware, which spread and use it.

It also includes “support” specialists, who for example handle enquiries from unwilling “customers” through hotlines. This differentiation means that criminals are targeting a much wider range of parties than just large business and companies.

61% of Swiss executives expect a surge in reportable ransomware incidents in 2022.

Source: PwC, 2022 Global Digital Trust Insights
The New Equation

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

The development of ransomware attacks

Originally, a ransomware attack meant that the relevant working data in the company’s network was encrypted by using malware. The attackers then demanded a ransom to decrypt it. Previously, cybercriminals targeted as many companies and systems as possible almost indiscriminately. The sheer number of parties involved alone made it a lucrative business model. Since then, many companies have adopted an effective strategy for backing up and restoring data as the most effective measure against ransomware attacks, and are well prepared.

This has led to cybercriminals seeing their incomes fall, which in turn has led them to adapt their business model. Attackers have now gone one step further and copy sensitive data before encrypting it, especially customer data, so that they can now also blackmail their victims with the threat of having their data published. They tell the affected parties that publishing the data would constitute a breach of data protection legislation (e.g. the GDPR), and the company would be obliged to pay a fine. It is true that such a case may mean a breach of data protection legislation, which may also lead to prosecution. What is false, however, is the idea that paying a ransom or not has any bearing on whether a breach of the GDPR has occurred.

The fact is, a successful ransomware attack almost always causes significant damage, whether damage to the company’s public image through customer data (e.g. passwords, medical documents, financial data, shopping habits) being leaked or the loss of intellectual property (e.g. source codes, construction plans, formulas, films). Affected companies often see paying a ransom as the lesser of two evils.

Cyber incident response and recovery

We have a broad range of flexible solutions, including entire packages, to help you plan and prepare for cybersecurity incidents.

Find out more

Phase 1: Making preparations

Imagine the attacker as an employee in a small criminal organisation within the ransomware value chain. This person’s main job is to identify suitable companies as targets and to carry out the attack. As a first step, the potential targets are spied on and information is gathered about them. There are two different approaches to this: You can attack on a large scale in order to blackmail as many companies as possible – some of them are bound to be willing to pay large ransoms. The more lucrative option, however, is to target companies with highly sensitive data so that you can demand the highest ransoms possible. In our scenario, the attacker chooses the second option. To do this, the person makes a list of companies and uses different sources to find out more about them. In particular, they read the publicly available financial reports. Among other things, they can work out when the company last invested in their IT systems and how much ransom they can extort out of them. They also look for job openings because these can be particularly revealing for cybercriminals, for example when they advertise for administrators with a knowledge of outdated systems such as Windows 7 or Windows Server 2008 R2. They compile the information they have gained into a short profile so they can assess and prioritise it. The possible gains are always weighed up against the expected costs.

After a target has been chosen, the attacker gathers more information. For example, they make lists of employees and their e-mail addresses, or try and find out whether certain servers, clients, IoT devices or production facilities (operational technology, OT) can be accessed online and allow login attempts with default names and passwords.

The malware and other tools have already been prepared or bought by third parties. All the hacker has to do is select and use the right versions for the target, i.e. enter the IP and e-mail addresses. They also set up their own infrastructure where they can upload the stolen customer data.

Emerge stronger through disruption podcast

Ransomware attacks hit without warning, inflicting serious damage with effects that can linger for years. With strong crisis management capabilities, however, companies can mitigate the damage – and even grow trust with customers, deepening the connection to their values and purpose.

Listen now


Even if individual steps differ in detail, the course of a ransomware follows a similar logic. It can be illustrated using four phases – preparation, attack, propagation and infection. In a series of blogs, we will illustrate these phases using an example scenario from the perspective of a ransomware operator and discuss the effectiveness of protective measures. In the last blog, we’ll look at the legal aspects of paying a ransom in Switzerland.


Building trust to succeed

At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.

Explore our offering

Contact us

Johannes Dohren

Johannes Dohren

Partner, Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 22 20