When Does Cybercrime Become a Desirable Career Choice?

I spend most of my days working with amazing people who are dedicated to trying to make the world safer. At the same time, I often wonder why we don't work on the other side where the money seems to be growing faster than the risk of facing consequences for committing a crime. A shocking admission, right? Well, don’t call the FBI. I’m still not a cybercriminal. But, I think this is a topic worth exploring because, when we look at things in terms of risk/reward, it's easy to see why cybercrime could become an increasingly appealing career choice for more people than we may think.

Ransomware is Big Business

According to security firm Chainalaysis, ransomware payments in 2023 exceeded $1B globally - a new all-time high - with Sophos reporting that the average ransomware payment is now estimated to be $1.54M.

And this threat has been sustainable, with the average annual cost from ransomware over the last five years being $755M. While ransomware payment rates reportedly dropped to 29%, criminals simply created more revenue by increasing their volume of attacks by as much as 60% as compared to the previous two years. Recent noteworthy ransomware payments include the 2021 ransomware payments by CNA Financial ($40M) and Colonial Pipeline ($4.4M), Caesar’s Entertainment’s 2023 ransomware payment of $15M, and the recently reported ransomware payment of $22M by Change Healthcare.

Prosecution for Ransomware Attacks is Still Rare

Despite more than $1B in annual losses, and payments in excess of $10M for a single ransomware attack becoming commonplace, arrests and prosecutions for perpetrators of these attacks remain rare enough that the rewards of committing these cybercrimes may outweigh the perceived risks of being caught and punished.

• A Russian national known for his involvement in developing the Trickbot malware - used in a series of ransomware attacks that reportedly netted at least $724M as of early 2023 - was recently sentenced to five years and four months in prison. 
• A recent international law enforcement effort against the Lockbit ransomware gang - which is reportedly responsible for extracting $120M in ransomware payments - resulted in the successful takedown of their websites as well as the arrests and indictments of two named Russian nationals.
• A Russian-Canadian national was convicted and sentenced in March 2024 to nearly four years in jail and ordered to pay $860K in restitution for his crimes, which included cyber extortion, mischief, and weapons charges.

While these examples of consequences may sound serious, the challenge is in their rarity when compared to the number of ransomware attacks perpetrated.

• A 2019 survey indicated as many as 20% of Americans had been impacted by a ransomware attack.
• CISA reported that 14 out of 16 industrial sectors had been hit by ransomware attacks.
• The U.S. Government Accountability Office reported in 2023 that the U.S. was still not adequately prepared to address threats in cyberspace.
• While as many as 493M ransomware attacks were conducted in 2022 with an estimated 41% of targets paying a ransom, the FBI reportedly received only 2,385 ransomware complaints for the same year.

The number of arrests and convictions for ransomware crimes is a small fraction of the number of crimes committed, which is an even smaller fraction of the total number of crimes committed. In short, the odds of being caught and convicted for engaging in ransomware are roughly equivalent to winning the lottery.

Meanwhile, Here in the Real World

OK. So we all understand that ransomware is big business that is largely unpunished. But, what does that have to do with cybercrime becoming a desirable career choice? Good question!

The most recent example I referenced above was the reported $22M ransom payment that Change Healthcare just made to the Blackcat ransomware group (also known as “ALPHV”). For a high performing person in the tech industry who made all the “right” choices growing up and got some luck along the way, the odds of earning $22M in a lifetime are still pretty slim.

• Quick Math: To earn $22M in a lifetime, someone would need to earn an average of $400K for 55 years, $300K for 73.3 years, or $200K for 110 years.
  • While this does not include investment income over time, it also doesn’t remove income taxes that would be applied

The same young workforce that may see the disparity between the riches of crime and their long-term working future - or compare their income and lifestyle to that of CEOs who now earn (on average) 272 times what their average employee earns - may be enticed to consider using their hard-earned technical skills to take a bite out of corporations that seem more eager to pay ransoms than invest in cybersecurity.

Add to that the student loan debt younger generations entering the workforce are facing while the tech industry they worked so hard to get into continues to conduct massive layoffs in the name of increased profits for corporations that are already reporting record profits, and crime may look even more appealing.

But that’s not all!

Now, look through the eyes of these newly minted college graduates who survived a pandemic only to be told they need to commute to congested offices for increased productivity (which has turned out to be an inaccurate assumption) when it’s more likely that they work for insecure managers in corporations focused on protecting their commercial real estate investments.

Cybercrime is starting to look pretty appealing, isn’t it?

That’s because the reward for a successful criminal act isn’t just the money - it’s the freedom that money brings. If all the time and money spent on education doesn't lead to a career that is seen as a path to freedom, and it’s very unlikely that someone will face consequences for using those same expensive talents that someone is still making payments on, that sounds like a viable career path we may see more people choosing to take.

What’s Your Point?

I want to leave you with three major takeaways from this little thought exercise.

• All of this data and context presents strong reasoning for not paying ransom.
  • While it may seem like the right move at the moment, it’s a short-term answer to a long-term problem. If this crime doesn’t pay it won’t attract more criminals.
• Focus on treating the tech industry’s workforce much better.
  • Flexible work (locations and schedules) increases productivity and employee satisfaction, which reduces insider threats.
  • Invest in their futures with better training programs and clearer career paths so they know how to succeed.
  • Thoughtfully employ automated solutions and artificial intelligence when replacing people, instead of myopically focusing on profit without regard for the negative consequences that come with treating people as disposable “human resources.”
• Think beyond today or tomorrow.
  • If we automate entry level work, who grows into the higher level roles?
  • How do we retrain and refocus tens of thousands of people into roles that offer a promising future akin to what they’ve worked towards?

Everyone with aspirations, needs, and debts who is automated out of their career will need a new path to achieve the success they were told their expensive education and hard work would provide. If they aren’t employed within our industry, they will be recruited as the next generation we’ll have to defend against

• Unlike the ferrier or field hand of past industrial revolutions, these highly skilled people can weaponize their knowledge.

Cybercrime offers remote work, flexible hours, and large compensation without fear of being laid off so someone can increase a stock price or their annual bonus. Being a cybercriminal has risks, but so does working for companies that repeatedly cut their workforce despite posting record profits quarter after quarter, year after year.

When risk is a daily consideration, that $22M brass ring may be increasingly enticing.