Ransomware attacks on healthcare and other organizations “will wreak havoc on America’s critical infrastructure community,” according to a new report that also found the malware is now so prevalent it’s creating an economy of its own.

“New attacks will become common while unattended vulnerabilities that were silently exploited in 2015 will enable invisible adversaries to capitalize upon positions that they have previously laid claim,” the report published by the Institute for Critical Infrastructure Technology explained. 

In the ransomware economy, criminals are using pricing calculations to target victims based on the most efficient ways to rake in money and, what’s more, criminals understand and engineer the pressures to put on victims.

[Also: Healthcare enters new wave of cyberthreats as hacktavists, organized crime, foreign nationals take aim]

The report said ransomware hackers are discovering the right price to charge for targeted industries and individuals, citing Symantec research that lists the average ransom paid by businesses at about $10,000.

“Healthcare organizations were not a primary target for ransomware attacks prior to 2016,” the report stated. “But, the success of the Hollywood Presbyterian attack and the media coverage will ensure that attackers focus on the healthcare sector in the future.”

Indeed, Ransomware is responsible for 406,887 attempted infections and accounts for a total of approximately $325 million in damages, according to a November, 2015 report by the Cyber Threat Alliance. 

And the market for malware may very well keep growing, in large part because of the low cost and ease in perfecting it. In the case of the major ransomware variant Crypotwall, CTU researchers estimated that in 2014, about 1.1 percent of the Cryptowall ransomware victims paid the ransom (at an average of $500), which might not look like a lot but the FBI said that 992 complaints Crytpowall netterd more than $18 million between 2014 and 2015.

“The lesson is that ransomware, while less sophisticated than APT (advanced persistent threat) groups and other cyber criminals, is still significantly profitable, even when only a miniscule number of user fall for its scheme.” ICIT authors wrote. And “who knows how many infections were not reported?”

Twitter: @HealthITNews