The cost to your average ransomware crew can be rounded down to zero, because it's pretty darn close. They use automated tools running on other peoples computers and utilizing other peoples connectivity. The tools themselves for most RaaS (ransomware as a service) affiliates are also close to zero cost, as they pay the operator a percentage of profits.

The time is a cost, but at scale any individual target is a pretty minor investment since it's 90%+ automated. Also, these aren't folks that are otherwise highly employable. The opportunity cost to them is also usually very low.

The last attacker I got into a conversation with was interesting. Turns out, he was a 16 year old from Atlanta GA using a toolkit as an affiliate. He claimed he made ~100k/year and used the money on cars and girls. I felt like he was inflating that number to brag. His alternative probably would have been McDonalds, and as a minor if he got caught it would've been probation most likely. I told him to come to the blue team, we pay better.

At the end of the day, that guy is spending all of his finite hacking time setting up and maintaining these exploits and stolen infra. His marginal cost of breaching you is 0 if you're already vulnerable to the exact same exploit he already set up, but that's a big if, and someone else spent their finite time making toolkits. Otherwise you'd expect everything on the Internet that has any kind of vuln to be breached already.

Anyway I'm curious about the 16yo. Is it that he has special skills, or is it just that minors will do that dirty work for cheaper, given lower consequences and fewer other opportunities?