Illustration by David Vogin

Held Hostage

Most ransomware demands are kept toward the lower end of the scale so that victims will pay. That was not the case when cyber criminals hit South Korean web-hosting company Nayana in June 2017 and demanded an initial ransom of roughly $4.4 million.

The attackers used a Linux variant of the Erebus ransomware, according to a blog post by security firm Trend Micro, which noted that the compromised servers ran long-outdated versions of the Linux kernel and web-server software. After assessing the damage, Nayana negotiated the price of decrypting its files down to approximately $1 million, still an astronomical sum by ransomware standards.

"It was a huge sum of money; you normally get $200 to $2,000 per machine being asked for," says Michael Marriott, a research analyst at Digital Shadows. "The chief actor really targeted its approach to this organization."

And this is a trend that organizations can expect moving forward as ransomware continues to be the most prevalent form of malware spreading across the globe—because people continue to pay ransoms.

Organizations make their own decisions based on what makes sense for them, Marriott explains. "In the Nayana case, it really makes you think, if threat actors see that, they're going to be quite spurred on to target specific organizations."

Ransomware, sometimes called cryptoware, is malware that encrypts a user's files and then demands payment for the key to decrypt them. It is not new, but it gained widespread public awareness following the highly visible WannaCry and NotPetya outbreaks in May and June 2017.

In fact, EUROPOL considers ransomware to be the "most prominent malware threat," surpassing data stealing malware and banking Trojans, according to its 2016 Internet Organised Crime Threat Assessment.

"Whereas each variant has its own unique properties, many are adopting similar anonymization strategies, such as using Tor or I2P for communication, and business models offering free test file decryptions to demonstrate their intentions," the assessment said. "While most traditional and 'commercially available' data stealing malware targets desktop Windows users, there are many more applicable targets for ransomware, from individual users' devices, to networks within industry, healthcare, or even government."

Ransomware Basics

On an average day in 2016, more than 4,000 ransomware attacks occurred—a 300 percent increase over the approximately 1,000 attacks per day in 2015, according to a U.S. government interagency report issued early in 2017.

The report, Protecting Your Networks from Ransomware, was crafted by several government agencies—including the U.S. National Security Agency (NSA), the U.S. Department of Homeland Security (DHS), the FBI, and the CIA—to inform CIOs and CISOs at critical infrastructure entities about ransomware and how to best respond to it.

"Since 2012 when...ransomware variants first emerged, ransomware variants have become more sophisticated and destructive," the interagency report said. "Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers."
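The behaviour the report describes, one process rewriting files on the local disk and on mapped shares in bulk, is what host- and share-level monitoring keys on. What follows is an added example, not code from the interagency report or from this article: a small Python detector that groups a constructed file-audit log by process, looks for a burst of rewrites inside a sliding time window, and flags the burst when most of the rewritten contents have the high byte entropy of ciphertext or carry a known ransomware extension. The audit-record fields, the process names, the extensions, the thresholds and the sample events are all assumptions; a real deployment would feed it from Sysmon or file-server audit events and tune the thresholds against its own baseline.

```python
"""Added example (not from the interagency report or this article): a minimal
detector for one process rewriting many files on local disks and mapped shares
in a short window with encrypted-looking content. The audit-record layout,
process names, thresholds and the sample log are all constructed."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One hypothetical file-write/rename audit record."""
    ts: float        # seconds on a constructed clock
    process: str     # image name of the writing process
    path: str        # target path; UNC share paths start with "\\\\"
    new_ext: str     # file extension after the write or rename
    sample: bytes    # first bytes of the rewritten content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext or compressed data, 4-5 for English text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Tuning knobs; these values are assumptions chosen for the constructed data.
WINDOW_SECONDS = 60        # burst window per process
MIN_FILES = 20             # files rewritten inside the window before we care
ENTROPY_THRESHOLD = 7.0    # content above this looks encrypted
ENCRYPTED_RATIO = 0.8      # share of the burst that must look encrypted
KNOWN_RANSOM_EXTS = {".locky", ".cerber", ".crypt"}  # illustrative, not exhaustive


def looks_encrypted(ev: FileEvent) -> bool:
    return ev.new_ext in KNOWN_RANSOM_EXTS or shannon_entropy(ev.sample) >= ENTROPY_THRESHOLD


def detect_bulk_encryption(events):
    """Return one alert per process whose writes form an encrypted-looking burst."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev.process].append(ev)

    alerts = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most WINDOW_SECONDS.
            while evs[end].ts - evs[start].ts > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_FILES:
                continue
            encrypted = sum(1 for w in window if looks_encrypted(w))
            ratio = encrypted / len(window)
            if ratio >= ENCRYPTED_RATIO:
                alerts.append({
                    "process": proc,
                    "files_in_window": len(window),
                    "share_files": sum(1 for w in window if w.path.startswith("\\\\")),
                    "encrypted_ratio": round(ratio, 2),
                })
                break  # one alert per process is enough
    return alerts


def build_sample_events():
    """Constructed audit log: one ordinary user process and one ransomware-like process."""
    rng = random.Random(2017)  # fixed seed so the run is reproducible
    text = b"Quarterly results, draft 3. Revenue flat, costs down. " * 20
    events = []
    # Benign: five document saves spread over ten minutes, all plain text.
    for i in range(5):
        events.append(FileEvent(100.0 + i * 120, "winword.exe",
                                f"C:\\Users\\alice\\Documents\\report{i}.docx", ".docx", text))
    # Suspicious: 30 files rewritten in 15 seconds with random-looking bytes and a
    # ransomware extension, half of them on a mapped share.
    for i in range(30):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        base = "\\\\fileserver\\finance" if i % 2 == 0 else "C:\\Users\\alice\\Documents"
        events.append(FileEvent(1000.0 + i * 0.5, "update.exe",
                                f"{base}\\doc{i}.xlsx.locky", ".locky", blob))
    return events


if __name__ == "__main__":
    for alert in detect_bulk_encryption(build_sample_events()):
        print(alert)
```

Entropy alone misclassifies compressed archives and documents that were already encrypted, which is why the example combines it with a per-process write rate and counts the share paths the report's warning is about. Sampling only the first kilobyte of each rewritten file keeps the check cheap enough to run inline on a file server.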

Ransomware authors also continue to improve ransomware by using Tor—a free software for anonymous communication—and Bitcoin to collect ransom payments. In March when the report was released, the top five ransomware variants targeting U.S. companies and individuals were CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky.

CryptoWall, for instance, was the first ransomware that accepted ransom payments only in Bitcoin, with ransoms ranging from $200 to $10,000.

"Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world," the report said. "Between April 2014 and June 2015, [the FBI's Internet Crime Complaint Center] received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million."

While these were the top ransomware variants at the time the report was compiled, new variants are being created on a regular basis.

One of those is WannaCry, which spread across the globe by leveraging an exploit reportedly developed and used by the NSA to infiltrate targets. The exploit, called EternalBlue, abused a component within Microsoft Windows, says Eldon Sprickerhoff, founder and chief security strategist at cybersecurity firm eSentire. The underlying flaw is in the SMBv1 file-sharing protocol and was fixed by Microsoft's MS17-010 update.

A group calling itself the Shadow Brokers claimed to have stolen EternalBlue from the NSA and leaked it online in April 2017. Microsoft had already closed the hole a month earlier with MS17-010, which Sprickerhoff describes as a "megapatch to close up the hole."

But many systems that should have been patched were not, and in May 2017 the exploit was used against them to spread WannaCry across the globe, infecting approximately 200,000 computers.

"I call it Amazonian evolution," Sprickerhoff says. "There's nothing that is propagating and evolving as quickly as the ransomware category. There's no chance this will stop. We're seeing, I think, the biggest threat from a malware perspective."

While ransomware is a threat to all businesses, it hits small and medium-sized businesses especially hard. In its second annual survey, cybersecurity firm Malwarebytes Labs surveyed 1,054 small to medium-sized businesses in Australia, France, Germany, Singapore, the United Kingdom, and the United States about their experiences with ransomware.

"Among small to mid-sized organizations that have experienced a successful infiltration of the corporate network by ransomware, 22 percent reported that they had to cease business operations immediately, and 15 percent lost revenue," the survey said. "In a similar study conducted last year among businesses of all sizes, only 19 percent of enterprises had to cease operations immediately."

It's not the ransom, however, that is so devastating for smaller organizations—it's the downtime. Malwarebytes found that most ransoms were $1,000 or less, but that "for roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours," the survey explained. Nine percent of those surveyed reported only up to one hour of downtime.

Adam Kujawa, director of malware intelligence for Malwarebytes, says that ceasing their operations has a major impact on small to medium-sized businesses, and that downtime can make recovering from a ransomware attack more expensive for them.

"Larger enterprises should have some kind of redundancy, so downtime isn't a huge factor," he explains. "But when you think about big organizations that deal with millions of customers, they plan for things like power outages, natural disasters; they should have something in place to make sure their operations don't completely shut down because there's bad weather in the area."

But many smaller businesses don't have the resources—financial or staff—to put such contingency plans in place. Small to medium-sized businesses "don't have the resources to protect themselves as well as large organizations do, or to recover from an attack," Kujawa adds.

"A small business that deals with health records or financial information could not only lose face with customers but could also end up dealing with government penalties for allowing their data to be stolen, as the result of a ransomware attack."

The Hackers

Ransomware was first used in 1989, with the floppy-disk-distributed AIDS Trojan. In 2016 Symantec detected a 36 percent increase over 2015 in ransomware infections, and the number of new ransomware families it uncovered more than tripled to 101, according to its Internet Security Threat Report.

"Attackers are demanding more and more from victims with the average ransom demand in 2016 rising to $1,077, up from $249 a year earlier," the report said. "Attackers have honed a business model that usually involves malware hidden in innocuous emails, unbreakable encryption, and anonymous ransom payment involving cryptocurrencies. The success of this business model has seen a growing number of attackers jump on the bandwagon."

However, that doesn't mean that all attackers are created equal, Marriott says.

"A lot of it comes down to people's level of skill," he explains. Open source ransomware is widely available and doesn't cost anything "and you might see people releasing a variant based off that and they've tweaked a few things, but it's largely based on stuff that's already out there so it's not massively innovative."

Then there are attackers who use a ransomware-as-a-service model. These attackers lack the skills or resources to build their own infrastructure to distribute the ransomware and collect payments.

"It's not quite as simple as getting ransomware into a computer and then you make money," Marriott says. Instead, attackers need to have the ransomware, somewhere to host their payment site that's resilient to attacks, and a way to cash out the money after a ransom is paid.

Attackers using ransomware as a service pay someone else to set this infrastructure up for them, to make it a more affordable criminal enterprise. And the service models have drastically improved over the past few years to make them more attractive and easier to use.

"You've got pre-filled fields, so you can say, 'I want this message. I want to charge this amount of money,' and the more advanced ransomware as a service will even let you specify where you want to send it," Marriott says. "You can see which targets you've hit, your successes, and your payouts all in one savvy dashboard, with customer support."

The elite ransomware operators, such as those behind the Cerber or Spora variants, run their own infrastructure. They operate their own campaigns and also sell their ransomware as a service to other attackers.

"It's not just your traditional ransomware," Marriott says. "You're also making it available as ransomware as a service, and you've got a nice user interface, customer support. It's very appealing to people because it's all in one place, and it's backed by a team that is constantly developing and improving the variants to get ahead of the people who are creating decryption keys."

These attackers are also agile at incorporating new exploits as they are released to target new victims and generate more revenue.

"What makes a really good ransomware variant is how quickly you have ways to deploy it," Marriott explains. "If you can have it all in one, not only will it be a type of encryption that's very hard to break but you've got a large array of people to send spam emails to, exploit kits you can use to get into networks, and all those things will make it a more successful variant."


Cyber criminals who use ransomware can turn a profit, which is a major incentive to use the malware on targets. Some hackers are also using ransomware as another method to monetize data that's being breached for a separate purpose.

One example was the Gameover Zeus banking Trojan. Its primary purpose was to harvest financial credentials from a victim's computer so the operators could get into the victim's bank accounts. If it found nothing worth stealing, it could install CryptoLocker to encrypt the victim's files and demand a ransom for them.

The hackers took the approach of "can I make money this way? If not, let's just encrypt stuff and see what happens, we can maybe get a bit of money out of it," Marriott explains. "Criminals want to make money from data, and it's not necessarily siloed into one tactic. They'll take different tactics to monetize that data."

There are also cyber criminals who aren't interested in making money, but in sowing disruption. Ranscam and Hitler-Ransomware, for instance, claimed to encrypt files but simply deleted them, so there was nothing to recover even if the victim paid.

"They're basically encrypting people's files just for the fun of it," Marriott says. "They didn't want any money. They were just people who were a bit bored and wanted to cause a bit of mayhem."

Politics can also motivate; some cyber criminals encrypted files of Israel-based firms and organizations, demanding a free Palestinian state in return for file access.

"It was not a particularly sophisticated variant, as I understand, but it's interesting that it's not always about the money—just disruption is also a valid motivation for cyber criminals or malicious actors," Marriott says.

And while financially motivated ransomware campaigns will continue to operate at the forefront, Marriott says that it is feasible that ransomware will be used as a disruption or hacktivism method in the future.

One possible recent example of this might be the NotPetya ransomware campaign, which did not generate high profits for the cyber criminals behind it and appeared to target numerous Ukrainian organizations.

"One theory and hypothesis was that because it was heavily Ukrainian in the targeting and the timing was around the Ukrainian independence holiday…it lent itself towards the conclusion that it could have been a nation-state that wasn't particularly fond of Ukrainian independence," Marriott says.

But because no one has claimed responsibility for the ransomware attack, there's no guarantee that it was politically motivated.

"There are so many kinds of smoke and mirrors using ransomware and propagation worldwide to distract people," Marriott says. "NotPetya could be that, but at the same time, it could just be cyber criminals that aren't very good—that make mistakes."


None of the experts Security Management spoke to expect ransomware to go away any time in the near future, and EUROPOL says ransomware is likely to morph into new variants used to target mobile devices, as well as computer files.

"Now firmly established as a daily desktop malware threat, the profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms," the EUROPOL report said. "Given the scale of mobile device ownership (with many more mobile devices than people) there is no shortage of fertile ground for the proliferation of ransomware."

EUROPOL also predicts that ransomware is likely to spread to other smart devices, including smart televisions.

"Following the pattern of data stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth," according to the EUROPOL report.

In an attempt to make it more difficult for attackers to infiltrate systems and spread ransomware, international law enforcement has focused on raising awareness about the threat and encouraging companies to adopt proactive defense measures.

For instance, the U.S. interagency report recommends a series of preventive measures for organizations to take—including implementing awareness and training programs for employees, enabling strong spam filters to prevent phishing emails from reaching users, scanning all incoming and outgoing email, managing privileged accounts, configuring firewalls to block known malicious IP addresses, and patching operating systems.

Regularly patching systems is critically important, as shown with the WannaCry ransomware attack, but it is something many organizations continue to struggle with, Sprickerhoff says.

"It's a sad sort of situation—it isn't sexy. Nobody brags about how awesome their patch rigor is," he adds. "It's not very interesting, but it is so necessary."

One reason companies struggle to stay current on patching is that the process is inherently reactive. A company's IT team has to wait for a vendor, such as Microsoft, to release a fix for a vulnerability, then test the patch to make sure it doesn't break other features in the system, and only then roll it out.

"And it's a monthly occurrence where Microsoft has Patch Tuesday," Sprickerhoff says. "They release some big patch bundle and you have to do it all over again, every month. Rinse, repeat. And so a lot of people say 'I'm going to do it once a quarter unless things are really crazy and I feel like I need to do this.'"

In addition to taking preventive cybersecurity measures, organizations should have a response plan in place in case they are infected with ransomware. And while experts don't recommend paying the ransom to get data back, Kujawa says an organization that is going to pay should negotiate with the attackers for a better rate.

"With ransomware, you're dealing directly with the victim," he explains. "The payment goes straight to you; there's no middle man. The problem, for the criminals, is that if they don't get paid by the victim, they're not getting paid at all. There's no guarantee of value for the criminals, so it's in their best interest to make sure that people can pay."

One example of this was when Hollywood Presbyterian Medical Center in California paid a ransom to get some of its data back after being hit by a ransomware attack. The original ransom amount was more than $1 million, but the hospital needed just one endpoint decrypted.

The hospital negotiated with the criminals and was able to decrypt the information it needed for just $17,000 to get operations back up and running.

"At the end of the day, criminals want to ransom stuff to you," Kujawa says. "You can say, 'No, you're not getting any money,' and then they're left out to dry. If you say, 'We'll give you a little bit of money,' they may be a little more interested in following along because at least they're getting something."