Ransomware 2.0: Anatomy of an emerging multibillion business

Feb 08, 2017 | 6 min read
Advanced Persistent Threats, Backup and Recovery, Cybercrime

What to expect from the fastest-growing sector of cybercrime in 2017, and how to resist it.

Technically speaking, almost all components of ransomware, such as spear phishing, watering-hole attacks on popular and trusted websites, antivirus evasion techniques and data encryption algorithms, are well known and have been used separately by attackers for years. Nonetheless, modern ransomware certainly merits classification as one of the fastest-evolving sectors of cybercrime in 2017.

Though it is difficult to calculate the overall damage caused by ransomware in 2016, some researchers state that cybercriminals received over $1 billion in ransom payments last year. Others report a 3,500% increase in the criminal use of infrastructure that helps run ransomware campaigns. Carbon Black says that ransomware is the fastest-growing malware across industries, up 50% in 2016, with technology (218%), utilities and energy (112%) and banking (93%) seeing the highest year-on-year growth.

Due to a serious shortage of qualified technical personnel and other resources, law enforcement agencies worldwide are unprepared to detect, prevent and prosecute this type of digital crime. Moreover, more and more cases of ransom payments by police departments have become public, while the officers who dare to refuse take a substantial risk: a Texas police department lost eight years of investigative work and all of its evidence by refusing to pay the cybercriminals. This sad picture explains why the majority of despairing victims of cybercrime fail to report it to law enforcement at all.

Attackers can rent Ransomware-as-a-Service (RaaS) infrastructure for as little as $39.99 per month and make up to $195,000 in monthly profit with far less effort than other niches of digital fraud and crime require. The ransomware business has become so attractive that some cybercriminals don't even bother to encrypt the data: they simply extort money from their victims with fake malware. Victims are so frightened by media stories about ransomware, combined with law enforcement's inability to protect them or even to punish the offenders, that they usually pay.
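The "fake malware" point has a practical corollary for a victim: before believing a ransom note, check whether the files are actually encrypted. The Python below is an added example, not code from the article or its author. It looks for surviving file headers and measures the Shannon entropy of each file's first bytes, over sample files constructed inline; the entropy cut-offs and file names are assumptions for illustration.

```python
"""Is it really encrypted? Triage the affected files before believing a ransom note.

Added example, not code from the article or its author. The sample files are
constructed inline; thresholds and file names are assumptions for illustration.
"""
import hashlib
import math
from collections import Counter
from pathlib import Path

# Magic bytes of common document types. Genuine encryption destroys them;
# a scam that only renames files leaves them in place.
KNOWN_HEADERS = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip / modern office",
    b"\xd0\xcf\x11\xe0": "legacy office",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
ENCRYPTED_THRESHOLD = 7.5   # bits per byte; ciphertext approaches 8.0 (assumed cut-off)
PLAINTEXT_THRESHOLD = 5.5   # English text, CSV and logs sit around 4 to 5 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 4096) -> str:
    """Heuristic verdict for one file based on its first sample_size bytes.

    Caveat: ransomware that encrypts from a later offset, or only part of the
    file, leaves the header intact and would be reported as 'intact' here.
    """
    head = path.read_bytes()[:sample_size]
    if any(head.startswith(magic) for magic in KNOWN_HEADERS):
        return "intact"        # header survived: renamed, not encrypted
    ent = shannon_entropy(head)
    if ent >= ENCRYPTED_THRESHOLD:
        return "encrypted"
    if ent <= PLAINTEXT_THRESHOLD:
        return "plaintext"     # readable data behind a scary extension
    return "unclear"           # compressed or binary data without a known header


def triage(root: Path) -> dict:
    """Count verdicts across a tree and judge whether the 'encryption' is real."""
    counts = Counter(classify(p) for p in root.rglob("*") if p.is_file())
    total = sum(counts.values())
    if total == 0:
        verdict = "no-files"
    elif counts["encrypted"] > total / 2:
        verdict = "real"           # most files are ciphertext: treat as a real incident
    else:
        verdict = "suspect-fake"   # most files are readable: likely scareware
    return {"counts": dict(counts), "total": total, "verdict": verdict}


def build_constructed_samples(root: Path, real_encryption: bool) -> Path:
    """Constructed test data, not real victim files.

    real_encryption=False mimics the scam described above: files are only renamed
    to .locked. real_encryption=True replaces their contents with deterministic
    pseudo-random bytes that stand in for ciphertext (no real cipher is used).
    """
    root.mkdir(parents=True, exist_ok=True)
    originals = {
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 20,
        "ledger.xlsx": b"PK\x03\x04" + b"[Content_Types].xml" * 50,
        "notes.txt": (b"Meeting notes: test the backup restore, rotate the service "
                      b"account password and confirm the offline copy is current.\n") * 4,
    }
    for name, data in originals.items():
        if real_encryption:
            data = b"".join(hashlib.sha256(name.encode() + bytes([i])).digest()
                            for i in range(128))   # 4096 stand-in ciphertext bytes
        (root / (name + ".locked")).write_bytes(data)
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for real in (False, True):
            sample = build_constructed_samples(Path(d) / ("real" if real else "fake"), real)
            print(sample.name, triage(sample))
```

Treat the verdict as triage, not proof: compressed formats without a known header land in "unclear", and a family that skips the first bytes of each file will pass the header check. Either way, preserve the files as they are (a copy of the encrypted data is what a later decryptor would need) and run the check against a sample from several shares, not a single folder.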

The new generation of ransomware attacks IoT and smart devices, locking not only mobile phones and smart TVs but also hotel room doors and air-conditioning systems in luxury smart homes. Criminals are switching from encrypting files to encrypting databases and web applications, demonstrating how well ransomware tactics scale.

To increase their profits, the hacking teams behind ransomware campaigns now threaten to send the victim's sensitive data to all of their contacts instead of merely deleting it. Cryptocurrencies allow attackers to receive payments with almost no risk of being traced and prosecuted. Despite the media hype around blockchain's ability to reinvent and improve the world, so far only cybercriminals have fully leveraged the potential of this emerging technology.

A simple business model, high profits, cheap and readily available resources for deploying large-scale attack campaigns, and low risk compared to other sectors of (cyber)crime assure ransomware a flourishing future. And that is without mentioning the problem of global inequality that actually fuels cybercrime, which I briefly described in Forbes recently.

Nonetheless, this does not mean that organizations should give up. The FBI confirms the skyrocketing problem of ransomware but recommends relying on prevention rather than paying ransoms to criminals. PwC also recommends planning and preparing the organization for this kind of incident, so that it has the internal capability to recover without suffering major financial losses.

Some cybersecurity vendors, like SentinelOne, contractually guarantee protection and provide financial insurance for their clients. Others, like Kaspersky, offer free tools to decrypt data compromised by popular ransomware families. Last but not least, Europol's No More Ransom public-private partnership with other law enforcement agencies and leading cybersecurity companies provides a comprehensive collection of free tools to recover data and clean systems infected with ransomware. Bear in mind that such decryptors exist only for families whose keys were seized or whose implementation was flawed, so keep a copy of the encrypted files even when no tool is available yet: one may appear later.

Below are six essential steps that will help you avoid paying a ransom:

  • Maintain a comprehensive and up-to-date inventory of all your digital assets. You cannot defend what you don't know.
  • Make sure that you have implemented proper access control and segregation to prevent a domino effect triggered by a single compromised device.
  • Implement continuous monitoring of your physical and virtual IT infrastructure, software and security patches, as well as of new threats and malware targeting your industry.
  • Create and regularly test a Disaster Recovery Plan (DRP) that will allow you to mitigate the loss of any critical data in a reasonable timeframe, and at a cost compatible with your corporate risk appetite. Keep at least one backup copy offline or otherwise unreachable from the systems it protects: ransomware encrypts every share and backup target it can write to.
  • Invest in security training and awareness programs to educate your employees, key suppliers and partners.
  • Verify that your approach to cybersecurity and risk management is based on common-sense principles that your C-level fully understands, shares and practically supports.
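The fourth step, testing the disaster recovery plan, has a concrete technical core: proving that a restore brings back exactly the data that was backed up, and nothing else. The Python below is an added example, not code from the article or its author. The file share, the simulated infection and the offline copy are all constructed inline, and the manifest format (relative path to SHA-256) is an assumption.

```python
"""Backup manifest and restore verification drill for the DRP step above.

Added example, not code from the article or its author. The share contents are
constructed inline. The manifest maps each relative path to its SHA-256 at
backup time; keep it where the backup account cannot overwrite it (offline media
or a write-once bucket) and compare every test restore against it.
"""
import hashlib
import json
import shutil
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored (or live) tree against the manifest from backup time."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))   # ransom notes, .locked files
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "ok": len(manifest) - len(missing) - len(modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "restorable": not missing and not modified,
    }


def build_constructed_sample(root: Path) -> Path:
    """Constructed stand-in for a small file share; not real data."""
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "q4.csv").write_text("account,amount\n1001,250.00\n")
    (root / "readme.txt").write_text("Quarterly reports. Do not edit in place.\n")
    return root


def simulate_ransomware(root: Path) -> None:
    """Mimic a file-encrypting infection on the live share.

    One file is overwritten and renamed, one is overwritten in place (some
    families keep the name), and a ransom note is dropped. The 'ciphertext' is
    a hash digest standing in for encrypted bytes; no real cipher is used.
    """
    junk = hashlib.sha256(b"stand-in ciphertext").digest() * 4
    victim = root / "finance" / "q4.csv"
    victim.write_bytes(junk)
    victim.rename(victim.with_name("q4.csv.locked"))
    (root / "readme.txt").write_bytes(junk)
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay 1 BTC.\n")


def run_drill(workdir: Path) -> tuple:
    """Full cycle: backup plus manifest, infection, test restore, verify both trees."""
    share = build_constructed_sample(workdir / "share")
    backup = shutil.copytree(share, workdir / "backup")       # the offline copy
    manifest_path = workdir / "manifest.json"                  # stored with that copy
    manifest_path.write_text(json.dumps(build_manifest(share), indent=1))
    simulate_ransomware(share)
    manifest = json.loads(manifest_path.read_text())
    restored = shutil.copytree(backup, workdir / "restored")  # the test restore
    return verify_restore(restored, manifest), verify_restore(share, manifest)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        restore_report, live_report = run_drill(Path(d))
        print("restore:", restore_report)
        print("live share:", live_report)
```

Run the drill on a schedule rather than once, and store the manifest with the offline copy: a manifest the ransomware can reach will simply be overwritten alongside the data, and a restore verified against nothing proves nothing. The same verify_restore() call run against the live share doubles as a cheap integrity check that flags renamed, overwritten and newly dropped files.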

By following these rules, any company or organization can significantly reduce its risk of having to pay a ransom. Attackers would rather target easy and unprepared victims than spend their efforts on any particular organization. Properly implemented security standards, like ISO 27001, can also prevent the vast majority of costly ransomware incidents.

However, keep in mind that information security starts with factual security, not with paper-based compliance. If your IT infrastructure is secure in practice, you will not only easily pass the majority of compliance and regulatory requirements, but also defend your business against many vectors of cybercrime, including the growing monster of ransomware.


Ilia Kolochenko is a Swiss application security expert and entrepreneur. Ilia holds a BS (Hons.) in Mathematics and Computer Science and is currently pursuing a Master of Legal Studies degree at Washington University in St. Louis.

Starting his career as a penetration tester, he later founded web security company High-Tech Bridge, headquartered in Geneva. Under his management, High-Tech Bridge won SC Awards Europe 2017 and was named a Gartner Cool Vendor 2017 among numerous other prestigious awards for innovation in application security and machine learning.

Ilia is a contributing writer for SC Magazine UK, Dark Reading and Forbes, mainly writing about cybercrime and application security. He is also a member of the Forbes Technology Council.

The opinions expressed in this blog are those of Ilia Kolochenko and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.