The overall number of ransomware attacks may be on the decline but attacks have become more targeted in an attempt to siphon bigger ransom payments, according to research by cybersecurity firm Vectra.
Since its peak volume in 2017, ransomware – malware that encrypts files and demands payment to unlock them – has been on the decline.
But 2019 has seen criminals move from a high-volume, opportunistic approach – or ‘spray and pray’ – to lower volume, targeted ransomware attacks.
“It’s interesting to me that [ransomware] really made a comeback, because I kind of thought it died, or we beat it. And it came back stronger and smarter,” Chris Morales, head of security analytics at Vectra, told Verdict.
Whereas WannaCry was “one piece of software that did everything” and was highly automated, today’s targeted ransomware tends to be a “module that’s deployed manually”, explains Morales.
In these attacks, criminals gain access to a network through means such as a phishing email and then look around the network before deciding to unleash ransomware.
“They’re putting out ransomware last minute because they decide ‘you know what, I’m going to encrypt this’,” explained Morales. “So because it’s being propagated manually, or very controlled, it’s much harder to stop until the last minute.”
Targeted ransomware such as Ryuk allows cybercriminals to manually determine the price that the company is likely to pay based on their “pain threshold”, i.e. how long they believe the company could survive going down compared to paying the ransom to get back online.
Cloud providers, for example, tend to be seen by attackers as more likely to pay a higher ransom. In January, cloud hosting provider Dataresolution.net was crippled by Ryuk ransomware.
Since Ryuk first appeared in August, the threat actors behind it have netted at least $3,701,893.98 in Bitcoin.
Bye bye WannaCry
Such ransomware is in stark contrast to WannaCry, the notorious ransomware that spread around the world in 2017, hitting organisations including Britain’s National Health Service (NHS).
WannaCry propagated quickly via a Windows exploit known as EternalBlue. The aim of such ransomware is to spread as widely as possible, which it can do by encrypting shared files on a network server and scanning for access privileges that let it spread from one computer to another.
Such file share attacks are not new. But for all the damage inflicted on organisations with WannaCry, it did not collect much in ransom payments.
“The NHS was hit pretty hard and [WannaCry] made a lot of noise and on a global scale. But it turns out it didn’t make a lot of money,” said Morales. “It didn’t pay out as well as people wanted to. And the whole point is to be opportunistic, in terms of financial gain. So being noisy apparently didn’t work.”
The rise in targeted ransomware reflects the next phase in the evolution of ransomware, which only really came on the scene in 2012, explained Morales.
There are now more strains and families available on the black market than ever. These are cheaper and more readily available compared to the days of WannaCry because there is an entire development lifecycle around them now, similar to commercial software.
“If you take it over a timeline, it’s just evolved,” said Morales. “They’ve gotten better at it. And there’s a realisation that rather than be a random, just shoot it out there [attack], it’s evolved to the point now where it’s become more of a tool, and less than just this massive attack. And it’s targeted.”
Who are the ransomware targets?
Vectra analysed data from the ‘2019 Black Hat Edition of the Attacker Behaviour Industry Report’ to identify the sectors and countries hit most by network ransomware attacks.
In North America, the finance and insurance industry was targeted the most, accounting for 38% of network file encryptions between January and June 2019. Closely behind was the education sector at 37%.
In contrast, there wasn’t a single instance of network file encryption ransomware attacks in the education sector within Europe and the Middle East.
Finance and insurance nonetheless remained the most targeted industry in that region, at 35%, followed by healthcare at 18%.
Notably, Germany was the most targeted country in this period, experiencing almost as many instances of ransomware network encryption as every other country in Europe and the Middle East combined. This is perhaps because Germany is a leader in Industry 4.0, with criminals seeing connected manufacturing as a potentially lucrative target.
Perhaps unsurprisingly, California, home to Silicon Valley, was the most targeted US state.
Tips for businesses to defend against ransomware
The best tip for businesses is to never pay the ransom. There is no guarantee that files will be unlocked, and the business will be added to a ‘suckers list’ that is circulated among cybercriminals, making it likely they’ll be targeted again.
Vectra recommends using tools to carry out proactive searching on the network to spot attackers while they are carrying out reconnaissance and before they encrypt network files.
The US-based firm also suggests backing up regularly, having a ransomware response plan in place and rehearsing it.
Organisations should also keep an eye on privileged access accounts that have access to critical systems, as these are the most likely to be targeted.
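As an added illustration of the hunting advice above (this is not code from the article or from Vectra), the following toy Python detector runs over constructed file-server audit events and flags the two behaviours the article describes: a client touching many servers (the reconnaissance phase) and a client replacing many shared files with copies under a new extension (network file encryption). The log format, hostnames, share names and the `.ryk` extension are all constructed for the example.

```python
# Toy behavioural detector for the two phases the article describes: reconnaissance
# before a targeted ransomware deployment, and network file encryption on a shared
# server. Added example; the log format is constructed and is not any product's output.
from collections import defaultdict

# Constructed sample events: "<time> <client> <server> <share> <op> <path>".
SAMPLE_LOG = """\
09:00:01 ws-17 fs01 finance WRITE /q2/budget.xlsx.ryk
09:00:02 ws-17 fs01 finance DELETE /q2/budget.xlsx
09:00:02 ws-17 fs01 finance WRITE /q2/payroll.csv.ryk
09:00:03 ws-17 fs01 finance DELETE /q2/payroll.csv
09:00:03 ws-17 fs01 finance WRITE /q2/forecast.docx.ryk
09:00:04 ws-17 fs01 finance DELETE /q2/forecast.docx
08:30:10 ws-42 fs01 public READ /readme.txt
08:30:11 ws-42 fs02 ipc$ READ /
08:30:12 ws-42 dc01 sysvol READ /policies
08:30:13 ws-42 fs03 backups READ /
08:31:05 ws-05 fs01 finance WRITE /q2/budget.xlsx
"""

def parse_events(text):
    """Split the constructed log into (client, server, share, op, path) tuples."""
    return [tuple(line.split()[1:]) for line in text.splitlines()]

def detect_recon(events, min_servers=3):
    """Clients touching at least min_servers distinct servers: the 'look around' phase."""
    seen = defaultdict(set)
    for client, server, _, _, _ in events:
        seen[client].add(server)
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_servers}

def detect_mass_encryption(events, min_files=3):
    """Clients that write an original back under a new extension and then delete
    the original, for at least min_files files. Returns {client: extension}."""
    written, deleted = defaultdict(set), defaultdict(set)
    for client, _, _, op, path in events:
        if op == "WRITE":
            written[client].add(path)
        elif op == "DELETE":
            deleted[client].add(path)
    hits = {}
    for client, originals in deleted.items():
        exts = defaultdict(int)
        for path in written[client]:
            stem, dot, ext = path.rpartition(".")
            if dot and stem in originals:   # original replaced by <original>.<ext>
                exts["." + ext] += 1
        hits.update({client: e for e, n in exts.items() if n >= min_files})
    return hits
```

A normal edit that writes a file back under its own name (ws-05 above) triggers neither rule, which is the distinction a hunting query needs in order to stay usable.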
Organisations hit by ransomware can contact the No More Ransom Project, a free-to-use initiative set up by Europol, McAfee and the Dutch police to help unlock encrypted files.