The Increase in Targeted Ransomware

Published By:
Published ON:
September 23, 2016

Ransomware is shaping up to be the stand-out cyber threat of the decade. Victims now number in their millions, and the average loss per incident has risen from $294 to $679 as of the end of 2015, according to Symantec.So why has it become the preferred method of attack for so many criminals? And why is the success rate so high?The answer is a confluence of a few different factors, namely anonymity, simplicity and scalability.

1. For a start, the perceived anonymity of Bitcoin (the main monetisation process), is deeply incentivising to risk-averse cybercriminals.

Many ransomware schemes now include obfuscating Tumbler services and ToR infrastructure to provide further reassurances to attackers.

2. There’s no technical barrier to entry.

Ransomware-as-a-Service (RaaS) is incredibly simple to use, and distributors require no malware development skills. This increased user-base also benefits ransomware authors who then profit from a larger number of infections.

3. It spreads to critical systems and data quickly.

Self-propagating malware is very good at finding and infecting backups and other critical systems that drive victims to pay up by reducing the likelihood of independent recovery.

4. It runs itself.

Ransomware campaigns are often a low-maintenance option for organised crime groups. They need minimal technical administration compared with, for instance, banking Trojan operations, nor do they require the lengthy data gathering and social engineering activities associated with Business Email Compromise scams.

Importantly, none of these factors preclude further evolution of the medium. Criminals are greedy, and if there’s a way to squeeze more money from targets, then they’ll find it.

The simplest and most efficient way to do this is to more closely target high-value assets, and there’s evidence to suggest certain groups are changing their approach already.

In February of this year, the Hollywood Presbyterian Hospital in Los Angeles paid the equivalent of $17,000 in Bitcoins to regain access to medical records. The hospital's President and CEO, Allen Stefanek, referred to the situation as an ‘internal emergency’, and warned that critical emergency room systems may have been affected. Whether or not this was a targeted attack is still unclear, but it’s likely the size of the ransom, and the means by which it was acquired, will have been noted by criminal onlookers.

It’s not merely that humans are becoming more inventive in their targeting – but that the technology itself is evolving.

Samsam ransomware, for instance, is delivered to its target via a compromised server, rather than the more typical email or exploit root kits. This makes it particularly suited to spreading faster and wider across enterprise networks.

Developments in other ransomware families are also signalling a focus on businesses. LowLevel04 ransomware, for instance, scans all mapped drives, including removable and network drives. Smaller companies may not have the capability or capital to implement the backup architecture required to protect against such a threat.

This newfound specificity – of both human behaviour and of specially developed software – is simultaneously known to be common and yet woefully under-reported to law enforcement agencies. The attacks on small to medium sized companies by the German group behind Chimera ransomware from September last year, are only an indication of things to come.

So what now? We shouldn’t let the increased prevalence of small-time attacks (enabled by less sophisticated actors using RaaS) blind us to the growing capabilities of more experienced actors.

Crime groups are experts in making money out of the same operation in as many ways as possible. Where we once saw crime groups stealing data and money, they are now more likely to install ransomware at the end of an infiltration campaign in order to squeeze as much money out of an organisation as possible.

Once an attacker has infiltrated a network to the extent that they understand the criticality of the data, they have the necessary leverage to charge truly astronomical ransom fees, secure in the knowledge they hold your business in their hands.

Security Alliance is due to present at the Law Firms and Cyber-Attack Conference 2016 in October. At the event, we will be releasing our research paper that focuses on the current threat landscape faced by law firms. Law firms are a prime example of organisations that are likely to face more direct targeting of ransomware. As an industry that handles large amounts of sensitive and aggregated data, expect ransoms to become eye-watering.

Security Alliance has a limited number of guest tickets available for the event. If you would like to attend or register for a copy of the paper, please get in touch at


User education is key. Email is the main attack vector for ransomware and users are notoriously the weakest link in cyber security.

Invest in modern, segregated backups - ideally in different locations. Ensure you test your recovery processes.

Review your technical security posture, including user permissions, email filtering, endpoint solutions, intrusion detection and intrusion prevention systems. Consider if you can turn off macros for regular users.

If you are infected with ransomware, research it on the internet. Check to see if a decryption tool is available online on web portals such as No More

Invest in security testing programmes and threat assessments. Understand where threats to your company will come from, by whom and how.

Find out more about our cyber security services:

Or contact us at or +44 (0)20 7148 7475 to speak to a cyber intelligence consultant.