
Microsoft DART ransomware case study


Human-operated ransomware continues to maintain its position as one of the most impactful cyberattack trends world-wide and is a significant threat that many organizations have faced in recent years. These attacks take advantage of network misconfigurations and thrive on an organization's weak interior security. Although these attacks pose a clear and present danger to organizations and their IT infrastructure and data, they are a preventable disaster.

The Microsoft Detection and Response Team (DART) responds to security compromises to help customers become cyber-resilient. DART provides onsite reactive incident response and remote proactive investigations. DART leverages Microsoft's strategic partnerships with security organizations around the world and internal Microsoft product groups to provide the most complete and thorough investigation possible.

This article describes how DART investigated a recent ransomware incident with details on the attack tactics and detection mechanisms.

See Part 1 and Part 2 of DART's guide to combatting human-operated ransomware for more information.

DART leverages incident response tools and tactics to identify threat actor behaviors for human-operated ransomware. Public information regarding ransomware events focuses on the end impact, but rarely highlights the details of the operation and how threat actors were able to escalate their access undetected to discover, monetize, and extort.

Here are some common techniques that attackers use for ransomware attacks, based on MITRE ATT&CK tactics.

Common techniques that attackers use for ransomware attacks.

DART used Microsoft Defender for Endpoint to track the attacker through the environment, create a story depicting the incident, and then eradicate the threat and remediate. Once deployed, Defender for Endpoint began detecting successful logons from a brute force attack. Upon discovering this, DART reviewed the security data and found several vulnerable Internet-facing devices using the Remote Desktop Protocol (RDP).

After initial access was gained, the threat actor used the Mimikatz credential harvesting tool to dump password hashes, scanned for credentials stored in plaintext, created backdoors with Sticky Keys manipulation, and moved laterally throughout the network using remote desktop sessions.

For this case study, here is the highlighted path that the attacker took.

The path the ransomware attacker took for this case study.

The following sections describe additional details based on the MITRE ATT&CK tactics and include examples of how the threat actor activities were detected with the Microsoft Defender portal.

Initial access

Ransomware campaigns use well-known vulnerabilities for their initial entry, typically phishing emails or weaknesses in perimeter defenses such as devices with the Remote Desktop service enabled and exposed to the Internet.

For this incident, DART was able to locate a device that had TCP port 3389 for RDP exposed to the Internet. This allowed threat actors to perform a brute-force authentication attack and gain the initial foothold.

Defender for Endpoint used threat intelligence to determine that there were numerous sign-ins from known brute-force sources and displayed them in the Microsoft Defender portal. Here's an example.

An example of known brute-force sign-ins in the Microsoft Defender portal.
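As an added example (not from the DART article), the following Python applies the same detection idea to a constructed sample of Windows Security log events: it flags an RDP success that follows a burst of failed logons from one source IP and lists the accounts that source tried, which separates a password spray from a single-account guess. The log shape, IP addresses and account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, flattened to
# (timestamp, event id, source IP, account, logon type). 4625 is a failed logon,
# 4624 a success; logon type 10 (RemoteInteractive) is an RDP session.
# 203.0.113.45 is a documentation address standing in for an external source.
FAILED_BURST = [
    (f"2023-01-10T02:14:{sec:02d}", 4625, "203.0.113.45", user, 10)
    for sec, user in enumerate(["administrator", "administrator", "admin",
                                "backup", "scanner", "jsmith", "jsmith"], start=1)
]
SAMPLE_LOGONS = FAILED_BURST + [
    ("2023-01-10T02:16:40", 4624, "203.0.113.45", "jsmith", 10),  # success after the burst
    ("2023-01-10T09:00:00", 4624, "10.0.0.25", "jsmith", 10),     # ordinary internal RDP
    ("2023-01-10T09:01:00", 4625, "10.0.0.31", "bob", 10),        # a single mistyped password
    ("2023-01-10T09:01:30", 4624, "10.0.0.31", "bob", 10),
]


def rdp_successes_after_bruteforce(events, window=timedelta(minutes=15), threshold=5):
    """Return one record per RDP success that was preceded, from the same source IP
    and within `window`, by at least `threshold` failed logons. Each record lists the
    accounts that source tried, which separates a spray from a single-account guess."""
    failures = defaultdict(list)          # source IP -> [(time, account), ...]
    hits = []
    for ts, event_id, src, account, logon_type in sorted(events):
        if logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append((t, account))
        elif event_id == 4624:
            recent = [(ft, acct) for ft, acct in failures[src] if t - ft <= window]
            if len(recent) >= threshold:
                hits.append({
                    "source_ip": src,
                    "account": account,
                    "success_time": ts,
                    "failures_before": len(recent),
                    "accounts_tried": sorted({acct for _, acct in recent}),
                })
    return hits


def sources_by_failure_count(events):
    """Failed RDP logons per source IP: a quick view of who is hammering port 3389."""
    counts = defaultdict(int)
    for _, event_id, src, _, logon_type in events:
        if event_id == 4625 and logon_type == 10:
            counts[src] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for hit in rdp_successes_after_bruteforce(SAMPLE_LOGONS):
        print(hit)
    print(sources_by_failure_count(SAMPLE_LOGONS))
```

The single failure from 10.0.0.31 stays below the threshold, so only the external source that tried five distinct accounts before succeeding is reported.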

Reconnaissance

Once the initial access was successful, environment enumeration and device discovery began. These activities allowed the threat actors to identify information about the organization's internal network and target critical systems such as domain controllers, backup servers, databases, and cloud resources. After the enumeration and device discovery, the threat actors performed similar activities to identify vulnerable user accounts, groups, permissions, and software.

The threat actor leveraged Advanced IP Scanner, an IP address scanning tool, to enumerate the IP addresses used in the environment and perform subsequent port scanning. By scanning for open ports, the threat actor discovered devices that were accessible from the initially compromised device.

This activity was detected in Defender for Endpoint and used as an indicator of compromise (IoC) for further investigation. Here's an example.

An example of port scanning in the Microsoft Defender portal.

Credential theft

After gaining initial access, the threat actors performed credential harvesting using the Mimikatz password retrieval tool and by searching for files containing “password” on initially compromised systems. These actions enabled the threat actors to access additional systems with legitimate credentials. In many situations, threat actors use these accounts to create additional accounts to maintain persistence after the initial compromised accounts are identified and remediated.

Here's an example of the detected use of Mimikatz in the Microsoft Defender portal.

An example of Mimikatz detection in the Microsoft Defender portal.

Lateral movement

Movement across endpoints can vary between organizations, but threat actors commonly use whatever remote management software already exists on the device. By using the same remote access methods that the IT department relies on in its day-to-day work, threat actors can fly under the radar for extended periods of time.

Using Microsoft Defender for Identity, DART was able to map out the path that the threat actor took between devices, displaying the accounts that were used and accessed. Here's an example.

The path that the threat actor took between devices in Microsoft Defender for Identity.

Defense evasion

To avoid detection, the threat actors used defense evasion techniques to avoid identification and achieve their objectives throughout the attack cycle. These techniques include disabling or tampering with anti-virus products, uninstalling or disabling security products or features, modifying firewall rules, and using obfuscation techniques to hide the artifacts of an intrusion from security products and services.

The threat actor for this incident used PowerShell to disable real-time protection for Microsoft Defender on Windows 11 and Windows 10 devices and local networking tools to open TCP port 3389 and allow RDP connections. These changes decreased the chances of detection in an environment because they modified system services that detect and alert on malicious activity.

Defender for Endpoint, however, cannot be disabled from the local device and was able to detect this activity. Here's an example.

An example of detecting the use of PowerShell to disable real-time protection for Microsoft Defender.

Persistence

Persistence techniques include actions by threat actors to maintain consistent access to systems after efforts are made by security staff to regain control of compromised systems.

The threat actors for this incident used the Sticky Keys hack because it allows for remote execution of a binary inside the Windows operating system without authentication. They then used this capability to execute a Command Prompt and perform further attacks.

Here's an example of the detection of the Sticky Keys hack in the Microsoft Defender portal.

An example of detecting the Sticky Keys hack in the Microsoft Defender portal.

Threat actors typically encrypt files using applications or features that already exist within the environment. The use of PsExec, Group Policy, and Microsoft Endpoint Configuration Management are methods of deployment that allow an actor to quickly reach endpoints and systems without disrupting normal operations.

The threat actor for this incident leveraged PsExec to remotely launch an interactive PowerShell Script from various remote shares. This attack method randomizes distribution points and makes remediation more difficult during the final phase of the ransomware attack.

Ransomware execution

Ransomware execution is one of the primary methods that a threat actor uses to monetize their attack. Regardless of the execution methodology, distinct ransomware frameworks tend to have a common behavioral pattern once deployed:

  • Obfuscate threat actor actions
  • Establish persistence
  • Disable Windows error recovery and automatic repair
  • Stop a list of services
  • Terminate a list of processes
  • Delete shadow copies and backups
  • Encrypt files, potentially specifying custom exclusions
  • Create a ransomware note

Here's an example of a ransomware note.

An example of a ransomware note.

Additional ransomware resources

Key information from Microsoft:

  • The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
  • Human-operated ransomware
  • Rapidly protect against ransomware and extortion
  • 2021 Microsoft Digital Defense Report (see pages 10-19)
  • Ransomware: A pervasive and ongoing threat threat analytics report in the Microsoft Defender portal
  • Microsoft DART ransomware approach and best practices

Microsoft 365:

  • Deploy ransomware protection for your Microsoft 365 tenant
  • Maximize Ransomware Resiliency with Azure and Microsoft 365
  • Recover from a ransomware attack
  • Malware and ransomware protection
  • Protect your Windows 10 PC from ransomware
  • Handling ransomware in SharePoint Online
  • Threat analytics reports for ransomware in the Microsoft Defender portal

Microsoft Defender XDR:

  • Find ransomware with advanced hunting

Microsoft Defender for Cloud Apps:

  • Create anomaly detection policies in Defender for Cloud Apps

Microsoft Azure:

  • Azure Defenses for Ransomware Attack
  • Backup and restore plan to protect against ransomware
  • Help protect from ransomware with Microsoft Azure Backup (26 minute video)
  • Recovering from systemic identity compromise
  • Advanced multistage attack detection in Microsoft Sentinel
  • Fusion Detection for Ransomware in Microsoft Sentinel

Microsoft Security team blog posts:

3 steps to prevent and recover from ransomware (September 2021)

A guide to combatting human-operated ransomware: Part 1 (September 2021)

Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.

A guide to combatting human-operated ransomware: Part 2 (September 2021)

Recommendations and best practices.

Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats (May 2021)

See the Ransomware section.

Human-operated ransomware attacks: A preventable disaster (March 2020)

Includes attack chain analyses of actual attacks.

Ransomware response—to pay or not to pay? (December 2019)

Norsk Hydro responds to ransomware attack with transparency (December 2019)

Additional resources

  • Incident response
  • Microsoft Incident Response

The five-day job: A BlackByte ransomware intrusion case study

By Microsoft Incident Response

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

  • Exploitation of unpatched internet-exposed Microsoft Exchange Servers
  • Web shell deployment facilitating remote access
  • Use of living-off-the-land tools for persistence and reconnaissance
  • Deployment of Cobalt Strike beacons for command and control (C2)
  • Process hollowing and the use of vulnerable drivers for defense evasion
  • Deployment of custom-developed backdoors to facilitate persistence
  • Deployment of a custom-developed data collection and exfiltration tool

BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact.

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.  

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

  • Attain system-level privileges on the compromised Exchange host
  • Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
  • Construct a valid authentication token and use it against the Exchange PowerShell backend
  • Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
  • Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

  • 185.225.73[.]244

Persistence

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

  • hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

  • hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

  • 109.206.243[.]59:443

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

  • netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
  • netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatz was also uncovered through the presence of a related log file, mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

  • C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure 2. Binary analysis showing file extensions enumerated by explorer.exe

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

  • hxxps://g.api.mega.co[.]nz


We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

  • If this check fails, ShellExecuteW is invoked with the lpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

  • If the text file doesn't exist, it invokes a command for self-deletion and exits from memory.
  • If data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function, and then decrypts the data using the key provided on the command line. The decrypted data is then parsed as JSON and fed to the login function.

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

  • hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

  • schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

  • When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
  • When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

  • C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
  • C:\SystemData\wEFT.exe (Additional BlackByte binary)
  • C:\SystemData\MsExchangeLog1.log (Log file)
  • C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
  • C:\SystemData\iHu6c4.ico (Random name; BlackByte's icon)
  • C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
  • C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

  • The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read or write to arbitrary memory
  • The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES , and exploits this service to evade detection by installed antivirus software
  • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "PATH_TO_BLACKBYTE" /F /Q
  • cmd /c netsh advfirewall set allprofiles state off
  • cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  • cmd /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
  • cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
  • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
  • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
  • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  • cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
  • Ability to terminate running services and processes
  • Ability to enumerate and mount volumes and network shares for encryption
  • Performs the anti-forensics technique of timestomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00)
  • Ability to perform anti-debugging techniques

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

  • Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized. Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
  • Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
  • Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
  • Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
  • Block inbound traffic from IPs specified in the indicators of compromise section of this report
  • Block inbound traffic from TOR exit nodes
  • Block inbound access from unauthorized public VPN services
  • Restrict administrative privileges to prevent unauthorized system changes

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As threat actors develop new tools, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly, as a complement to continuous monitoring of the alerts and incidents raised by security tools, to catch attacks that evade automated detections.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft 365 Defender is becoming Microsoft Defender XDR.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Win32/Kovter!MSR
  • Trojan:Win64/WinGoObfusc.LK!MT
  • Trojan:Win64/BlackByte!MSR
  • HackTool:Win32/AdFind!MSR
  • Trojan:Win64/CobaltStrike!MSR

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • ‘CVE-2021-31207’ exploit malware was detected
  • An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
  • Suspicious registry modification.
  • ‘Rtcore64’ hacktool was detected
  • Possible ongoing hands-on-keyboard activity (Cobalt Strike)
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Suspicious sequence of exploration activities
  • A process was injected with potentially malicious code
  • Suspicious behavior by cmd.exe was observed
  • ‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  • CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ProxyShell web shell creation events

Suspicious vssadmin events

Detection for persistence creation using Registry Run keys
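The query bodies are not reproduced on this page, so here is an added Python example (not Microsoft's own hunting content) that expresses the behaviours named above, in the BlackByte capability list and in the DART persistence and defense-evasion sections as rules over constructed EDR-style events: the Sticky Keys IFEO debugger, Run-key persistence, the netsh, vssadmin and reg commands, Defender real-time protection being switched off, and the ping-then-delete self-removal. The event schema, host names, users and paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed EDR-style telemetry (a hypothetical schema, not Defender's own):
# "process" events carry a command line, "registry" events a key/value/data triple.
@dataclass(frozen=True)
class Event:
    kind: str
    host: str
    user: str
    cmdline: str = ""
    key: str = ""
    value: str = ""
    data: str = ""

# Accessibility binaries abused by the Sticky Keys technique (IFEO debugger or file swap).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Command-line rules taken from the BlackByte capability list and the DART defense-evasion
# section. The vssadmin pattern also accepts "ShadowStorge", the spelling in that list.
PROCESS_RULES = [
    ("netsh_firewall_disabled",
     r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off"),
    ("vssadmin_shadowstorage_resize",
     r"vssadmin\s+resize\s+shadowstor\w*\s+/for="),
    ("uac_remote_restrictions_disabled",
     r"reg\s+add\s+.*policies\\system.*LocalAccountTokenFilterPolicy.*/d\s+1\b"),
    ("defender_realtime_disabled",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b"),
    ("ping_delay_self_delete",
     r"ping\s+\S+\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s"),
]

def process_findings(e):
    """Match every command-line rule against one process event."""
    return [(name, e.cmdline) for name, pattern in PROCESS_RULES
            if re.search(pattern, e.cmdline, re.IGNORECASE)]

def registry_findings(e):
    """IFEO debugger on an accessibility binary, Run-key persistence, and the UAC
    policy change written directly to the registry rather than through reg.exe."""
    out = []
    k, v = e.key.lower(), e.value.lower()
    m = re.search(r"image file execution options\\([^\\]+)$", k)
    if m and m.group(1) in ACCESSIBILITY_BINARIES and v == "debugger":
        out.append(("ifeo_accessibility_debugger", f"{m.group(1)} -> {e.data}"))
    if re.search(r"\\currentversion\\run(once)?$", k):
        out.append(("run_key_persistence", f"{e.value} = {e.data}"))
    if (k.endswith(r"\policies\system") and v == "localaccounttokenfilterpolicy"
            and e.data.strip().lower() in ("1", "0x1")):
        out.append(("uac_remote_restrictions_disabled", f"{e.value} = {e.data}"))
    return out

def hunt(events):
    """Run every rule over every event; returns (rule, host, user, detail) tuples."""
    findings = []
    for e in events:
        hits = process_findings(e) if e.kind == "process" else registry_findings(e)
        findings.extend((rule, e.host, e.user, detail) for rule, detail in hits)
    return findings

def hosts_with_multiple_rules(findings, minimum=2):
    """Hosts where several distinct rules fired: the chain is a far stronger signal
    than any single command, several of which administrators also run legitimately."""
    per_host = {}
    for rule, host, _, _ in findings:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= minimum)

# Constructed sample; host names, users and paths are made up for this example.
SAMPLE_EVENTS = [
    Event("process", "SRV01", r"CORP\svc_backup",
          cmdline="cmd /c netsh advfirewall set allprofiles state off"),
    Event("process", "SRV01", r"CORP\svc_backup",
          cmdline=r"cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB"),
    Event("process", "SRV01", r"CORP\svc_backup",
          cmdline=r"cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    Event("registry", "WS07", r"CORP\jdoe",
          key=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
              r"\Image File Execution Options\sethc.exe",
          value="Debugger", data=r"C:\Windows\System32\cmd.exe"),
    Event("registry", "WS07", r"CORP\jdoe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          value="Updater", data=r"C:\Users\jdoe\AppData\Roaming\updater.exe"),
    Event("process", "WS02", r"CORP\alice", cmdline="ping 8.8.8.8 -n 1"),  # benign
    Event("process", "WS02", r"CORP\alice",
          cmdline="powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, host, user, detail in found:
        print(f"{host:6} {rule:34} {detail}")
    print("hosts with chained behaviour:", hosts_with_multiple_rules(found))
```

On the sample, SRV01 trips three rules in a row (firewall off, shadow storage resize, UAC remote restriction change) and WS07 two (IFEO debugger plus Run key), while the lone Defender change on WS02 is reported but not flagged as chained.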

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.

  • Web shell activity
  • Suspicious file downloads on Exchange Servers
  • Firewall rule changes
  • Shadow copy deletion
  • Anomalous RDP activity

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

NOTE: These indicators should not be considered exhaustive for this observed activity.

File extensions targeted by BlackByte binary for encryption:

Shared folders targeted for encryption (Example: \\[IP address]\Downloads ):

File extensions ignored:

Folders ignored:

Files ignored:

Processes terminated:

Services terminated:

Drivers that Blackbyte can bypass:

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog .

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel .


Surviving a Ransomware Attack: A Case Study

A project manager for ABC Inc., a manufacturer with $1 billion in annual revenue and operations in 30 countries, steps off the elevator at company headquarters. She’s returning to her office after a lunch break and is eager to get back to work on a major order for a large client that is due next week. But something’s wrong.

When she sits down at her desk, she sees that her computer does not seem to be functioning. Instead of the usual desktop image on her monitor, she sees a lock and a disturbing message:

Your files are encrypted. If you do not submit payment to us — $5 million in bitcoin — within three days, your files will be lost forever.

Worried, she calls ABC’s IT manager on the other side of the floor, but the IT manager and his staff are too busy to answer. Other employees around the world are reporting that procurement and shipping software is inaccessible. At the company’s factories in China, India, and elsewhere, assembly lines have come to a halt. And that same message is being seen on computers at every company office.

The company is a victim of ransomware — an attack that is growing increasingly frequent, severe, and sophisticated.

A ransomware attack can disrupt a business for weeks, cost millions of dollars in downtime and restoration costs, and damage reputations. Millions more are often needed to pay the actual ransom. Personal information may also be exposed, resulting in significant costs for breach notification and credit monitoring. But with the right advisor and with effective planning and preparation, a business can weather the storm and take action to protect its operations, systems, revenue, and reputation.

Marsh can be that advisor to your organization, delivering recommendations before, during, and after an incident. Here’s how a ransomware attack can play out, and how we can help you manage its impacts on your organization.

To Pay or Not to Pay

As critical data is held hostage and systems are rendered inoperable, ABC finds itself in an untenable situation. Operations are completely halted; the technology that powers ABC’s manufacturing line is down. Employees cannot perform critical tasks — they cannot order components that go into their products, nor can they ship finished goods to customers.

With contractual obligations not being met and assembly lines idling, the company is losing money — every hour, every minute, every second. And with the threat actor’s deadline looming, ABC’s risk management and leadership teams face a critical decision: Should we pay the ransom?

Several factors should go into this decision. These include the criticality of affected data and systems, availability and integrity of data backups, cost of the ransom versus the estimated cost of restoration, the likelihood of successful restoration (whether the ransom is paid or not), and regulatory implications.

Organizations should develop guidance regarding ransomware decision-making and build this into their incident response plans. Generally, choosing to pay or not requires careful consideration and input from key stakeholders, including in-house and outside legal counsel and vendors.

As ABC considers its options, it can rely on Marsh for help.

Scenario 1: Paying the Ransom

ABC makes the decision to pay the ransom after determining that restoring its systems, files, and data from its own resources is either not possible or could not be done in time. ABC quickly engages a law firm with specific expertise in ransomware to serve as the incident response coordinator.

Computer forensic teams actively investigate the incident and try to determine its scope while working to limit the spread of the malware. Crisis management and public relations teams are engaged to manage reputational harm.

ABC, meanwhile, is also busy getting the necessary internal authorizations and working with third parties to prepare for a cryptocurrency payment. Legal and regulatory checks must be performed, such as a review of whether payment is possible under rules established by the Office of Foreign Assets Control, which prohibits payment to certain sanctioned foreign parties.

A ransomware response vendor, meanwhile, begins negotiating with attackers on ABC’s behalf for a reduction in payment demands and a later deadline. The vendor’s specialists have seen this strain of ransomware before and understand how the threat actor group operates.

After initial communication with the threat actor group’s “PR department,” the vendor engages the threat actor group’s “finance department” and succeeds in extending the payment deadline and cutting the required payment to $2 million in bitcoin. The ransomware response firm also tests the decryption keys to make sure they work.

ABC is ready to make payment. The company works with its legal advisors and ransomware response vendor to make a bitcoin payment to the cyber-attackers four days after the ransomware message first appeared. In exchange, its IT team receives a decryption key to restore access to the network.

The work, however, is far from over. It may take weeks to deploy the decryption keys across ABC’s network and restore all impacted systems to full functionality. Additional forensics may be necessary to confirm there are no remnants of the malware, that backdoors are identified and eliminated, and that systems have been scrubbed clean.

Backups will need to be reconfigured and tested, and data may need to be restored. To prevent incident recurrence, new hardware or software may also be needed as part of reengineering IT systems and boundaries. The focus of reengineering is to improve the overall security environment and support improved cybersecurity monitoring.

ABC’s cyber insurance coverage, secured with the help of its brokers at Marsh, can prove useful. ABC’s cyber policy will reimburse the ransomware payment and cover the costs of the vendors that helped with the negotiation. Incident response, including attorney fees, PR expenses, and data restoration costs will also be covered, as is lost income during ABC’s downtime and extra expenses that might have been incurred to keep operating.

In addition to securing your cyber policy, Marsh can help you navigate the carrier's vendor and ransomware reimbursement consent requirements. And we can help you prepare a business interruption claim to ensure that you maximize your cyber insurance coverage.

As ABC returns to some semblance of normalcy, the assembly line once again begins to hum.

Scenario 2: Not Paying the Ransom

In ABC’s executive offices, the ransomware demand sparks heated debate. While some argue in favor of paying quickly to minimize the damage and resume operations as quickly as possible, company leadership ultimately concludes that the company will be able to make a near full recovery using its offline backups.

After engaging a ransomware response vendor, ABC also learns that the attackers hardly ever deliver a working decryptor key. For these reasons, ABC decides not to pay the ransom.

Instead, ABC works with its advisors — including consultants from Marsh, experienced cyber legal counsel, forensic analysts, and others — to determine the extent of attackers’ presence within their networks and what data and systems may be compromised. Efforts are taken to contain the malware and to isolate and remediate impacted systems. Once the network is scrubbed clean, ABC then takes steps to restore backups and rebuild critical datasets.

ABC’s cyber insurance coverage can again prove useful, responding in many of the same ways as if the company had paid the ransom. Its policy provides coverage for incident response, data restoration, business interruption, and extra expenses.

One week after the ransomware message first appeared, ABC successfully starts restoring access to its core systems and backup data, though the process is still a long one. As ABC rebuilds its IT infrastructure, some legacy systems need to be replaced. While operations can resume as active monitoring for indicators of compromise (IoCs) continues, ABC is only operating at 50% capacity. Once the network is scrubbed clean and purged of malware, the company gradually increases its capacity to get back up and running again.

Three weeks out, factory operations resume at 100% capacity and affected employees fully return to work. ABC can once again focus on its core mission of delivering high-quality manufactured goods to its customers.

Managing Claims

With cyber insurance responding in either scenario, the next phase for ABC is to seek recovery.

With help from Marsh, which regularly communicated with insurers as the company responded to the ransomware attack, ABC’s risk management team gets to work capturing loss estimates tied to its downtime following the attack and cataloguing extra expenses incurred while responding. Documenting and capturing decisions regarding activities and resources during the incident, as they are made, is critical to ABC’s successful claim development — and Marsh supports the process to help maximize insurance recovery.

Once this information is in hand, ABC provides its cyber insurer with a detailed submission. Ultimately, the company is able to recoup the reasonable and necessary costs from the incident — subject to self-insured retentions — under the terms of its well-crafted cyber insurance policy.

Post-Incident Steps

The ransomware attack is over; ABC has weathered the storm. But there’s still one final step in the process.

As part of its cyber incident response plan, ABC’s final action is to conduct an after-action review. The purpose of this exercise is to understand and document what went well and what didn’t — and how to address any gaps or weaknesses. That’s a critical step to take in order to ensure ABC learns from the incident and is better prepared for the possibility of a future attack, which may be similar to the last one — or completely different.

With the help of a forensics provider, ABC learns that the ransomware entered its networks through a phishing campaign and was able to spread across its network with ease, scooping up administrative credentials along the way and even credentials for the company’s industrial control systems. Armed with these findings, ABC develops an action plan to harden its cybersecurity with additional phishing tests, new multifactor authentication initiatives, and improved network segmentation based on system and data criticality. ABC also re-evaluates its cyber insurance limits, as risk transfer has proven to be both critical and complementary to ABC’s risk mitigation efforts.

As part of this exercise, both Marsh and ABC review ABC’s cyber incident response plan. Like a number of its peers, ABC’s plan — while robust in many ways — did not specifically address a ransomware attack. But developing a plan specific to ransomware is critical to making timely decisions.

Working with Marsh and external partners, ABC is able to update its internal guidance around ransomware attacks, perform an IoC assessment, identify and document vulnerabilities or gaps, and review its backup strategy – and critically, align all key stakeholders around ABC’s strategies to manage the organization’s cyber risk. The bottom line: ABC is more confident, more aligned, better prepared, and better protected in the event of another ransomware attack in the future.

How Else Can Marsh Help You Manage Ransomware Threats?

Beyond providing support following an attack, Marsh can also help your organization address potential ransomware threats on an ongoing basis. We can offer:

  • Ransomware Insights: An intelligence briefing detailing the ransomware environment, your potential vulnerabilities, top attack vectors, best practices for you to follow, and potential cost estimates.
  • Insurance Program Design: Advice and guidance on key policy terms and conditions and program structures, insight into underwriters’ priorities and objectives, and aggressive marketing on your behalf.
  • Ransomware Readiness Assessment: A review of your current operations, with feedback and analysis based on best practices sourced from assessments of more than 1,400 businesses.
  • Cyber Financial Stress Test: An estimate of the potential total cost of a ransomware or other cyber incident on your organization, which can inform critical decisions about cyber insurance and risk management strategies and investments.
  • Cyber Incident Response Plan: Assistance in building or revising an existing plan to help you respond to a cyber event, with specific considerations for ransomware.
  • Cybersecurity Program Review: A review of an organization’s cybersecurity policies, plans, procedures, and training that culminates in a maturity assessment and actionable recommendations for improvement.

Reid Sawyer

Head, US Cyber Risk Consulting, Marsh

James Holtzclaw

Senior Vice President, Cybersecurity Consulting and Advisory Services, Marsh Risk Consulting (MRC)

Susan Young

Managing Director, Cyber Practice, Marsh US


Ransomware Revolution: The Rise of a Prodigious Cyber Threat, pp 65–91

Ransomware Case Studies

  • Matthew Ryan
  • First Online: 25 February 2021

Part of the Advances in Information Security book series (ADIS,volume 85)

This chapter examines four major ransomware cases, with the first major ransomware attack in 2013 being used as a template for developing an influx of attacks since 2016. The individual case studies were chosen based on their global impact on organisations and high-profile media reports surrounding the attacks. The case study analysis process analysed the attack methodology and the outcome of each attack to determine similarities and evolutionary changes between each subsequent attack. The analysis also sought to detail the method and sophistication level of each attack, the encryption process and request for payment. These components provide the foundation for further understanding the rising threat posed by ransomware in later chapters.


Note: Four case studies were deemed to be an appropriate number to accurately demonstrate the evolution of major ransomware attack profiles over a six-year period.

Note: In 2018, an FBI investigation into WannaCry identified Marcus Hutchins as MalwareTech. Whilst Hutchins was initially hailed as a hero for his role in stopping WannaCry, he was later arrested and pleaded guilty to developing the Kronos malware. Kronos was a piece of malware used to steal banking credentials. (See Winder 2019.)

Note: The term “crown jewels” is a cybersecurity term synonymous with high-value data and systems. The term broadly applies to an organisation’s high-value data which typically includes intellectual property, customer data and privileged user account information.

M. Alazab, Profiling and classifying the behavior of malicious codes. J. Syst. Softw. 100, 91–102 (2015)

R. Anderson, GameOver Zeus botnet disrupted: Collaborative effort among international partners, 7 Nov 2014

M. Anderson, ‘NotPetya’: Latest ransomware is a warning note from the future, IEEE Spectrum (2017). Available online: https://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future (accessed 22 Feb 2019)

Australian Tax Office, Scam alerts (2020). Available online: https://www.ato.gov.au/general/online-services/identity-security/scam-alerts/ (accessed 17 Aug 2020)

B. Bechtol, Enabling violence and instability, in North Korean Military Proliferation in the Middle East and Africa, vol. 44 (University Press of Kentucky, 2018)

C. Beek, Necurs Botnet leads the world in sending spam traffic, McAfee Labs (11 Mar 2018). Available online: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/necurs-botnet-leads-the-world-in-sending-spam-traffic/ (accessed 13 June 2018)

A. Berry, J. Homan, R. Eitzman, WannaCry malware profile, FireEye Threat Research (2017). Available online: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html (accessed 2 Jan 2019)

T. Bossert, Press briefing on the attribution of the WannaCry malware attack to North Korea, 19 Dec 2017

T. Brewster, Google warns ransomware boom scored crooks $2 million a month, Forbes (25 July 2017). Available online: https://www.forbes.com/sites/thomasbrewster/2017/07/25/google-ransomware-multi-million-dollar-business-with-locky-and-cerber/#758974576caf (accessed 17 Jan 2019)

E. Bursztein, K. McRoberts, L. Invernizzi, Tracking desktop ransomware payments, Black Hat, Las Vegas (2017)

S. Chow, Hacked: The Bangladesh Bank Heist, Al Jazeera (24 May 2018). Available online: https://www.aljazeera.com/programmes/101east/2018/05/hacked-bangladesh-bank-heist-180523070038069.html (accessed 13 Nov 2018)

C. Cimpanu, M.E.Doc software was backdoored 3 times, servers left without updates since 2013, Bleeping Computer (6 July 2017)

M. Conti, A. Gangwal, S. Ruj, On the economic significance of ransomware campaigns: A bitcoin transactions perspective. Comput. Secur. 79, 162–189 (2018)

Department of Homeland Security, Alert (TA17-132A): Indicators associated with WannaCry ransomware (12 May 2017)

P. Ducklin, “Locky” ransomware – what you need to know, Naked Security (2016). Available online: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/ (accessed 24 Feb 2019)

K. Eichensehr, Three questions on the WannaCry attribution to North Korea, Just Security (2017). Available online: https://www.justsecurity.org/49889/questions-wannacry-attribution-north-korea/ (accessed 10 June 2018)

N. Etaher, G. Weir, M. Alazab, From ZeuS to Zitmo: Trends in banking malware, in IEEE International Conference on Trust, Security and Privacy in Computing and Communications (Trustcom) (IEEE, Piscataway, 2015)

Federal Bureau of Investigation, FBI Alert – Identification of ransomware variant called Locky, 11 July 2016

L. Garber, Government officials disrupt two major cyberattack systems. Computer 47(7), 16–21 (2014)

A. Gazet, Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)

D. Gerstein, WannaCry virus: A lesson in global unpreparedness, RAND Blog (2017). Available online: https://www.rand.org/blog/2017/05/wannacry-virus-a-lesson-in-global-unpreparedness.html (accessed 3 June 2018)

A. Greenberg, The untold story of NotPetya, the most devastating cyberattack in history, WIRED (2018a). Available online: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ (accessed 23 Jan 2019)

A. Greenberg, The WannaCry ransomware hackers made some real amateur mistakes, WIRED (2018b). Available online: https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/ (accessed 5 June 2018)

A. Ivanov, O. Mamedov, ExPetr/Petya/NotPetya is a wiper, not ransomware, Securelist (2017). Available online: https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ (accessed 14 Dec 2018)

K. Jarvis, CryptoLocker ransomware, SecureWorks Threats & Defenses Threat Analysis (2013). Available online: https://www.secureworks.com/research/cryptolocker-ransomware (accessed 3 Jan 2019)

L. Kessem, The Necurs Botnet: A Pandora’s box of malicious spam, IBM Security Intelligence (24 Apr 2017). Available online: https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/ (accessed 22 Feb 2019)

M. Korolov, Ransomware took in $1 billion in 2016 – improved defenses may not be enough to stem the tide, CSO (5 Jan 2017). Available online: https://www.csoonline.com/article/3154714/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html (accessed 11 Feb 2019)

P. Kruse, Locky spreading through Facebook, Twitter (20 Nov 2016). Available online: https://twitter.com/peterkruse/status/800414481545187328 (accessed 2 Mar 2019)

E. Lucas, Cyberphobia: Identity, Trust, Security and the Internet (Bloomsbury Publishing, London, 2015)

L. Mathews, Boeing is the latest WannaCry ransomware victim, Forbes (2018). Available online: https://www.forbes.com/sites/leemathews/2018/03/30/boeing-is-the-latest-wannacry-ransomware-victim/#218e8ea96634 (accessed 1 June 2018)

D. Maynor, M. Olney, Y. Younan, The MeDoc connection, Cisco Talos (2017). Available online: https://blog.talosintelligence.com/2017/07/the-medoc-connection.html (accessed 22 Feb 2019)

A. McLean, WannaCry reportedly hitting speed cameras in Victoria, ZDNet (2017). Available online: https://www.zdnet.com/article/wannacry-reportedly-hitting-speed-cameras-in-victoria/ (accessed 2 April 2018)

A. McNeil, How did the WannaCry ransomworm spread?, Malwarebytes Labs (30 May 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ (accessed 10 June 2018)

D. Meyer, WannaCry ransoms suddenly leave attackers’ Bitcoin wallets, Fortune (2017). Available online: http://fortune.com/2017/08/03/wannacry-ransom-bitcoin/ (accessed 11 June 2018)

M. Molloy, Operation Tovar: The latest attempt to eliminate key botnets, FireEye Threat Research (2014). Available online: https://www.fireeye.com/blog/threat-research/2014/07/operation-tovar-the-latest-attempt-to-eliminate-key-botnets.html (accessed 13 Dec 2018)

National Audit Office, Investigation: WannaCry Cyber Attack and the NHS (National Audit Office, London, 2018)

National Health Service, Statement on reported NHS cyber-attack, 13 May 2017

L.H. Newman, The ransomware meltdown experts warned about is here, WIRED (2017). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/ (accessed 6 June 2018)

L.H. Newman, The leaked NSA spy tool that hacked the world, WIRED (2018). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/ (accessed 6 June 2018)

A. Palisse, H. Le Bouder, J.-L. Lanet, C. Le Guernic, A. Legay, Ransomware and the Legacy Crypto API, in The 11th International Conference on Risks and Security of Internet and Systems, Roscoff, France, 5–7 September 2016 (Springer, 2016)

D. Palmer, Locky ransomware: Why this menace keeps coming back, ZDNet (7 Sept 2017). Available online: https://www.zdnet.com/article/locky-ransomware-why-this-menace-keeps-coming-back/ (accessed 27 Feb 2019)

S. Ragan, Malicious images on Facebook lead to Locky ransomware, CSO (2016). Available online: https://www.csoonline.com/article/3143173/malicious-images-on-facebook-lead-to-locky-ransomware.html (accessed 14 Feb 2019)

O. Ralph, R. Armstrong, Mondelez sues Zurich in test for cyber hack insurance, Financial Times, New York (10–11 Jan 2019)

M. Rivero, Locky ransomware returns to the game with two new flavors, Malwarebytes Labs (25 Aug 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/ (accessed 25 Feb 2019)

J. Saarinen, Hackers launch massive Locky ransomware campaign, iTnews (1 Sept 2017). Available online: https://www.itnews.com.au/news/hackers-launch-massive-locky-ransomware-campaign-472295 (accessed 21 Feb 2019)

J. Shea, How is NATO meeting the challenge of cyberspace? PRISM 7(2), 18–29 (2017)

J. Smith, Hospital pays hackers $17,000 in Bitcoins to return computer network, ZDNet (18 Feb 2016). Available online: https://www.zdnet.com/article/hospital-pays-hackers-17000-in-bitcoins-to-return-computer-network/ (accessed 22 Feb 2019)

K. Sood, S. Hurley, NotPetya technical analysis – a triple threat: File encryption, MFT encryption, credential theft, CrowdStrike (29 June 2017). Available online: https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ (accessed 4 Mar 2019)

Symantec, Ransom.WannaCry (2017). Available online: https://www.symantec.com/security-center/writeup/2017-051310-3522-99 (accessed 7 June 2018)

A. Taylor, NotPetya Malware Attributed (16 Feb 2018)

S. Thakkar, Ransomware – Exploring the electronic form of extortion. Int. J. Sci. Res. Dev. 2(10), 123–126 (2014)

G. Troy, Locky ransomware attacks ramp up, AppRiver (28 Apr 2017). Available online: https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase (accessed 23 Feb 2019)

A. Winckles, Here’s how the ransomware attack was stopped – and why it could soon start again, The Conversation (2017). Available online: https://theconversation.com/heres-how-the-ransomware-attack-was-stopped-and-why-it-could-soon-start-again-77745 (accessed 21 Nov 2018)

D. Winder, WannaCry hero Marcus Hutchins pleads guilty to creating banking malware, Forbes (20 Apr 2019). Available online: https://www.forbes.com/sites/daveywinder/2019/04/20/wannacry-hero-marcus-hutchins-pleads-guilty-to-creating-banking-malware/#13f645a4513e (accessed 23 June 2019)

J. Wolff, You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (The MIT Press, Cambridge, 2018)

Author information

Matthew Ryan, Maroubra, NSW, Australia

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Ryan, M. (2021). Ransomware Case Studies. In: Ransomware Revolution: The Rise of a Prodigious Cyber Threat. Advances in Information Security, vol 85. Springer, Cham. https://doi.org/10.1007/978-3-030-66583-8_5

DOI: https://doi.org/10.1007/978-3-030-66583-8_5

Published: 25 February 2021

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-66582-1

Online ISBN: 978-3-030-66583-8


An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability


Lena Yuryna Connolly, David S Wall, Michael Lang, Bruce Oddson, An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability, Journal of Cybersecurity , Volume 6, Issue 1, 2020, tyaa023, https://doi.org/10.1093/cybsec/tyaa023


This study looks at the experiences of organizations that have fallen victim to ransomware attacks. Using quantitative and qualitative data of 55 ransomware cases drawn from 50 organizations in the UK and North America, we assessed the severity of the crypto-ransomware attacks experienced and looked at various factors to test if they had an influence on the degree of severity. An organization’s size was found to have no effect on the degree of severity of the attack, but the sector was found to be relevant, with private sector organizations feeling the pain much more severely than those in the public sector. Moreover, an organization’s security posture influences the degree of severity of a ransomware attack. We did not find that the attack target (i.e. human or machine) or the crypto-ransomware propagation class had any significant bearing on the severity of the outcome, but attacks that were purposefully directed at specific victims wreaked more damage than opportunistic ones.

In recent years, Europol’s annual Internet Organised Crime Threat Assessment report has consistently identified ransomware as a top priority; their latest bulletin states that ‘ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe’ [1]. Furthermore, as starkly evidenced by an international survey of 5000 IT managers, the incidence of ransomware attacks is growing exponentially [2]. Similar trends have been observed by government and law enforcement bodies [3, 4]. Ransomware attacks can potentially generate substantial financial rewards for offenders, but the ransom – which in most cases is not paid – is just a fraction of the overall cost of the attack in terms of reputational damage and loss of business [3, 5].

Since ransomware first arrived on the scene in a major way about the year 2013, the volume of academic literature produced on this topic has mushroomed. Important advances such as sophisticated detection methods and innovative intrusion prevention systems have been put forward. Organizations are advised to implement effective security education, introduce policies and technical controls, install antivirus software, promote strong e-mail hygiene, upgrade old systems, execute regular patching, apply the ‘least privileges’ approach, segregate the network perimeter and implement effective backup practices [6, 7]. Although the aforementioned types of work are of tremendous importance to a preventative strategy, they are not by themselves sufficient. This is because most of the research on ransomware to date has focused primarily on its technical aspects, with comparatively little attention being given to understanding the socio-technical side of the attack or the characteristics of organizations [8]. So, while there is a strong emphasis on developing ransomware countermeasures, there is a lack of studies that examine the real experiences of organizations that have actually fallen victim to ransomware attacks.

It may be tempting to assume certain things about what makes an organization more or less vulnerable to an attack, but we should not be so presumptuous. Although research on cybercrime victimization has significantly expanded over the past two decades, the majority of studies focus on individual-level offences such as online bullying, harassment and stalking. Holt and Bossler [9] make the point that for some types of cybercrime, such as malware and ransomware, our understanding of what causes individuals and organizations to fall victim is not well developed. Our work addresses this limitation by focusing on ransomware crime and collecting data from the actual victims of ransomware.

Generally, the risk of cybercrime victimization has been addressed by studying characteristics of the offender [10], the victim [11] and the crime itself [12]. Our article focuses on the latter two and is motivated by several calls in the literature to better understand typical victims of ransomware attacks, with a view towards developing solutions that prevent or mitigate this sinister problem [9, 13, 14].

To date, only a small number of studies have directly looked at the experiences of organizations that have fallen victim to ransomware. Of these few (see Table 1), the majority consider things at a rather cursory level. Our study, which is based on a substantial sample of 55 ransomware attacks and draws upon qualitative and quantitative data, helps to address this gap in the literature by presenting detailed findings on the antecedents and consequences of actual ransomware attacks within 50 organizations. Our objectives were to:

  • assess the degree of severity of ransomware attacks within organizations;
  • explore how characteristics of the organization and characteristics of the attack affect the severity of the outcome.

Table 1. Previous empirical studies of ransomware attacks on organizations.

Within the literature on cybercrime in general, there have been various efforts to understand the factors that make individuals more prone to becoming victims. Drawing upon Lifestyle Theory and Routine Activity Theory, Agustina [23] proposes several behavioural and environmental factors that should, in theory at least, elevate the risk of being victimized. In practice, however, as found by Ngo and Paternoster [24], these theories do not hold up to empirical scrutiny. Our work differs from these previous studies in two ways: first, we are looking not at cybercrime in general, but specifically at ransomware attacks; secondly, our focus is not on individual victims, but rather on organizations.

Although several reports [1–4] suggest that the number of ransomware attacks against businesses continues to rise steadily, it is hard to form any clear sense of the true extent of ransomware attacks. The difficulty of accurately measuring and comparing cybercrime rates has been remarked upon by Furnell et al. [25]. Statistics about the incidence of ransomware attacks vary wildly. In an international study based on 574 participants across 77 countries, BCI [26] reported that 31% of respondents had been afflicted by ransomware. In contrast, a large-scale survey of Internet users in Germany revealed that only 3.6% of individuals had suffered a ransomware attack [27]. Simoiu et al. [5] estimated that about 2–3% of their sample of 1180 American adults were hit by ransomware between 2016 and 2017. Similarly, Ioanid et al. [20] reported that 2% of their sample of 103 Romanian small-to-medium enterprises (SMEs) were affected by the WannaCry attack that year. Against those low incidence rates, Hull et al. [18] found that as many as 61% of UK respondents had experienced at least one attack, and Shinde et al. [19] reported that 20% of respondents to their survey in the Netherlands were victims of ransomware, although it must be acknowledged that both those studies were based on quite small samples. All of these conflicting survey findings create a rather muddled picture. This, of course, can be put down to differences in sampling methods, response rates, temporal factors and units of analysis, but our essential point is this: it is generally agreed that ransomware presents a grave threat and has adversely affected many organizations, yet we know very little about the experiences of organizations that were attacked or the root causes that left them open to a successful violation.

There are very few empirical studies of the impact of ransomware within organizations or the factors that make organizations vulnerable. Al-Rimy et al . [ 28 ] present a literature survey of ransomware threat success factors, but the scope of their work extends only to infection vectors and enabling technologies (i.e. cryptography techniques, payment methods, ransomware development kits). They do not consider any organizational or socio-technical factors.

Our extensive search of the literature revealed just a handful of studies that looked directly at the experiences of organizations that were victims of ransomware (see Table 1 ). To summarize the key findings of these studies: ransomware attacks had major financial and emotional impact on victims, and the common factors that led to the attacks seemed to be a lack of security education or diligence, with organization type and size also emerging as possible factors impacting the likelihood of an attack.

Byrne and Thorpe [ 21 ] observe that ‘there is a gap in the literature with regards to examining the issue [of ransomware] from a company's perspective and that of its user base.’ Our study aims to make a contribution towards addressing this gap. In the next sections, we present a number of factors that we believe might affect the vulnerability of an organization to a ransomware attack, as well as characteristics of the attack weapon and method that could affect the severity of impact.

Organization characteristics: size and sector

As with so much of the reported facts and figures pertaining to ransomware, there is disagreement as to whether an organization’s size makes it more or less susceptible to attack. An international survey conducted by BCI [ 26 ] found that ransomware attacks are a substantially more common problem for large enterprises than they are for SMEs. However, contradictory findings are reported by Beazley [ 27 ] who state that SMEs were disproportionately hit by ransomware attacks in 2018, with 71% of all infections occurring within such organizations.

Many SMEs based in the UK believe that they are not likely to be targeted by ransomware attacks; while they place high value on the importance of IT to their business, they are generally not worried about the threat of data loss [ 29 , 30 ]. SMEs, by their entrepreneurial nature, are more likely to engage in risk-taking behaviour [ 31 ]. However, SMEs may underestimate the value to hackers of their information systems and may not realize that they could be targeted as a hop to gain entry into their partners’ networks. As Smith [ 32 ] puts it, ‘even if you think your company has nothing worth stealing, losing access to all your data is no longer an unlikely event.’ Kurpjuhn [ 33 ] makes the point that SMEs must accept that they are exposed to similar levels of risk as large enterprises but have lower budgets and lesser resources to address those risks.

An argument could be made that larger organizations, simply because they employ more people, are at greater risk of infection due to human error; it only takes one reckless act by a single individual to compromise an entire network. Although not quite the same thing, Bergmann et al . [ 34 ] found no correlation between the size of a household and the rate of cybercrime victimization experienced by members of that household. How that finding would scale up to larger units in a non-domestic setting is a matter of conjecture, but it seems reasonable to assume that the potential for human error increases relative to the size of the unit.

Hypothesis 1a: An organization’s size influences the impact severity of a ransomware attack.
Hypothesis 1b: An organization’s sector influences the impact severity of a ransomware attack.

Security posture

Because ransomware combines technical and social characteristics to create its impact, we explore the organizational victim responses to attacks through the lens of ‘security posture’. Security posture is defined as ‘the security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes’ [ 36 ]. Prior research into ransomware attacks on organizations shows that a lack of basic security practices, or failure to comply with them, was a common failing [ 15 , 18 ]. Organizations that do not have adequate and effective backup strategies are much more likely to end up having to pay the ransom to retrieve their data [ 15 , 28 ]. Connolly and Wall [ 8 ] developed a taxonomy of ransomware countermeasures, emphasizing a multi-layered approach in protecting organizations against ransomware.

While technical defence mechanisms are very important, so too is individual behaviour and good ‘online lifestyle’. Inadequate care by employees when choosing to open e-mail attachments or hyperlinks, downloading ‘free’ versions of software or cracked games, browsing adult content or illegal sports live streams, and installing apps from untrusted sources are all examples of poor online hygiene that can increase the risk of a ransomware infection. Riglietti [ 28 ] observed that ‘looking at what users say, avoiding infection appears to be a matter of spreading the right security culture within an organisation rather than a technical issue.’ A key part of this is education and awareness [ 37 , 38 ]. In their studies of ransomware victims, Shinde et al . [ 19 ] and Zhang-Kennedy et al . [ 27 ] both observed a tendency by employees to assume that cybersecurity was essentially the responsibility of the IT Department. While it is to be expected that the IT Department should take the lead on security and actively promote a strong posture, there is an onus on individuals to utilize good personal security practices and not engage in irresponsible behaviour.

Hypothesis 1c: An organization’s security posture influences the impact severity of a ransomware attack.

Crypto-ransomware propagation class

Because crypto-ransomware acquired the ability to propagate across networks only after 2013, we created a simple taxonomy according to degree of infectiousness (see Table 2 ). Different propagation classes of crypto-ransomware may have a lesser or greater effect on the outcome of an attack as a result of how far the infection spreads.

Table 2. Classification by crypto-ransomware propagation

What we term ‘Generation I’ crypto-ransomware was not particularly effective in extorting money due to several technological shortcomings, such as the use of easy-to-break encryption, inefficient management of decryption keys and limited propagation capabilities. It is highly likely that Generation I variants are obsolete.

We refer to variants such as CryptoWall, CryptoLocker and CryptoDefence as ‘Generation II’. These forms of ransomware initially penetrate networks via desktops or laptops and subsequently take advantage of the local user security context to spread via network paths, encrypting network shares that the user has ‘write’ access to. They can also encrypt devices physically connected to the infected machine.

What we refer to as ‘Generation III.a’ malware are those such as Samas and BitPaymer that tend to breach networks via vulnerabilities found in servers [e.g. a weak password in Remote Desktop Protocol (RDP)]. Once inside the server, attackers manually and/or automatically search for various weaknesses within the network (e.g. poor authentication controls, a flat network structure, the lack of network visibility and detection mechanisms). Such vulnerabilities permit attackers to stay undetected and hijack multiple devices and the entire network in some cases. Crypto-worms like WannaCry (‘Generation III.b’ in our classification) have a similar devastating effect, the chief difference being that they take advantage exclusively of software vulnerabilities in order to propagate.

Hypothesis 2a: The crypto-ransomware propagation class influences the impact severity of a ransomware attack.

Attack type and target

Hypothesis 2b: The attack type, i.e. opportunistic or targeted, influences the impact severity of a ransomware attack.
Hypothesis 2c: The attack target, i.e. human or machine, influences the impact severity of a ransomware attack.

This study used a mixed methods approach following an exploratory sequential design [ 43 ]. Phase 1 was qualitative. In order to assess the degree of severity of ransomware attacks (our first objective), we required a measurement instrument. A literature search revealed that there are no readily available tools for this particular purpose. Since crypto-ransomware incidents entail some unique consequences (e.g. encrypted data, disabled systems), we could not use substitutes from other cybercrime studies; the assessment instrument had to be specific to crypto-ransomware attacks. Hence, the aim of Phase 1 was to inductively develop an Impact Assessment Instrument (grounded in empirical data) that can be used to effectively evaluate the severity of crypto-ransomware attacks on organizations in our sample. In Phase 2, we gathered additional quantitative data so as to be able to statistically test our hypotheses.

The Ethics Committee at the University of Leeds approved this research. Consent forms were signed by all study participants. All necessary precautions were followed to ensure the anonymity of study participants and the confidentiality of collected data. The majority of participants were from the UK but there were also a few from North America. Where the names of organizations are subsequently referred to in this article, aliases are used to protect the anonymity of respondents (see Appendix 1 ). Additionally, interviewees from UK Police Cybercrime Units are given the aliases of CyberRM, CyberLM, CyberTL, CyberBR, CyberBL, CyberTR and CyberCU. Incidents took place between 2014 and 2018.

Sampling strategy and data collection

A purposeful sampling approach was employed to collect data in Phase 1. We conducted 10 semi-structured interviews with professionals from organizations that became victims of ransomware attacks. Interviewees were IT/Security Managers and Executive Managers with an average of 17 years of professional experience. There was one respondent per organization. Since some organizations were attacked more than once, accounts of 15 ransomware incidents were elicited from 10 organizations. Appendix 1 (the first 15 incidents) contains information about the characteristics of the attacks and organizations interviewed in Phase 1.

In order to enhance the reliability and richness of the data, we sought access to individuals who had direct experience of responding to crypto-ransomware incidents. For the incidents themselves, the key selection criterion was to include a range of consequences for the victims, from low severity (e.g. minimal disruption to business, minimal loss of information, swift recovery) to high impact (e.g. business disruption that lasted for several months, significant loss of critical information, slow recovery).

An interview guide was designed to learn about participants’ perceptions of the attacks’ impact and the factors that aggravated or moderated the consequences of these incidents. This exercise guided the development of the Impact Assessment Instrument. Since we planned to reuse these initial 15 cases in the Phase 2 analysis, we also collected profile information about the organizations (e.g. size, sector and industry), the causes of the crypto-ransomware attacks, information about security postures and characteristics of the attacks (e.g. attack type, crypto-ransomware propagation class and attack vector). Sample interview questions are provided in Appendix 2 . Six interviews were conducted face-to-face, three via Skype with overseas respondents and one via e-mail correspondence.

The decision to stop data collection in qualitative research is made when additional insights are not emerging with new observations. This point is typically achieved after a dozen or so observations [ 44 ]. We felt that after examining about 10 ransomware incidents, the incremental learning stopped. But to ensure that the point of ‘theoretical saturation’ is sufficiently reached, we collected data on 15 cases in total.

Impact Assessment Instrument development (qualitative data analysis)

An inductive content analysis method was used to analyse data and develop the Impact Assessment Instrument. Within the interview transcripts, the impact of crypto-ransomware incidents emerged as a major topic. Interviewees eagerly described their experiences of being attacked, particularly focusing on the consequences of crypto-ransomware attacks. For example, respondents from GovSecJN, EducInstFB, LawEnfM, GovSecA and HealthSerJU spoke in great detail about the despair and distress they experienced. An IT/Security Manager from GovSecJN, a large public sector organization, explained how business continuity disruption affected them:

There was an impact on service delivery – we could not do what we were supposed to do. It was significant for us. Besides, all our resources were directed towards the incident instead of doing our job.

An IT/Security Manager from LawEnfJU reported a similar experience:

Ransomware encrypted all of our data files, which, in effect, took the agency offline for about 10 days. This was extremely critical as we could not do our job. We had the server up-and-running in 10 days and then it took another 10 days to manually re-enter all data. So, the attack critically affected the operations of the department for about 20 days … . The overall impact of this attack was severe, definitely.

An Executive Manager from EducInstFB, a large public organization, shared with us that a Generation III.a crypto-ransomware encrypted hundreds of machines (desktops, laptops and servers). As a result, several critical business functions were disabled and important data were inaccessible. The victim disclosed that various security holes – including ineffective backups, poor patching regimes, the lack of network visibility and feeble access control management practices – led to infection and subsequent dramatic consequences.

GovSecA, a large public organization, suffered an unprecedented attack by Generation III.a crypto-ransomware in which close to 100 servers were encrypted, affecting the operations of the organization for months. Most importantly, the victim lost a lot of critical data because they only had partial backups. At the time of the interview, 8 months after the attack, post-attack recovery was still not complete. An IT/Security Manager from GovSecA described their experience as follows:

We all came back to work on Tuesday morning after a bank holiday weekend and the sun was streaming in through the windows. The cleaners have been in, the office looked great. Everyone felt refreshed after the long weekend. And it took a while for us to realise what happened; that all computing had been turned to stone [encrypted]. Virtually nothing was left untouched. If half of the building had fallen off, you would understand that something has happened. But everything looked great. But it was not – the organisation could not operate.

An Executive Police Officer from LawEnfM, a public SME, described how the organization suffered two ransomware attacks within 2 weeks, affecting critical data:

We are a full-service law enforcement agency and we have a wide variety of data, some of which is very sensitive. For example, data relevant to criminal incidents like manslaughter cases, child pornography, child sex cases. Several months worth of this data was encrypted, which was pretty significant to us … . While we were recovering after the first attack, we were very unfortunate to get infected by ransomware again.

Comments such as in these few selected excerpts featured regularly in the interviews. We observed that when victims described the impact of ransomware attacks, they focused on factors such as business continuity disruption, recovery time, the number of devices affected, how critical encrypted information was to business and information loss.

By contrast, interviewees from LawEnfJ and GovSecJ talked about factors that saved the organization from far worse outcomes and emphasized that organizations must be prepared for these attacks or suffer severe consequences. For example, an IT/Security Manager from LawEnfJ, a public SME, shared the following:

We practice good basic security principles. We have backups in multiple locations … . It comes down to basics like staying up to date with industry. Just recently we went through this massive patching for Intel processors and other processes that could be leveraged into a whole host of attacks … . We were well-prepared for the attack … . We restored everything over a weekend. We were infected on Friday and back up-and-running on Monday.

Similarly, an IT/Security Manager from GovSecJ, a large public organization, explained how they were able to recover with little inconvenience:

An Incident Management Plan is crucial during cyber-attacks. Instead of running around with our hands up in the air, screaming for help, our response was logical and structured … . We lost some data due to incremental backups but nothing significant that would have stopped an organisation from functioning … . The infection took place at approximately 9 in the morning. By the end of the day, data was restored, and everything was back to normal.

As a result of our data analysis in Phase 1, five categories of negative outcomes emerged from the data, namely ‘business continuity disruption timeline’, ‘recovery time’, ‘affected devices’, ‘encrypted information critical to business’ and ‘information loss’. Under each of these categories, the data enabled us to build impact descriptors ranging across three degrees of severity (low, medium and high). In Table 3 , we present the severity descriptors for the five impact categories and corresponding attacks.

Table 3. Impact Assessment Instrument and corresponding victims

Given the broad range of organization types and sectors in our sample, we anticipated that it would be difficult to arrive at a consensus on what constitutes ‘Low’, ‘Medium’ and ‘High’ levels of severity. For example, an outcome that might be regarded as being of ‘Low’ severity by one respondent could possibly be regarded as ‘High’ by another, depending on the nature of their business and level of dependency on critical IT systems. However, there was a remarkable degree of consistency among the respondents. There is a general acceptance that any ransomware attack, however minor, is likely to result in an interruption of at least a few days rather than hours. Thus, recovery times and business continuity disruption of a number of days (up to a week) were rated as being on the ‘Low’ end of the spectrum because, although any disruption is traumatic, in relative terms that is the least amount of time that is expected to be lost. As one interviewee put it,

Considering the impact and seriousness of the ransomware, it is going to sound strange, but I think that to only lose twelve hours worth of data is an acceptable outcome. If we had not backed up, we would have lost 47,000 files, clearly that would have been a far more significant issue. (IT/Security Manager, GovSecJN)

The Impact Assessment Instrument presented in Table 3 is derived from empirical data and reflects the actual consequences of crypto-ransomware attacks as described by the victims. All five of the items shown in the table are components of the overall severity of a ransomware attack. Because the five items are measured on a three-point ordinal scale, as opposed to a multiple-point continuous scale, we used the ordinal alpha coefficient [ 45 ] to test for internal reliability. The value for ordinal α = 0.96 which indicates a high degree of agreement between the five items.

To compute a composite score for overall severity, we considered using the average or median of the five items but decided to use the maximum. The logic behind this reasoning is that if any of the items is evaluated as ‘High’, it means that the attack represented a serious shock to the organization with major consequences. Therefore, a ‘High’ severity value for any single item trumps all the others, even if they all have lesser values. This also gets around the aforementioned problem whereby the assessment instrument might misevaluate a particular item as ‘Low’ when in fact, because of the organization’s circumstances, it should be ‘High’; in such cases, the likelihood is that at least one other item would have a ‘High’ rating and hence the overall severity would correctly be evaluated as ‘High’.

Next, using the Impact Assessment Instrument shown in Table 3 , we analysed all of the initial 15 cases (interview transcripts) to determine the extent of the attack impact, assigning a degree of severity to each of the five impact items for every case. An exemplar of this assessment exercise is provided in Appendix 3 .

We were conscious of the limitation that the initial version of the Impact Assessment Instrument was based on data collected from 10 public organizations, with no private businesses. To remedy this, as we collected data on a further 45 cases, including both public and private organizations, we asked interviewees to assess the severity of ransomware attacks using our scale (i.e. low, medium, high) and comment on the reasons for their answer. The purpose of this exercise was to validate our instrument and confirm that the categories that emerged initially were relevant across the whole sample. We also validated the instrument by consulting with experienced police officers. We found that the instrument gave a reliable measure of the severity of an incident as perceived by the victim.

In order to test our hypotheses, we needed to collect more data on crypto-ransomware incidents. It has been widely acknowledged that collecting data on cyberattacks is extremely difficult. In Phase 1, it took us over 6 months to find organizations that were willing to share sensitive matters relevant to the attacks. We therefore approached data collection differently in Phase 2, seeking out police officers from UK Cybercrime Units who had extensive experience in dealing with crypto-ransomware attacks. Such experience mainly included helping organizations to respond effectively to attacks, understanding what caused them, providing emotional support to victims where necessary and offering post-attack advice. Our expectation was that each police officer would be able to provide relevant information on several ransomware incidents at a time, which would make the process of data collection more manageable.

We succeeded in connecting with 10 police officers (four Detective Sergeants and six Detective Constables) and 1 Civilian Cybercrime Investigator, who provided information on 22 usable ransomware incidents via semi-structured interviews and one focus group. Two police officers were interviewed twice as they were able to add new information. The average professional experience of the study respondents was 19 years. We also collected data on 22 more cases from a Detective Inspector who was not able to meet with us face-to-face but agreed to provide data via a structured questionnaire (sent over e-mail). Additionally, we interviewed an IT/Security Manager with over 20 years of professional experience, which added one final case to our database of ransomware incidents. Relevant information is available in Appendix 1 (Cases 16–60). Due to the aforementioned access constraints, a snowballing technique was used to collect data for Phase 2.

The questionnaire and second phase interview guide (see Appendix 4 ) were based on the Impact Assessment Instrument and hypotheses. We asked questions that would help us to assess the impact of an attack. We also collected profile information on organizations (e.g. size, sector and industry) and characteristics of attacks (e.g. attack type, crypto-ransomware propagation class and attack target). Additionally, we included questions that would help us classify the security posture of each organization. For this purpose, we used the taxonomy of crypto-ransomware countermeasures developed in our previous work [ 8 ]. The headings from this taxonomy served as a guide for questions. Therefore, in order to assess the security posture of victim organizations, we asked interviewees about security education, policies and practices, technical measures and network security, the incident response strategy and the attitudes of management towards cybersecurity (see Appendix 5 ).

Overall, 45 additional cases of ransomware attacks were examined in Phase 2, bringing the total to 60 cases. For five of the 60 cases, there was insufficient data to be able to determine the overall impact severity, so those cases were discarded as being unusable, leaving us with 55 usable cases. Although a snowballing technique was used to collect data in Phase 2, our overall sample included organizations of different sizes and from different sectors. Attacks were recorded against both humans and machines by different crypto-ransomware propagation classes. Different levels of security posture were noted among participants, ranging from weak to strong. Finally, the sample contained opportunistic attacks as well as targeted ones.

For a few of the cases, we did not have values for all of the five items in the Impact Assessment; in those cases, we evaluated the overall impact based on the maximum of the items for which we had values, supported by an inspection of qualitative data from those cases. We found that this method of computing the composite score for overall severity gave the most accurate results, as validated using participants’ personal assessment of the attack impact and our own judgement based on what we gleaned from interviews. Results of the assessment exercise are available in Table 4 .
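The scoring rule described above (five ordinal items, composite severity equal to the highest rated item, unrated items ignored, a case with no rated item treated as unusable) implemented as an added example. This is not the authors' code; the category names, the 1/2/3 encoding of Low/Medium/High and the constructed incidents in the usage block are assumptions made here for illustration, not cases from the study.

```python
"""Composite severity scoring with the Impact Assessment Instrument.

Added example, not the authors' code. Assumptions: the five impact categories
named in the text, each rated Low/Medium/High (treated as an ordinal 1/2/3
scale); the composite is the maximum of the rated items; unrated items are
ignored; a case with no rated item at all is unusable, as the paper treated
its five discarded cases. Sample incidents below are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

CATEGORIES = (
    "business_continuity_disruption",
    "recovery_time",
    "affected_devices",
    "encrypted_info_critical",
    "information_loss",
)
SCALE = {"low": 1, "medium": 2, "high": 3}          # ordinal encoding (assumed)
LABEL = {v: k for k, v in SCALE.items()}

Case = Dict[str, Optional[str]]   # item name -> "low"/"medium"/"high" or None


def composite_severity(ratings: Case) -> Optional[str]:
    """Return the composite severity (maximum of rated items) or None if nothing was rated."""
    unknown = set(ratings) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown impact item(s): {sorted(unknown)}")
    rated: List[int] = []
    for value in ratings.values():
        if value is None:                 # missing answer: excluded, not treated as Low
            continue
        key = value.lower()
        if key not in SCALE:
            raise ValueError(f"rating must be low/medium/high, got {value!r}")
        rated.append(SCALE[key])
    if not rated:
        return None                       # no item rated: case is unusable
    return LABEL[max(rated)]              # a single High trumps everything else


def usable_cases(cases: Iterable[Case]) -> List[Case]:
    """Drop cases for which no composite severity can be determined."""
    return [c for c in cases if composite_severity(c) is not None]


def item_frequencies(cases: Iterable[Case]) -> Dict[str, Dict[str, float]]:
    """Per-item Low/Medium/High counts and response rate (the shape of the paper's Table 4)."""
    cases = list(cases)
    n = len(cases)
    table: Dict[str, Dict[str, float]] = {}
    for cat in CATEGORIES:
        counts = Counter(c[cat].lower() for c in cases if c.get(cat) is not None)
        answered = sum(counts.values())
        table[cat] = {
            "low": counts["low"],
            "medium": counts["medium"],
            "high": counts["high"],
            "response_rate": answered / n if n else 0.0,
        }
    return table


if __name__ == "__main__":
    # Constructed incidents (not study data): a fully rated low-impact case,
    # a partially rated severe case, and a case with no usable ratings.
    quick_recovery = {c: "low" for c in CATEGORIES}
    servers_encrypted = {**{c: "high" for c in CATEGORIES}, "recovery_time": None}
    no_data = {c: None for c in CATEGORIES}
    for case in (quick_recovery, servers_encrypted, no_data):
        print(composite_severity(case))
    print(item_frequencies(usable_cases([quick_recovery, servers_encrypted, no_data])))
```

Excluding unrated items (rather than defaulting them to Low) matters because the composite is a maximum: a missing answer must never lower the score, and a case with nothing rated must be flagged rather than silently scored as Low.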

Table 4. Impact Assessment Instrument and observed frequencies among respondents (n = 55)

Note: Overall n = 55 but item response rates ranged from 85% (47) to 96% (53).

Quantitative data analysis

Overall, our sample included 50 organizations of different sizes, sectors (i.e. public or private) and industries (55 usable cases of crypto-ransomware attacks). In total, 35 (70%) of the organizations were SMEs, while 15 (30%) were large organizations. We used the European Commission guidance to define organization size [ 46 ]. The industries were broad and varied, including IT, government, law enforcement, education, healthcare, financial services, construction, retail, logistics, utility providers and several other categories. Of the 50 organizations, 19 (38%) were in the public sector and 31 (62%) were in the private sector. Five (10%) were located in North America and 45 (90%) in the UK (see Appendix 7 ). Security postures were determined for 34 of the 50 organizations (see Table 5 ). Twenty organizations (59%) had a weak security posture, 13 (38%) had a medium security posture and only one had a strong posture. We used the criteria outlined in Appendices 5 and 6 to assess the security postures of organizations.

Table 5. Cross-tabulations for Hypotheses 1a, 1b and 1c

Note: * P < 0.05; *** P < 0.001.

Except where otherwise stated, the hypotheses were assessed using two-sided Fisher’s Exact tests. The size of our sample provides acceptable power to detect moderate-to-large relationships between categorical variables using this technique. Where data was missing, cases were excluded; the number of relevant cases ( n ) is stated in the results of each test.
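An added example (not the authors' analysis code) of the test used here: Fisher's exact test for a 2 x c cross-tabulation, computed by enumerating every table with the observed margins and summing the probabilities of those no more likely than the observed table, which is the Freeman-Halton extension used for tables larger than 2 x 2 such as the paper's two-group by Low/Medium/High cross-tabs. The counts in the usage block are constructed to illustrate the call; the paper does not report its raw cell counts.

```python
"""Fisher's exact test for a 2 x c contingency table (Freeman-Halton form).

Added example, not the paper's analysis code. Rows are the two groups being
compared (e.g. SME vs. large, public vs. private), columns the outcome levels
(e.g. Low/Medium/High severity). Every table with the observed row and column
totals is enumerated; the two-sided p-value is the total probability of all
tables at most as probable as the observed one. Sample counts are constructed.
"""
from itertools import product
from math import exp, lgamma
from typing import List, Sequence


def _log_fact(n: int) -> float:
    return lgamma(n + 1)


def _log_table_prob(table: Sequence[Sequence[int]], row_tot, col_tot, n: int) -> float:
    # P(table | margins) = (prod r_i! * prod c_j!) / (N! * prod n_ij!)
    lp = sum(_log_fact(r) for r in row_tot) + sum(_log_fact(c) for c in col_tot) - _log_fact(n)
    lp -= sum(_log_fact(x) for row in table for x in row)
    return lp


def fisher_exact_2xc(table: Sequence[Sequence[int]]) -> float:
    """Two-sided exact p-value for a 2 x c table of non-negative integer counts."""
    if len(table) != 2 or len(table[0]) != len(table[1]):
        raise ValueError("expected a 2 x c table")
    if any(x < 0 for row in table for x in row):
        raise ValueError("counts must be non-negative")
    row_tot = [sum(r) for r in table]
    col_tot = [sum(col) for col in zip(*table)]
    n = sum(row_tot)
    if n == 0:
        return 1.0
    lp_obs = _log_table_prob(table, row_tot, col_tot, n)
    p = 0.0
    # Enumerate the first row; the second row is fixed by the column totals.
    for top in product(*(range(c + 1) for c in col_tot)):
        if sum(top) != row_tot[0]:
            continue
        bottom = [c - t for c, t in zip(col_tot, top)]
        lp = _log_table_prob([list(top), bottom], row_tot, col_tot, n)
        if lp <= lp_obs + 1e-9:          # tolerance for floating-point ties
            p += exp(lp)
    return min(p, 1.0)


def high_severity_share(row: Sequence[int]) -> float:
    """Fraction of a group's cases in the last (High) column, as quoted in the results."""
    total = sum(row)
    return row[-1] / total if total else 0.0


if __name__ == "__main__":
    # Constructed counts (Low, Medium, High) for two groups; not the study's data.
    cross_tab: List[List[int]] = [[6, 4, 12],   # group A
                                  [2, 3, 14]]   # group B
    print("share high:", high_severity_share(cross_tab[0]), high_severity_share(cross_tab[1]))
    print("Fisher exact P =", round(fisher_exact_2xc(cross_tab), 3))
```

For the study's sample sizes the enumeration is small (a 2 x 3 table with margins in the tens yields at most a few thousand candidate tables), so the exact test runs instantly and avoids the chi-square approximation, which is unreliable when expected cell counts are below five.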

We found that the degree of severity of a ransomware attack did not vary by organizational size, P = 0.542. Indeed, the majority of attacks in both SMEs and large organizations were of high severity (57% and 53%, respectively).

The severity did, however, vary according to organizational sector. Private organizations were considerably more likely than public organizations to experience serious negative consequences as a result of ransomware attacks, P = 0.044. Of the private organizations, 68% were hit by attacks of the highest severity, whereas a much lower percentage (37%) of public organizations were as badly affected. This finding supports Hypothesis 1b.

Most tellingly, impacts also varied with organizational security posture, such that those organizations with weak security postures were far more likely to experience a severe impact than were those with medium or strong postures, n  = 34, P < 0.001. Of the organizations that had a weak posture, 80% had been hit by ransomware attacks of high severity. Thus, Hypothesis 1c is also supported.

Post hoc, we found that security posture did not differ according to organization size, with the majority of organizations – 57% of SMEs and 64% of large organizations – having a weak security posture. However, when looking at the relationship between organization sector and security posture, a significant difference ( P = 0.035) was observed. Public organizations had considerably stronger security postures than those in the private sector. This may partly explain why the impact of attacks on public sector organizations was not as severe.

As can be seen in Appendix 1, the 50 organizations spanned 23 different industries (i.e. financial services, healthcare, retail, etc.) so it was not meaningful to conduct correlation analysis on this variable as the numbers were spread too thin. However, one observation that stands out is that of the seven respondents from the IT industry, six of them (86%) experienced attacks of high severity. This is above average and somewhat surprising, although with such a small sub-sample it is not possible to draw reliable inferences.

Looking then at the crypto-ransomware propagation classes, 32 (58%) were of type Generation II, while 23 (42%) were of type Generation III (Generation III.a and Generation III.b classes were merged in data analysis due to similar propagation characteristics). In total, 38 attacks (72%) were opportunistic and 15 (28%) were targeted. Twenty-five attacks (47%) were targeted at humans and 28 (53%) aimed at machines (see Table 6).

Table: Cross-tabulations for Hypotheses 2a, 2b and 2c (the table body is not reproduced in this extract). Significance marker: P < 0.1.

The degree of severity did not vary with the crypto-ransomware propagation class (i.e. Generation II vs. Generation III), n = 55, P = 0.334, nor with the attack target (i.e. human vs. machine), n = 53, P = 0.813.

The type of the attack (opportunistic vs. targeted) was also considered. Targeted attacks were more likely than opportunistic ones to lead to severe consequences, n = 53, P = 0.063. Of the targeted attacks, 80% gave rise to impacts of high severity, whereas a considerably lower proportion of opportunistic attacks (45%) had high negative consequences. This difference is statistically significant (Mann–Whitney U = 177, P = 0.02) so we are inclined to accept Hypothesis 2b.

Post hoc, companies with a weak posture were much more likely to be targeted via machine vulnerabilities as a point of entry, whereas companies with medium or strong security postures were more likely to be attacked via social engineering tricks (n = 34, P = 0.019). We also observed that 91% of targeted attacks were against organizations that had a weak security posture. Table 7 summarizes the results of the hypothesis tests.

Table 7: Results of hypothesis tests (the table body is not reproduced in this extract).

Organization size does not matter, ransomware is indiscriminate

Within the observed sample, organization size, by itself, did not affect the severity of attacks. As outlined in ‘Organisation characteristics: size and sector’ section, prior findings and opinions on the relationship between organization size and the incidence of ransomware attacks are rather inconsistent, with some saying that ransomware is mainly a problem for large enterprises and others saying that SMEs make up the bulk of the victims. Of the organizations that we observed, SMEs and large organizations were similarly impacted by ransomware attacks and in most cases the impact felt was of high severity. This result is consistent with interpretations expressed by police officers from UK Cybercrime Units:

Ransomware is indiscriminate. It does not choose its victims. It chooses computers and those computers can be owned by anybody. (Detective Sergeant, CyberBL)

Ransomware does not target organisations of a particular size. All organisations, small, medium and large, are equally affected. (Detective Sergeant, CyberRM)

We observed several large organizations that experienced severe consequences of crypto-ransomware attacks (e.g. EducInstFB, GovSecA, HealthSerJU, SportClubJ, etc.) as well as SMEs (e.g. LawEnfJU, LawEnfF, ITOrgA, ConstrSupA, etc.). Therefore, regardless of how large or small an organization is, there is no room for complacency. SMEs often baulk at spending their limited funds on IT security measures, weighing things up on the basis of the financial cost of countermeasures vs. the expected probability and expected impact of an attack [30]. While we cannot offer any insights into the probability of an attack, we can speak about impact. Our findings show that if an organization has weak defence mechanisms, then regardless of whether it is an indigenous start-up or a large multi-national corporation, it is likely to experience very severe consequences in the event of a ransomware attack, such as having critical systems knocked out, heavy data losses and major disruptions of several weeks or more.

Private sector organizations are more likely to experience severe effects

Private sector organizations were more likely to report severe impacts than were those in the public sector in the sample observed in this study. This finding can be explained by the very nature of public organizations as compared to private businesses. Public sector organizations are generally state-owned with an obligation to provide some universal service such as healthcare, education, policing, or civic administration. The private sector, on the contrary, is mainly composed of organizations whose ultimate purpose is not to serve the public but to generate profit. Cyberattacks on profit-driven organizations normally lead to substantial financial losses, reputational damage and loss of customers; the series of security breaches on TalkTalk is one such example [47]. If public organizations such as councils, state agencies and police departments experience a cyberattack, they may lose public confidence, but as sole suppliers they are not going to lose customers or revenue as they are publicly funded. As an IT/Security Manager from GovSecJN (a public organization fully funded by the UK government) explained:

Yes, there was a financial impact because resources were directed towards dealing with the cyber-attack. But it is difficult for us to quantify the financial impact … . The impact is different for us. It is the impact on service delivery to public. How we care for children. How we care for adults. Even road potholes – people could not report potholes because our systems were down.

Information from interviews with police officers working in the UK Cybercrime Units confirmed our impression that private sector organizations suffer more severe consequences; e.g. a specialist detective within the CyberTL unit told us based on his extensive experience that:

Cybercriminals know that the private sector depends on customer service. They know that these organisations will pay. Especially, we find that a lot of IT companies have been hit. I do not think this is because IT companies are more prone to targeting. It is just because when they are hit by ransomware, it is so much more devastating for them due to their dependency on customers.

This observation is in line with our finding that 86% of respondents from the IT industry experienced attacks of high severity. However, it should be noted that our sample is based on attack victims only and is not representative of the number of potential organizations in each industry. Additionally, public or semi-public institutions may experience an equivalent attack as being less critical simply because they are not in competition with other providers.

Against the threat of ransomware, a vigilant security posture is vital

Our hypothesis that there is a relationship between organizational security posture and attack severity was supported. Most specifically, a weak security posture leads to a preponderance of very severe attacks. This suggests that the attacks were detected late, handled badly, or inadequately isolated. Although this observation is relevant to any type of cybercrime, successful ransomware attacks entail unique and rather devastating consequences such as disabled systems, encrypted data and, subsequently, halted business operations. A security weakness that could be easily fixed might cause substantial damage to the victim and even bankruptcy. For example, LogOrgD was infected via a server vulnerability that was widely documented by academics, security vendors and government bodies. Subsequently, the organization lost access to all critical data, including backups. The victim was rapidly losing its customer base and the business was close to bankruptcy. The business owner was particularly distressed and at some point even had suicidal thoughts – a lifetime of hard work was about to turn into ashes. Ultimately, the company managed to survive but the recovery was lengthy, costly and extremely challenging. Therefore, IT/Security professionals must be extremely vigilant when it comes to protecting their organizations against ransomware. There is no simple technological ‘silver bullet’ that will wipe out the crypto-ransomware threat. Rather, a multi-layered approach is needed which consists of socio-technical measures, zealous front-line managers and active support from senior management [8]. As an IT/Security Manager from LawEnfJ puts it:

You have to have the fundamentals in place. If you are talking about backups after the event, you are dead in the water. You must have your system set up in a way that actively thwarts these attacks. If you are playing catch-up, then I am sorry, but the game is over at that point. You must stay up-to-date. If you are not staying current in the industry, you are going to get in trouble really quick.

Several respondents commented that if vulnerabilities are not closed down following ransomware attacks, organizations will get attacked again. For example, GovSecJ was attacked 4 times within 6 months. Although the IT/Security Manager wrote a report recommending organizational changes, senior management did not act upon it. Subsequently, three more attacks followed.

Though LawEnfM made a decision to implement all appropriate changes following the first ransomware attack, ransomware struck a second time during the recovery process, taking advantage of the same vulnerabilities. Since the organization suffered considerably as a result of two consecutive attacks, the external IT provider made a decision to pay the ransom as they felt responsible. Following this devastating experience (two attacks within 2 weeks), LawEnfM made several important changes in its approach to cybersecurity. HealthSerJU had to experience two very severe attacks before senior management realized the importance of security controls and measures:

I think both attacks fundamentally came down to the fact that there was an under-appreciation of the importance of IT and, therefore, the focus on ensuring that those systems were properly protected was not there … . If we wanted to take a positive from the attacks, it would be that finally executive management gave IT a profile that it has never had before. (IT/Security Manager, HealthSerJU)

Within our sample, public organizations had considerably stronger security postures than those in the private sector. In total, 78% of the private organizations that we looked at had weak security postures, as opposed to 38% in the public sector. This may be because public institutions have a stronger regulatory mandate to have IT security policies in place. In the UK, the Cyber Essentials scheme was introduced in 2014 and is required for all central government contracts [48]. In contrast, in the private sector, the majority of organizations do not mandate their suppliers to have cybersecurity standards in operation [4].

Of course, the promotion of security standards is one matter, adoption is another and actual compliance yet another again. In the past 12 months, 17 452 Cyber Essentials certificates were issued by the UK government [49] which, going by the estimated 2.6 million businesses in the country [50], represents just 0.7% of the population. Within higher education institutions – from which division 29% of our public sector sample was drawn – there has been considerable resistance to the uptake of the Cyber Essentials standard [51]. The ISO27001 standard has been more widely adopted in the UK, but less so in public administration and educational organizations than elsewhere [52]. The annual UK Cyber Breaches Surveys of recent years reveal that a growing number of businesses are adopting Cyber Essentials, ISO27001, or other similar policies, but about half still have no such measures in place [4].

Ransomware attacks, even of the less sophisticated type, can wreak havoc

There was no pronounced effect of the crypto-ransomware propagation class upon attack impact in the sample examined in this study. This is an interesting finding because Generation III crypto-ransomware has the ability to propagate across large networks and completely paralyse organizational operations. As a Detective Sergeant from CyberTR pointed out:

When I first started, the virus was very specific to the machine. The machine that clicked on the email was the machine that got the virus and the ransomware and that was it. More recent variants of ransomware have the ability to spread. There is definitely a distinction between ransomware that will hit a computer and encrypt any physically connected devices such as USBs, storage devices, and it is a lot more simple, and the likes of WannaCry that will travel across networks and spread to all computers. We have seen this evolution, where suspects are using vulnerabilities to spread across networks. This type of ransomware is more prevalent than it ever was because it gives hackers an advantage.

Rationally, Generation III should bring more devastation. However, our data show otherwise. For example, SecOrgM was infected with the less sophisticated Generation II crypto-ransomware. The victim declared bankruptcy shortly after the attack because the organization did not have backups, could not operate without hijacked data and at the same time was not able to meet ransom demands. Similarly, GovSecJN was hit with the Generation II ransomware class but it had a detrimental effect on the victim. Although GovSecJN recovered relatively quickly, data critical to high priority functions was encrypted, affecting essential functions of the organization. Such organizations provide vital services to the local community and many people depend on these services.

On the contrary, EducInstFB was attacked with Generation III crypto-ransomware that infected hundreds of devices. EducInstFB and its staff lost access to an enormous volume of data, which had scientific value. Several critical systems were disabled that stopped the victim from performing their normal daily tasks. The management made a decision to pay the ransom. Although the recovery was lengthy and challenging, EducInstFB eventually repaired its systems and recovered the majority of data. Another victim of Generation III crypto-ransomware – HealthSerJU – was attacked twice and on both occasions over a thousand devices were infected. Although these attacks had a significant negative effect on the delivery of services, HealthSerJU had effective backups and, therefore, promptly restored its systems. EducOrgA was also infected with Generation III crypto-ransomware, affecting the whole network. However, due to the nature of its business, EducOrgA continued its work as a primary school and teaching activities were not interrupted (while administrative data were gradually restored).

Following these observations, we concluded that the crypto-ransomware propagation class alone may not have a direct impact on the consequences of these attacks. Rather, a combination of factors (e.g. the nature of the business, the availability of resources to recover data or pay the ransom, the type of systems affected, the level of preparedness, etc.) is at play.

Beware the ‘weakest link’

Although Hypothesis 2c was rejected, indicating that the severity of a ransomware attack is not influenced by the attack target (i.e. human or machine), we observed that organizations with a weak posture were much more likely to be targeted via machine vulnerabilities as a point of entry, whereas those with medium or strong security postures were more likely to be attacked via social engineering tricks. This finding could be explained by the fact that many of our study participants trust that technical controls provide an adequate defence against cyberthreats, which is also a commonly accepted belief among industry professionals. Consequently, IT/Security professionals focus on implementing measures like e-mail hygiene, vulnerability and upgrade management and sophisticated monitoring and detection systems, but seem to neglect the ‘human factor’ problem and do not have strong security education and training, the importance of which as a security countermeasure is well established [6, 37, 38]. Therefore, these organizations are attacked via ‘the weakest link’ – they may have an adequate defence from a technical perspective, but weak employee security practices. As the IT/Security Manager from GovSecJ put it:

Effective defence always starts with a user. You need to make sure that along with teaching people how to use your applications, IT systems, you incorporate in there a good amount of cyber security.

In our sample, 27 attacks were successful due to humans opening malicious attachments or clicking on links. Several respondents alluded to shortcomings regarding human error and made appropriate changes. For example, LawEnfM replaced online security training with face-to-face tuition after an employee failed to notice rather obvious signs of a malicious e-mail. A staff member from LawEnfJU shut down their own machine after receiving a ransom note and booted several other machines using their credentials. Although the employee hoped to solve the problem, they instead infected more machines and lost precious time in containing the infection. Since then, LawEnfJU has implemented a new policy that obliges employees to report any out-of-the-ordinary activity, no matter how insignificant it seems. The organization regularly sends its employees ‘call and verify’ warnings to remind them of this new rule. However, even with effective security education in place, humans are continually prone to make mistakes and do things they know they probably shouldn’t. For example, an employee from GovSecJN who had recently completed security training still proceeded to open an e-mail attachment, even though he felt it was quite suspicious and potentially risky.

Don’t become an easy target, be careful what you reveal about your organization

Targeted attacks were more likely than opportunistic ones to lead to severe consequences in the observed sample. This result is expected as targeted attacks require a lot of preparation, but the ‘prize’ is much higher:

There is a recent trend of a particular variant of ransomware called BitPaymer, which is seen as a big problem. It seems to me to be very targeted because cybercriminals are making extremely large demands on the businesses, which I have never seen before – £30,000 – so they are clearly very targeted. Cybercriminals know the targets they are going after. (Detective Sergeant, CyberTL)

Such attacks suggest that there is some kind of network reconnaissance behind, so cybercriminals know what company they are targeting and how much to ask for. Cybercriminals will say, ‘Wait there, your turnover is £400m so you can pay maybe £2m’. There are victims out there that have paid up to £1,000,000 or even more to get the decryption key. (Detective Constable, CyberBR)

Clearly, such extravagant amounts would have a more severe effect on an organization than, e.g. the typical £300–500 ransom. In our own sample, one small IT company (VirtOrgD) was asked to pay 75 bitcoins (approximate value £352 000 at the time of the attack), a ransom amount the victim could not afford to pay. After intense negotiations, the hackers agreed to reduce the ransom amount to 65 bitcoins, but it was still too high for VirtOrgD. The victim had no choice but to recover from partial backups. In the first stages of recovery the management was not sure if the business was going to survive this attack, as VirtOrgD was rapidly losing its customer base. Through tremendous efforts of staff and with the help of external specialists, VirtOrgD managed to restore its business, although, inevitably, some substantial losses occurred. Similarly, another company (ITOrgJL) was asked to pay 100 bitcoins (approximate value of £470 000 at the time of the attack). ITOrgJL was able to negotiate the ransom down to 15 bitcoins and effectively recovered with a decryption key provided by the hackers.

Both organizations, VirtOrgD and ITOrgJL, had weak security postures, which allowed hackers not only to penetrate their networks but also to stay undetected for several days searching for loopholes to spread within the network and encrypt multiple devices, including servers that contained crucial data and systems. This confirms our observation that the majority of targeted attacks were executed against organizations that had a weak security posture. The lethality of targeted attacks lies in the hackers’ ability to execute network reconnaissance in order to find the company’s most critical assets (e.g. backup server, customer data, etc.) and the security weaknesses that will allow them to hijack these assets. It is up to organizations to take appropriate measures to avoid such dramatic consequences.

Our research findings demonstrate that several factors, including ‘organization sector’, ‘security posture’ and ‘attack type’, influence the degree of severity of ransomware attacks. More specifically, within our sample, private organizations were more likely to experience severe consequences compared to public ones. Interestingly, public organizations investigated in this study had considerably stronger security postures than those in the private sector. Private organizations typically operate to generate profit and any interruptions to services can cause grave damage to them. Public organizations, on the contrary, are funded by the government to serve the public. Consequently, financial implications are not always relevant to them. We assert that private organizations need to recognize this vulnerability and ‘up their game’ in the security realm.

Furthermore, organizations that had weak security postures suffered harsher outcomes of ransomware attacks as opposed to companies with stronger postures. This finding indicates that the need to strengthen security postures in a bid to defend organizational assets against ransomware attacks is greater than ever. Hackers are relentlessly taking advantage of well-documented issues (e.g. RDP brute-force, poor security training, insufficient vulnerability management). It is important to note that organizations must focus on technical and non-technical controls as both are vital; one without the other is futile. As our results demonstrate, targeted attacks are mainly preying on technical shortcomings but even if all technical loopholes are closed down, hackers can still hit a potential victim by exploiting human weaknesses.

Moreover, targeted attacks brought more devastation to affected organizations in our sample compared to those who were hit opportunistically. Offenders normally invest more effort into targeted attacks and hence, expect higher yields. For example, a thorough investigation of the target may take place, so the hackers can understand how profitable the business is, what information is critical to its continuity and how much the victim can potentially afford to pay. Whether or not the victim pays, they are still going to suffer substantially. In a scenario where they pay, the ransom is going to be very high and the organization is going to experience considerable financial losses. In a situation where the victim does not pay, they are going to suffer not only financially (in many cases, recovery is more expensive than the ransom payment), but also experience significant disruptions to business operations. Therefore, it is worth making cybersecurity investments rather than face consequences of the targeted ransomware attacks. As our findings suggest, organizations with stronger security postures are less vulnerable to targeted attacks.

Our results also indicate that ‘organization size’, ‘crypto-ransomware propagation class’ and ‘attack target’ have no significant impact on the severity level of ransomware attacks. Within our sample, organizations of all sizes were afflicted by ransomware attacks, with consequences ranging from less severe (e.g. relatively short business continuity disruption timeline and insignificant information loss) to highly severe, where organizations faced a challenging recovery and, in many cases, came very close to business bankruptcy. In fact, one organization in our sample (SecOrgM) did not survive the ransomware attack. This finding underlines the indiscriminate nature of ransomware and serves as caution against common but dangerous attitudes such as ‘hackers could not possibly gain anything from attacking us – we are too small’, ‘we do not hold any state secrets or any other sensitive information that would be of interest to hackers’, ‘hackers are normally after banks as this is where the money is’, etc.

Since 2013, ransomware has evolved considerably and become much more technically advanced and dangerous. Generation III is substantially more of a menace than Generation II because of its greater degree of contagiousness and ability to self-propagate across infected networks. However, we found that the propagation class of crypto-ransomware by itself had no effect on the severity of crypto-ransomware attacks in the observed sample. Regarding the attack target (i.e. machine vs. human), crypto-ransomware impacts victims equally regardless of the network access method.

As ransomware attacks continue to hurt businesses around the globe, our results convey several important messages. First, we urge organizations of all sizes, small, medium and large, to strengthen their security posture. Secondly, we specifically stress that the vulnerabilities of private companies to ransomware attacks must be realized and addressed. Offenders are aware of their dependency on data and systems and take advantage of it. Thirdly, we conclude that the strength of ransomware is not in its technical capabilities and rapid evolution; rather, it lies in the relentlessness of hackers who are persistently searching for a range of weaknesses within organizations. Security holes are widely exploited by perpetrators, but hackers also understand the sentimental value organizations may have to their owners, who possibly spent a lifetime building their business (e.g. the LogOrgD case). Criminals exploit the sense of responsibility that IT and Cyber Security professionals may experience if a company is significantly suffering from an attack (e.g. LawEnfM), or the responsibility management may feel because their staff is facing very challenging working conditions during attacks and potentially harsh consequences post-attack (e.g. EducInstFB). All of these factors inevitably make ransomware attacks ever so painful, while hackers are persistently doing their homework on potential victims; and this is why targeted attacks hit even harder.

This work makes a number of valuable contributions to the existing body of academic literature on ransomware. It increases knowledge about factors that can make crypto-ransomware attacks absolutely unbearable for affected organizations. We urge readers to learn from the experiences of victims presented in this work and take appropriate preventative actions to avoid, transfer or mitigate the risks of a crypto-ransomware attack. The article also introduces (see ‘Crypto-ransomware propagation class’ section) a simple but useful set of terms that can be used by various parties (e.g. academics, industry professionals, government bodies, etc.) to refer to different classes of this threat according to the degree of infectiousness, i.e. ‘Generation I’, ‘Generation II’, etc. Finally, we developed an Impact Assessment Instrument, which can be applied in further academic works that specifically focus on the crypto-ransomware impact.

This study has a number of limitations. As always, studying cybercrime is a challenge because researchers are faced with incomplete data, skewed surveys and questionable assumptions. The majority of our respondents were based in one country (the UK). Our sample size of 55, though respectable, is still quite small. Therefore, statistically speaking, the findings cannot be generalized outside the given sample and are only applicable within the observed 55 ransomware attacks. A logical follow-on would be to test our conclusions against a larger, more international data set – but a practical problem is how to readily obtain such data. Typically, ransomware victims do not disclose the full reality of their experiences in official complaints or incident reports [3]. Insurance companies such as Advisen have databases of incidents, but these only include organizations that were insured against cyberattacks and made claims. Unfortunately, these sorts of sampling and access issues are typical in cybersecurity research [25] and, as we earlier saw in Table 1, it greatly complicates comparability between studies. We executed our study as rigorously as we could, combining quantitative and qualitative data, and although we believe it is robust and broadly generalizable, that is a point of conjecture.

Furthermore, in terms of limitations, in Phase 1, we interviewed one participant per organization. This is a very common limitation in qualitative data collection, where the principal interviewee typically plays the role of a ‘gatekeeper’, especially when the subject matter pertains to highly sensitive and confidential matters within the organization. We used a snowballing sampling strategy in Phase 2 of data collection which, though not ideal, was the only pragmatic way we could collect data on ransomware attacks.

As regards future research, in the next step we are planning to learn what makes ransomware so effective in the wider cybercrime eco-system. While in this study we assessed factors that make these attacks impactful, ransomware is a very complex threat and organized criminals employ various tactics to make these attacks successful. Therefore, we intend to learn about the numerous vulnerabilities that cybercriminals prey on (whether technical, social or psychological), specifically focusing on victims’ decision-making processes regarding ransom payments. The ultimate purpose of this study will be to identify a series of measures that could potentially reduce ransom payments.

We would like to extend our sincere gratitude to all study participants for their invaluable contribution to this research. We greatly appreciate interviewees’ time and genuine effort. We realize some questions may have brought back emotions experienced by victims during attacks; we would like to thank you for your bravery and willingness to tell your story. It is very important that other organizations learn from your experiences. Special thanks to Robert McArdle, the Director of Cybercrime Research Team at Trend Micro, who provided expert advice on technical measures against crypto-ransomware attacks. We would like to acknowledge the relentless commitment of police officers from UK Regional Cybercrime Units in providing data and advising on study results. Please note that the views expressed in this work are ours alone and do not necessarily reflect those of the participants, the commentators or the funding body.

This work was supported by the Engineering and Physical Sciences Research Council [EP/P011721/1].


Cyber Case Study: UVM Health Network Ransomware Attack

by Kelli Young | Dec 6, 2021 | Case Study , Cyber Liability Insurance


In October 2020, the University of Vermont (UVM) Health Network—a six-hospital health care organization that serves over 1 million patients throughout Vermont and upstate New York—discovered that its systems had been compromised by cybercriminals in a ransomware attack. The UVM Health Network ransomware attack led to major disruptions across the organization’s infrastructure, shutting down critical technology and delaying patient care.

This attack—which ultimately stemmed from an employee error—resulted in significant recovery costs and reputational damages for UVM Health Network, emphasizing the severity of cyber incidents within the health care industry. There are various cybersecurity lessons that organizations can learn by reviewing the details of this incident, its impact and the mistakes UVM Health Network made along the way.

The Details of the UVM Health Network Ransomware Attack

At the beginning of October 2020, a UVM Health Network employee took their work laptop on vacation with them. During this vacation, the employee used the laptop to check their personal emails. One of these emails was from the employee’s local homeowners association. Although the email seemed legitimate, the homeowners association had recently been hacked by cybercriminals. As a result, the email was actually a phishing scam. By opening the email, the employee unknowingly allowed cybercriminals to launch malware on their work laptop. When the employee came back to work and connected their laptop to the UVM Health Network’s systems, the cybercriminals then utilized that malware to target the entire organization.


While the text file didn’t contain a specific ransom demand, UVM Health Network’s IT department was fairly confident that contacting the cybercriminals would only result in such a demand—a demand that the organization did not want to satisfy. After all, there was no guarantee that the cybercriminals would actually restore the organization’s systems and data after the ransom was paid. Therefore, instead of complying with the cybercriminals’ orders, the organization contacted the FBI for assistance. From there, UVM Health Network worked closely with the FBI to identify the source of the attack and resolve the incident. In the coming weeks, Vermont Gov. Phil Scott also deployed the state’s National Guard to further assist in the matter.

Fortunately, the organization confirmed that no sensitive data (e.g., patient records or employee information) was stolen or exposed during the attack. Rather, UVM Health Network’s existing cybersecurity measures allowed the organization to regain access to most of its data through safely stored back-up copies. Nevertheless, the attack still largely disrupted the organization’s operations for several weeks while it worked to fully recover its data, remove the malware (as well as any digital backdoors created by the malware) from all infected technology and rebuild its damaged infrastructure. During this time, hundreds of employees were unable to perform their job responsibilities due to the computer and phone systems remaining shut down. What’s worse, many patients faced delayed test results, experienced appointment cancellations and had to reschedule elective medical procedures while UVM Health Network recovered from the incident. In total, it took multiple months for the organization to totally restore its infrastructure.

The Impact of the UVM Health Network Ransomware Attack

The UVM Health Network ransomware attack caused a range of consequences, including the following:

Recovery costs and lost revenue. The organization incurred significant recovery expenses as a result of the attack. This includes costs related to UVM Health Network rebuilding 1,300 damaged servers, restoring 600 disabled applications, scanning and cleaning 5,000 malware-ridden computers, and repopulating its overall infrastructure with backed-up data. In addition, the organization lost a considerable amount of revenue in the time it took to recover from the incident—totaling nearly $1.5 million per day. As a whole, the attack is estimated to have cost UVM Health Network over $63 million. These costs greatly exceeded the organization's existing cyber insurance protection, as it was only insured for $30 million.

Reputational damages. Apart from recovery expenses, the organization encountered widespread scrutiny due to the attack. Specifically, UVM Health Network was criticized for allowing employees to access their personal emails on workplace devices—a flaw that essentially led to the incident. Although the organization's existing cybersecurity measures effectively prevented the attack from resulting in a data breach, UVM Health Network was still scrutinized for its lengthy incident recovery process, especially considering that this process resulted in delayed patient care.

Delayed system updates. Lastly, the attack forced the organization to modify its timeline for rolling out an updated electronic health record system. This system was intended to replace the organization's current patchwork of health record applications and create a more integrated system to be utilized for both inpatient and outpatient care. While UVM Health Network had already implemented the first phase of this rollout in November 2019, the second and third phases were pushed back to November 2021 and April 2022, respectively.

Lessons Learned

There are several cybersecurity takeaways from the UVM Health Network ransomware attack. In particular, the incident showcased these key lessons:

Employee education can’t be ignored. Employees are often the first line of defense against cyberattacks. In fact, as many as 90% of such attacks stem from human error. This issue was certainly emphasized during UVM Health Network’s cyber incident. If the organization had educated its employees on safe email protocols and phishing detection measures, it’s possible that this attack could have been avoided altogether. As such, it’s crucial to share the following cybersecurity best practices with employees:

  • Avoid opening or responding to emails from unfamiliar individuals or organizations. If an email claims to be from a trusted source, verify their identity by double-checking the address.
  • Never click on suspicious links or pop-ups, whether they’re in an email or on a website. Don’t download attachments or software programs from unknown sources or locations.
  • Utilize unique, complicated passwords for all workplace accounts. Never share credentials or other sensitive information online.
  • Only browse safe and secure websites on workplace devices. Refrain from using these devices for answering personal emails or browsing the internet on topics unrelated to work.
  • Contact a supervisor or the IT department if suspicious activity arises.

Effective security software is a must. After the attack, UVM Health Network made it a priority to block employees' access to their personal emails on all workplace devices, as well as equip this technology with more advanced security software. While this software may seem like an expensive investment, it's worth it to minimize the impacts of potentially devastating cyber incidents. Software to consider includes network-monitoring systems, antivirus programs, firewalls, endpoint-detection products and patch-management tools. Also, it's valuable to conduct routine penetration testing to determine whether this software possesses any security gaps. If such testing reveals any problems, these issues should be addressed immediately.

Cyber incident response plans make a difference. UVM Health Network took an extended period of time to recover from this incident, ultimately increasing disruption concerns, delaying patient care and compounding the overall costs of the attack. Such lengthy recovery issues highlight how essential it is to have an effective cyber incident response plan in place. This type of plan can help an organization establish timely response protocols for remaining operational and mitigating losses amid a cyber event. A successful incident response plan should outline potential cyberattack scenarios, methods for maintaining key functions during these scenarios and the individuals responsible for carrying out such functions. This plan should be routinely reviewed through different activities—such as tabletop exercises—to ensure effectiveness and identify ongoing vulnerabilities. Based on the results from these activities, the plan should be adjusted as needed.


Proper coverage can provide much-needed protection. Finally, this attack made it clear that no organization—not even a major health care organization—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. Considering how expensive cyber events can be (especially ransomware attacks), it’s best to carefully select a policy limit that will provide sufficient protection amid a costly incident. Consult a trusted insurance professional when navigating these coverage decisions.

Thu, Mar 16, 2023

Seamless Response to Ransomware and a Cyber Resilience Upgrade


The Challenge


A major logistics company was hit by a ransomware attack at a time when it was reviewing and upgrading its cybersecurity defense. Kroll provided seamless incident response to enable the company to act quickly to mitigate and minimize the damage caused by the attack. The company also deployed Kroll Responder, Kroll’s award-winning Managed Detection and Response (MDR) solution, giving it comprehensive 24/7 visibility and management of threats and enhancing its long-term cyber resilience.

  • Ransomware attack affecting key systems
  • Small in-house security team
  • Lack of 24/7 threat detection and response specialists

Kroll Services

  • Kroll Digital Forensics and Incident Response
  • Kroll Responder MDR

  • Swift recovery from ransomware attack
  • 24/7 threat monitoring
  • Enhanced cyber resilience

The company was in the process of rolling out its EDR solution with the aim of understanding the typical volume of alerts it received around-the-clock, before deciding on further enhancements needed to its cybersecurity strategy. As part of this, the company was reviewing how its team managed alerts; while it had a 24/7 response team, it was not dedicated specifically to security operations. The company was looking for a way to cost-effectively scale up the team and its capabilities, using a specialist in threat response.

As the rollout of the EDR solution was taking place, along with the conversation of handling out-of-hours alerts, the company was hit by a ransomware attack. In response, the company appointed Kroll as its digital forensics and incident response firm.

Kroll's Solution

Kroll's Incident Response team worked fast with the company to contain the threat, prevent further damage and investigate the events leading up to the attack. Kroll installed its managed detection and response solution, Kroll Responder, to provide 24/7 threat management, all while remaining cognizant of the company's longer-term objective to maintain its security strategy.

As a result, the company was quickly able to move out of incident response mode and transition back to business-as-usual. With consensus around the success of the recovery, the company was keen to retain the 24/7 security monitoring provided by Kroll Responder and build on the other security gains made. The next stage was to create a transition plan, with a view to moving in full to the company's endpoint detection and response solution of choice as planned prior to the ransomware attack.

The company takes advantage of a hybrid, collaborative model with Kroll, giving it a high degree of control and visibility, while maintaining 24/7 support.

Seamless Incident Response Support

The rapid incident response delivered by Kroll’s global network of certified security and digital forensics experts enabled the ransomware attack to be managed and mitigated effectively and quickly, allowing the company to get back up and running as soon as possible.

Comprehensive Attack Analysis & Recovery

Kroll's digital forensics experts analyzed the ransomware attack to quickly and safely uncover critical information to aid recovery. This enabled the company to gain a comprehensive understanding of the vulnerabilities that may have led to the attack, highlighting critical areas for improvement and enhancing its resilience against future attacks.

Actionable Threat Intelligence

The company benefits from the intelligence Kroll gains through responding to 3,000+ incidents every year, with insights drawn from multiple events, clients, sources and experts. Continually updated threat intelligence passed back into triage helps to inform the company’s in-house team and enhances detection capabilities.

360-Degree Threat Visibility

The company now has continual and comprehensive visibility of threats. Kroll Responder’s tech-agnostic approach allows this intelligence to fuel detection and build a more resilient, integrated organization, from Security Information and Event Management (SIEM) and EDR to vulnerability scanning and behavioral monitoring.

Maximize In-House Security Team

Kroll Responder's 24/7 monitoring capabilities have maximized the benefits of the company's in-house security team, allowing it to focus its attention on systems that are particularly complex or difficult to manage. The company's security team now benefits from Kroll's world-class team of threat analysts, seeing frontline threat intelligence from incident response cases in real time, while alleviating the requirement of recruiting and maintaining the skillset of an in-house, out-of-hours security team.

Alongside this, the regular service reviews provided as part of the Kroll Responder MDR service enable the company to stay continually up to date with the profile and level of its risk. Kroll provides a vital checkpoint while also removing the administrative burden from the company.

Enhanced Cyber Resilience

The company gained valuable insights through Kroll’s incident response and post-incident investigation. This, combined with the ongoing monitoring and threat intelligence provided by Kroll Responder, means that the company is much better placed to defend against ransomware attacks and other cyber threats in the future, ultimately creating a stronger foundation for the company’s ongoing cybersecurity strategy.


Ransomware Simulations: Hands-on Case Studies

Authors: Ali Hadi and Mariam Khader

DFRWS USA 2023

Ali Hadi

Dr. Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time professor and researcher at the Computer and Digital Forensics and Cybersecurity Departments of Champlain College, USA. Ali is a Co-Founder and the Chief Technology Officer of Cyber 5W. He holds a PhD and MSc degree in Computer Information Systems, as well as a BSc degree in Computer Science. Throughout his professional career, Ali has earned more than 20 professional certifications. Ali is a sought-after consultant in the field of cybersecurity, offering expertise in areas such as digital forensics, incident response, adversary simulation, offensive security, and malware analysis. He is also an established author, speaker, and freelance instructor, having provided technical training to government and private firms as well as other organizations. Ali continues to be an influential figure in the digital forensics community and is dedicated to promoting forensics education and research.

  • Website:  https://www.ashemery.com/
  • Twitter:  https://twitter.com/binaryz0ne
  • LinkedIn:  https://www.linkedin.com/in/ali-hadi/

Mariam Khader


Dr. Mariam Khader is an Assistant Professor at Champlain College, USA, who is highly recognized for her expertise in Computer Science, IT Security and Digital Criminology. She has earned her PhD and MSc in the respective fields and is currently a researcher at the Leahy Center, where she focuses on Mobile and Operating System Forensics as well as Big Data Forensics. Her research has been published in numerous international journals and presented at various conferences, where she has been able to share her insights with a wide range of audiences. In addition to working as a course author and speaker, Mariam has also worked as a freelance instructor, providing technical instruction to government and private firms as well as other organizations. She has obtained numerous professional certifications, such as CHFI, ECIH, CCNA, CCME, CCO, CCMP, and CCPA.


Ransomware: Recent advances, analysis, challenges and future research directions

Craig Beaman, Ashley Barkworth, Toluwalope David Akande, Saqib Hakak, Muhammad Khurram Khan

a Canadian Institute for Cybersecurity, Faculty of Computer Science, University of New Brunswick, Canada

b Center of Excellence in Information Assurance, College of Computer and Information Sciences, King Saud University, Riyadh 11653, Saudi Arabia

The COVID-19 pandemic has witnessed a huge surge in the number of ransomware attacks. Different institutions such as healthcare, financial, and government have been targeted. There can be numerous reasons for such a sudden rise in attacks, but it appears working remotely in home-based environments (which is less secure compared to traditional institutional networks) could be one of the reasons. Cybercriminals are constantly exploring different approaches like social engineering attacks, such as phishing attacks, to spread ransomware. Hence, in this paper, we explored recent advances in ransomware prevention and detection and highlighted future research challenges and directions. We also carried out an analysis of a few popular ransomware samples and developed our own experimental ransomware, AESthetic, that was able to evade detection against eight popular antivirus programs.

1. Introduction

The COVID-19 pandemic has led to an increase in the rate of cyberattacks. As the workplace paradigm shifted to home-based scenarios—resulting in weaker security controls—attackers lured people through COVID-19 themed ransomware phishing emails. For example, many phishing campaigns prompted users to click on specific links to get sensitive information related to a COVID-19 vaccine, shortage of surgical masks, etc. Attackers made good use of fake COVID-19 related information as a hook to launch more successful phishing campaigns. Higher levels of unemployment can be another factor that motivates people towards cybercrime, such as launching ransomware attacks and disrupting critical IT services, in order to support themselves ( Lallie et al., 2020 ).

Cyber extortion methods have existed since the 1980s. The first ransomware sample dates back to 1989 with the PC Cyborg Trojan (Tailor and Patel, 2017). After the target computer was restarted 90 times, PC Cyborg hid directories and encrypted the names of all files on the C drive, rendering the system unusable. In the 1990s and early 2000s, ransomware attacks were mostly carried out by hobbyist hackers who aimed to gain notoriety through cyber pranks and vandalism (Srinivasan, 2017). Modern ransomware emerged around 2005 and quickly became a viable business strategy for attackers (Richardson and North, 2017; Wilner, Jeffery, Lalor, Matthews, Robinson, Rosolska and Yorgoro, 2019). Targets shifted from individuals to companies and organizations in order to fetch larger ransoms (Muslim et al., 2019). The following industries were particularly targeted: transportation, healthcare, financial services, and government (Alshaikh et al., 2020). The number of ransomware attacks has grown exponentially thanks to easily obtainable ransomware toolkits and ransomware-as-a-service (RaaS) that allows novices to launch ransomware attacks (Sharmeen et al., 2020).

Ransomware is a type of malware designed to facilitate different nefarious activities, such as preventing access to personal data unless a ransom is paid (Khammas, 2020; Komatwar and Kokare, 2020; Meland, Bayoumy and Sindre, 2020). This ransom typically uses cryptocurrency like Bitcoin, which makes it difficult to track the recipient of the transaction and is ideal for attackers to evade law enforcement agencies (Kara and Aydos, 2020; Karapapas, Pittaras, Fotiou and Polyzos, 2020). There has been a surge in ransomware attacks in the past few years. For example, during the ongoing COVID-19 pandemic, an Android app called CovidLock was developed to monitor heat map visuals and statistics on COVID-19 (Saeed, 2020). The application tricked users by locking user contacts, pictures, videos, and access to social media accounts as soon as they installed it. To regain access, users were asked to pay some ransom in Bitcoin; otherwise, their data was made public (Hakak et al., 2020c). Another notorious example of ransomware is the WannaCry worm, which spread rapidly across many computer networks in May 2017 (Akbanov, Vassilakis and Logothetis, 2019; Mackenzie, 2019). Within days, it had infected over 200,000 computers spanning across 150 countries (Mattei, 2017). Hospitals across the U.K. were knocked offline (Chen and Bridges, 2017); government systems, railway networks, and private companies were affected as well (Cosic et al., 2019).

Ransomware can be categorized into three main forms - locker, crypto, and scareware (Gomez-Hernandez, Alvarez-Gonzalez and Garcia-Teodoro, 2018; Kok, Abdullah, Jhanjhi and Supramaniam, 2019) - as shown in Fig. 1. Scareware may use pop-up ads to manipulate users into assuming that they are required to download certain software, thereby using coercion techniques for downloading malware. In scareware, the cyber crooks exploit the fear rather than lock the device or encrypt any data (Andronio et al., 2015). This form of ransomware does not do any harm to the victim’s computer. The aim of locker ransomware is to block primary computer functions. Locker ransomware may encrypt certain files which can lock the computer screen and/or keyboard, but it is generally easy to overcome and can often be resolved by rebooting the computer in safe mode or running an on-demand virus scanner (Adamu and Awan, 2019). Locker ransomware may allow limited user access. Crypto ransomware encrypts the user’s sensitive files but does not interfere with basic computer functions. Unlike locker ransomware, crypto ransomware is often irreversible as current encryption techniques (e.g., AES and RSA) are nearly impossible to revert if implemented properly (Gomez-Hernandez, Alvarez-Gonzalez and Garcia-Teodoro, 2018; Nadir and Bakhshi, 2018). Table 1 presents a few popular ransomware families. Crypto ransomware can use one of three encryption schemes: symmetric, asymmetric, or hybrid (Cicala and Bertino, 2020). A purely symmetric approach is problematic as the encryption key must be embedded in the ransomware (Dargahi et al., 2019). This makes this approach vulnerable to reverse engineering. The second approach is to use asymmetric encryption. The issue with this approach is that asymmetric encryption is slow compared to symmetric encryption and hence struggles to encrypt larger files (Bajpai et al., 2018).

Fig. 1. Categories of ransomware (Andronio et al., 2015).

Table 1. List of popular ransomware strains.

The most effective approach (i.e., the hardest to decrypt) is hybrid encryption, which uses both symmetric and asymmetric encryption. An overview of the hybrid approach is given in Fig. 2. For hybrid encryption, the first step is to create a random symmetric key. The ransomware usually creates this key by calling a cryptographic API on the user’s operating system (Zimba et al., 2019). The symmetric key encrypts the victim’s files as the ransomware traverses through the file system. Once all files are encrypted, a public-private key pair is generated by a command and control (C&C) server which the ransomware connects to. The public key is sent to the ransomware and is used to encrypt the symmetric key, while the private key is held by the C&C server. The plaintext version of the symmetric key is then deleted to ensure that the victim cannot use it to recover their files. Instructions for how to pay the ransom are left for the victim. If the ransom is paid, then the decryption process will begin. Decryption starts by requesting the private key from the C&C server. Once obtained, the private key is used to decrypt the symmetric key. Finally, the symmetric key is used to recover the victim’s files. Generally, a unique public-private key pair is generated for each new ransomware infection; this prevents victims from sharing private keys with other victims to enable them to recover the symmetric key.

Fig. 2. The typical steps used by ransomware to encrypt and decrypt a user’s data. This illustrates a hybrid approach where both symmetric and asymmetric cryptography are used.

Ransomware attacks can cause significant financial damage, reduce productivity, disrupt normal business operations, and harm the reputations of individuals or companies (Jain and Rani, 2020; Zhang-Kennedy, Assal, Rocheleau, Mohamed, Baig and Chiasson, 2018). The global survey ‘The State of Ransomware 2021’ commissioned by Sophos announced in its findings that, among roughly 2000 respondents whose organizations had been hit by a ransomware attack, the average total cost to an organization to rectify the impacts of a ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc.) was US$1.85 million, which is more than double the US$761,106 cost reported in 2020 (ran, 2021). These attacks may also result in a permanent loss of information or files. Paying the ransom does not guarantee that the locked system or files will be released (for Cyber Security, 2018). For companies that pay the ransom, the cost of recovering from the attack doubles on average (Ltd., 2020). By the end of the year 2021, ransomware attacks are expected to cost the world $20 billion, up from $325 million in 2015 (Alshaikh et al., 2020). These attacks have been particularly devastating since the COVID-19 pandemic and started by targeting hospitals, vaccine research labs, and contact tracing apps (Pranggono and Arabo, 2020). From all these statistics, it is clear that we need to understand the behaviour of ransomware and its variants to effectively detect and mitigate future attacks. Due to its profitability, new variants of ransomware continue to emerge that circumvent traditional antivirus applications and other detection methods. Hence, it is critical to come up with a new generation of efficient countermeasures.

There is an emerging need to highlight the recent advancements in the area of ransomware. The contribution of this paper is as follows:

  • Recent state-of-the-art ransomware detection and prevention approaches are presented.
  • Different ransomware samples are tested in a virtual environment.
  • A new experimental ransomware known as AESthetic is proposed and tested on eight popular antivirus programs.
  • The effectiveness of a few popular ransomware countermeasures on implemented ransomware samples is analyzed.
  • Future research challenges and directions are identified and elaborated on.

The rest of the article is organized as follows. Section 2 surveys the recent literature on ransomware detection and prevention approaches. Section 3 presents our new ransomware sample, AESthetic, and the experimental test-bed setup along with in-depth analysis. A discussion of our literature survey and test results is in Section 4. Section 5 highlights future research challenges and directions. Finally, Section 6 concludes the article.

2. Literature review

Before our own survey, we searched for and identified relevant surveys on ransomware and summarized their contributions in Table 2. Most existing surveys were outdated and focused on papers from 2014 to 2017. Hence, for our own literature review, we sourced papers on ransomware solutions from 2017 onwards. The papers came from the following article databases: IEEE Xplore, ACM, Science Direct, and Springer. Our searches were made using combinations of the following keywords: ‘ransomware detection’, ‘ransomware prevention’, ‘crypto-ransomware’, ‘malware detection’, ‘key backup’, ‘data backup’, ‘access control’, ‘honeypots’, ‘machine learning’, and ‘intrusion/anomaly detection’. We categorized the surveyed papers into ransomware prevention and detection approaches. Most of the existing works within these two categories involved the preliminary step of malware analysis, which is explained below:

Table 2. Existing review studies.

2.1. Malware analysis

Malware analysis is a standard approach to understand the components and behaviour of malware, ransomware included. This analysis is useful to detect malware attacks and prevent similar attacks in the future. Malware analysis is broadly categorized into static and dynamic analysis. Static analysis analyzes binary file contents, whereas dynamic analysis studies the behaviour and actions of a process during execution (Or-Meir, Nissim, Elovici and Rokach, 2019; Sharafaldin, Lashkari, Hakak and Ghorbani, 2019; Shijo and Salim, 2015).

Signature-based malware detection is a static analysis approach that uses the unique patterns within the malicious file in order to detect it. For ransomware, this includes the unique sequences of bytes within the binary file, the order of function calls, or the analysis of ransomware notes (Alshaikh, Nagy and Hefny, 2020; Aslan and Samet, 2020; Nahmias, Cohen, Nissim and Elovici, 2020). The signature can then be checked against the signatures of known malware samples. The main advantages of signature-based detection are that it is fast and has a low false-positive rate; for these reasons, signature-based detection is very popular. However, if malware is concealed through code obfuscation techniques like binary packing, then it may evade detection (Khan et al., 2020). Dynamic analysis is less susceptible to these evasion techniques because, unlike static analysis, it does not rely on analyzing the binary code itself and instead looks for meaningful patterns or signatures that imply the maliciousness of the analyzed file (Or-Meir et al., 2019). Additionally, signature-based approaches will fail against newly created malware (Aghakhani, Gritti, Mecca, Lindorfer, Ortolani, Balzarotti, Vigna and Kruegel, 2020; Kok, Abdullah, Jhanjhi and Supramaniam, 2019).

Analysis can reveal some of the steps ransomware takes to infect a user’s computer. For example, Bajpai and Enbody (2020a) performed static and dynamic analysis on decompiled .NET ransomware samples and found that .NET ransomware first attempts to gain execution privileges and then contacts a C&C server to obtain the encryption key. Zimba and Mulenga (2018) examined the static and behavioural properties of WannaCry ransomware; they discovered that WannaCry retrieves the network adapter properties to determine whether it is residing in a private or public subnet in order to effectuate substantial network propagation and subsequent damage. Malware analysis can discover the unique characteristics of ransomware which can then be used to help design prevention or detection mechanisms.

2.2. Recent advances in ransomware research

As mentioned previously, most existing studies have analyzed the nature of malware. Based on their analysis, they have proposed different approaches to prevent or detect ransomware. We have classified the existing studies based on their goal, which is to either prevent ransomware infection or to detect ransomware once it has infected the system. A classification diagram of the utilized tools from the reviewed studies can be found in Fig. 3.

Fig. 3. An overview of the utilized tools observed in literature for both ransomware prevention/mitigation and detection.

2.2.1. Ransomware prevention approaches

Preventative solutions aim to block, mitigate, or reverse the damage done by ransomware. Common preventative approaches include: enforcing strict access control, storing data and/or key backups, and increasing user awareness and training. Raising user awareness of ransomware attacks and training users on how to avoid them can prevent attacks before they occur. A summary of the tools used in the surveyed literature on ransomware prevention can be found in Table 3.

Table 3. Overview of surveyed literature on ransomware prevention.

Access Control

Access control prevents ransomware encryption by restricting access to the file system.

Parkinson (2017) examined how to use built-in security controls to prevent ransomware from executing in the host computer via elevated privileges. One way that ransomware gains access to files is through a user’s credentials if the user has a high level of permissions. He proposed implementing least privilege and separation of duties through role-based access control; restricting data access as far up the directory hierarchy as possible; and routinely auditing permissions and roles.

Kim and Lee (2020) proposed an access control list that whitelists specific programs for each file type. Only whitelisted programs are allowed to access files. This implicitly blocks malicious processes from accessing and encrypting files. Whereas a blacklist cannot stop ransomware that it does not contain a code signature for, a whitelist can effectively block new and unknown ransomware.

Ami et al. (2018) developed a solution known as AntiBotics containing three key components: a policy enforcement driver, a policy specification interface, and a challenge-response. This program makes use of both biometric authentication (e.g., a fingerprint) and human response (e.g., CAPTCHA) to prevent the deletion or modification of data. AntiBotics enforces access control by presenting periodic identification challenges. This program assigns access permissions to executable objects based on a rule specified by an administrator as well as the feedback of the challenges presented upon attempts to modify or delete files. One of this program’s limitations is that it is only tested on Windows OS. Also, although modern ransomware failed to evade AntiBotics, it is possible that future ransomware could adapt to it. For example, ransomware could avoid AntiBotics by injecting itself into a permitted process and waiting until that process is granted permission. Ransomware may also attempt to rename a protected folder and conceal itself, but AntiBotics can block such a process by presenting a challenge when a rename operation is carried out.

McIntosh et al. (2021) proposed a framework that enables access control decision making for a filesystem to be deferred when required, in order to observe the consequence of such an access request to the file system and to roll back changes if required. The authors suggested that their framework could be applied to implement a malware-resilient file system and potentially deter ransomware attacks. They demonstrated the practicality of their framework through prototype testing, capturing relevant ransomware situations. The experimental results against a large ransomware dataset showed that their framework can be effectively applied in practice.

Genç et al. (2018) developed an access control mechanism with the insight that without access to true randomness, ransomware relies on the pseudo random number generators that modern operating systems make available to applications in order to generate keys. They proposed a strategy to mitigate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs, and stops unauthorized applications that call them. Their strategy was tested against 524 active real-world ransomware samples and stopped 94% of them, including WannaCry, Locky, CryptoLocker, CryptoWall, and NotPetya samples.

Data Backup

Keeping regular backups of the data stored on a computer or network can greatly minimize the impact of ransomware, since the damage is then limited to any data that has been created since the last backup. There is overhead in backing up large amounts of data, so choosing how often backups should be taken and how long they will be kept are important decisions to be made.

Huang et al. (2017) proposed a solution called FlashGuard that does not rely on software at all. Instead, it uses the fact that Solid State Drives (SSD) do not overwrite data right away - a garbage collector does this after a while. The authors modified SSD firmware so the garbage collector does not remove data as quickly, and hence lost data can be restored. When tested against ransomware samples, FlashGuard successfully recovered encrypted data with little impact on SSD performance and life span.

Thomas and Galligher (2018) conducted a literature review of the ransomware process, functional backup architecture paradigms, and the ability of backups to address ransomware attacks. They also provided suggestions to improve information security risk assessments to better address ransomware threats, and presented a new tool for conducting backup system evaluations during information security risk assessments that enables auditors to effectively analyze backup systems and improve an organization’s ability to combat and recover from a ransomware attack.

Min et al. (2018) proposed Amoeba, an autonomous backup and recovery SSD system to defend against ransomware attacks. Amoeba contains a hardware accelerator to detect the infection of pages by ransomware attacks at high speed, as well as a fine-grained backup control mechanism to minimize space overhead for original data backup. To evaluate their system, the authors extended the Microsoft SSD simulator to implement Amoeba and evaluated it using realistic block-level traces collected while running the actual ransomware. Their experiments found that Amoeba had negligible overhead and outperformed the state-of-the-art SSD system, FlashGuard, in both performance and space efficiency.

Kharraz and Kirda (2017) proposed Redemption, a system that requires minimal modification of the operating system to maintain a transparent buffer for all storage I/O. Redemption monitors the I/O request patterns of applications on a per-process basis for signs of ransomware-like behavior. If I/O request patterns are observed that indicate possible ransomware activity, the offending processes can be terminated and the data restored. The evaluation of their system showed that Redemption can ensure zero data loss against current ransomware families without detracting from the user experience or inducing alarm fatigue. Additionally, they proved that Redemption incurs modest overhead, averaging 2.6% for realistic workloads.

Key Management

Key management refers to recovering the encryption key that was used to encrypt files and using that to decrypt them without paying the ransom. For some ransomware samples, such as samples that hard code the key directly into their executable binary, this may be rather straightforward. For hybrid models, this can be more challenging, as the key is only available in plaintext while the files are actively being encrypted.

Bajpai and Enbody (2020a) decompiled eight different .NET ransomware variants and determined that some ransomware samples use poor key generation techniques that call common libraries. This insight can be utilized by ransomware countermeasures by keeping a backup of an attacker’s symmetric encryption key. This key can be used to recover any encrypted files later on. For example, Lee et al. (2018) observed that many ransomware programs use the CNG library, a cryptographic library for Windows machines, to generate the encryption key. They developed a prevention system that hooks these functions such that when ransomware calls them, the system stores the encryption key. For the evaluation of their system, Lee et al. (2018) implemented a sample ransomware program. They also implemented their prevention solution which attempts hooking into the process from the ransomware program that performs encryption so that it can extract the encryption key. After hooking, the prevention program displays the extracted encryption key when the sample ransomware generates the key for the encryption. In experiments where the ransomware program attempted encryption 10, 100, 1,000, 10,000, and 100,000 times, their ransomware prevention program was able to extract the encryption key 100% of the time. One limitation of this solution is the assumption that ransomware calls a specific library to obtain the encryption key; if the assumption is invalid, the solution fails.

Some ransomware programs use a symmetric session key for encryption. This key is stored in the victim’s computer which then encrypts the user’s files. Kolodenker et al. (2017) developed a key backup solution called PayBreak which relies on signatures. PayBreak implements a key escrow approach that stores session keys in a vault, including the symmetric key that the attacker uses. When tested, PayBreak successfully recovered all files encrypted with known encryption signatures.

The security of the symmetric encryption key is vital for ransomware developers. Furthermore, a large subset of current ransomware exclusively deploys AES for data encryption. With this in mind, Bajpai and Enbody (2020) developed a side-channel attack on ransomware’s key management to extract exposed ransomware keys from system memory during the encryption process. Their attack leverages the knowledge that the encryption process is a white box on the host system; this approach is successful regardless of which cryptographic API is being used by the malware and regardless of whether a cryptographic API is being used by the malware at all. Their attack was able to identify exposed AES keys in ransomware process memory with a 100% success rate in preliminary experiments, including against NotPetya, WannaCry, LockCrypt, CryptoRoger, and AutoIT samples.

User Awareness

Chung (2019) looked at preventing ransomware attacks within companies and organizations, arguing that they should help individual employees take precautions against ransomware scams. This is especially important since, as mentioned previously, ransomware attacks are increasingly targeting institutions such as financial or healthcare organizations. The author listed five prevention tips for employees to follow: install antivirus or anti-malware software on every computer and mobile device in use; choose strong and unique passwords for personal and work accounts; regularly back up files to an external hard drive; never open suspicious email attachments; and use mirror shielding technology such as NeuShield as a failsafe data protection measure.

Thomas (2018) also examined how users and employees within organizations can avoid ransomware attacks, but this paper focused on how individuals can avoid falling for phishing attacks, which are a common first step for ransomware. The author surveyed several security professionals and, based on the findings from the survey, proposed several recommendations. The first recommendation was to segment company employees based on factors such as their familiarity with phishing and the impact level of their jobs. After segmentation, the next recommendation was to develop targeted training for each group; this training should include real-life examples highlighting the seriousness and damage caused by phishing, use real case studies, and include actual incidents within the company. Sharing these actual and personal examples will result in a strong realization of the dangerous impact of spear phishing and will evoke a more personal protection response.

2.2.2. Ransomware detection approaches

Researchers have proposed various detection solutions to spot ongoing ransomware attacks. Once ransomware programs have been spotted, they can be stopped and removed. Below is a classification of different detection approaches. A summary of the tools used in the surveyed literature on ransomware detection can be found in Table 4. An overview of the experimental results, which includes sensitivity and specificity rates, of the surveyed literature on ransomware detection can be found in Table 5.

Table 4. Overview of surveyed literature on ransomware detection.

Table 5. Experimental results from the surveyed ransomware detection literature.

* Entries that contain a dash were not found in the reviewed source.

Analyzing System Information

A few of the surveyed papers used system information, such as log files or changes to the Windows Registry, as a method of detecting ransomware. A brief summary of all those works is presented below.

Monika et al. (2016) noted that ransomware samples tend to add and modify many Windows registry values. They suggested that the continuous monitoring of Windows registry values, along with file system activity, can be used to detect ransomware attacks. Chen and Bridges (2017) analyzed system log files to detect ransomware activity. This was done by extracting various features from the log files that are relevant to malware activity. Ultimately they found that malware (ransomware included) can be effectively detected using their approach, even when the logs contain mostly benign events, and that their solution is resilient to polymorphism.

Ransom Note Analysis

After the execution of a ransomware attack, a ransom note is usually left behind. This note could be saved to the user’s computer in the form of a text file or displayed on the user’s screen. This note informs the user that their personal files have been encrypted - or, in the case of locker ransomware, are inaccessible - and gives steps on how to pay and retrieve them. Static and dynamic analysis can reveal the traits of ransom notes. For example, Groenewegen et al. (2020) performed static and dynamic behaviour analysis to identify the traits of the NEFILIM ransomware strain that targets Windows machines. They found that if a NEFILIM sample is executed with administrative privileges, the accompanying ransom note is written to the root directory of the machine (C:); otherwise, it is written to the user’s "AppData" directory. Furthermore, the ransomware calls the "CreateFileW" and "WriteFile" Windows functions to create the ransom note and write to it, respectively. Lastly, they determined that the ransom note file is always named "NEFILIM-DECRYPT.txt". In the case where the ransom note is displayed on the screen, some researchers took screen captures and used image and text analysis methods to detect the presence of a ransom note (Alzahrani, Alshehri, Alshahrani, Alharthi, Fu, Liu and Zhu, 2018; Kharraz, Arshad, Mulliner, Robertson and Kirda, 2016).

As mentioned in Section 2.1, ransomware typically displays a ransom note on the user’s computer to receive payment. Some researchers used static and/or dynamic analysis to detect the presence of such a note to ascertain whether a ransomware attack is underway.

Alzahrani et al. (2018) proposed RanDroid, a framework to detect ransomware embedded in malicious Android applications by looking for ransom notes displayed during the app’s execution. RanDroid measures the structural similarity between a set of images collected from the inspected application and a set of threatening images collected from known ransomware variants. The framework first decompiles the Android Application Package (APK) which contains a set of files and folders. It then extracts images from the resources folder and XML layout files using static analysis. Dynamic analysis is performed with a UI-guided test input generator to interact with the application without instrumentation, in order to trigger the app’s events, capture the activities that appear while the app is running, and collect additional images. Several pre-processing steps are applied to the images, including extracting the text from the images. Image and text similarity measurements are calculated against a database of images and texts collected from known ransomware variants; both measurements are used for a final classification. RanDroid was tested by running 300 applications (100 ransomware and 200 goodware applications) and achieved a 91% accuracy rate.

Kharraz et al. (2016) designed a system called UNVEIL to detect ransomware; a core component of UNVEIL is aimed at detecting screen locker ransomware, with the key insight that ransom notes generally cover a significant part, if not all, of the display. UNVEIL monitors the desktop of the victim machine and takes screenshots of the desktop before and after a sample is executed. The series of screenshots are then analyzed and compared with image analysis methods to determine if a large part of the screen has changed substantially between captures. When evaluated against 148,223 samples, UNVEIL achieved a 96.3% detection rate with zero false positives.
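The filename and content traits of text-file ransom notes discussed above (a name advertising recovery instructions such as NEFILIM-DECRYPT.txt, payment and decryption vocabulary, contact details) can be turned into a simple scoring check on newly created files. The following is an added example written for this section; it is not the detection logic of RanDroid, UNVEIL or any other surveyed system. The keyword weights, the filename pattern, the threshold and both sample files are constructed assumptions.

```python
"""Added example: heuristic scoring of a newly created text file as a likely
ransom note. Written for this section; not the detection logic of any surveyed
system. Keyword weights, filename pattern and the sample files are constructed."""
import re

# Phrases common to ransom notes, with assumed weights.
KEYWORDS = {
    "encrypted": 2, "decrypt": 2, "bitcoin": 3, "btc": 2, "ransom": 3,
    "payment": 1, "tor browser": 2, "private key": 2, "restore your files": 3,
    "do not rename": 2, "personal id": 2,
}
# Note file names tend to advertise recovery instructions (cf. NEFILIM-DECRYPT.txt above).
NAME_PATTERN = re.compile(r"(decrypt|restore|recover|readme|how[_ -]?to|help)", re.I)
NOTE_EXTENSIONS = (".txt", ".html", ".hta")
# Contact channels that almost never appear in ordinary documents.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion", re.I)
BTC_ADDRESS = re.compile(r"\b(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

THRESHOLD = 8  # assumed; tune against the benign documents seen in the environment


def score_ransom_note(filename: str, text: str) -> dict:
    """Return the indicator hits, the total score and a verdict for one text file."""
    lowered = text.lower()
    score, hits = 0, []
    for phrase, weight in KEYWORDS.items():
        if phrase in lowered:
            score += weight
            hits.append(phrase)
    if NAME_PATTERN.search(filename) and filename.lower().endswith(NOTE_EXTENSIONS):
        score += 2
        hits.append("filename")
    if ONION_URL.search(text):
        score += 3
        hits.append("onion-url")
    if BTC_ADDRESS.search(text):
        score += 3
        hits.append("btc-address")
    return {"score": score, "hits": hits, "likely_note": score >= THRESHOLD}


# Constructed samples: one ransom-note-like file and one benign README that
# legitimately talks about encryption (the false-positive case to watch for).
NOTE_NAME = "RESTORE-FILES.txt"
NOTE_TEXT = (
    "Attention! All your files have been encrypted with a strong algorithm.\n"
    "To restore your files you need to buy our decryptor. Price: 0.3 bitcoin.\n"
    "Do not rename encrypted files. Your personal ID: 7F3A-CONSTRUCTED\n"
    "Contact us through the Tor browser: http://" + "a" * 56 + ".onion\n"  # placeholder address
)
README_NAME = "README.md"
README_TEXT = (
    "README for the vault tool.\n"
    "Use `vault lock` to encrypt a folder and `vault open` to decrypt it with your private key.\n"
    "Payment is not required; this tool is free software.\n"
)

if __name__ == "__main__":
    print(score_ransom_note(NOTE_NAME, NOTE_TEXT))
    print(score_ransom_note(README_NAME, README_TEXT))
```

The benign README scores on "decrypt", "private key" and "payment" but stays below the threshold because it carries no contact channel and no note-like filename; that separation is what the combined scoring buys over a single keyword match. Note detection is a late signal, since the note is written during or after encryption, so it complements rather than replaces file-change and I/O monitoring.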

File Analysis

Crypto ransomware modifies a file when encrypting it. Large changes made to many files in a computer’s file system could indicate that a ransomware attack is underway. There are several metrics that can be used to detect significant changes in files. The three metrics identified from the surveyed literature are entropy, file type, and file differences (i.e. similarity). In addition, several researchers analyzed file I/O operations to detect suspicious activity. These four methods of file analysis are defined below.

  • File entropy: This measures the "randomness" of a file. Encrypted and compressed files have high entropy compared to plaintext files. Hence, calculating the entropy of the file and comparing the value to previous calculations for the same file can be used to determine whether a file has been infected by ransomware. Scaife et al. (2016) calculated file entropy with Shannon’s formula and used it as one feature to detect ransomware. Mehnaz et al. (2018) also used Shannon entropy as a metric for detecting ransomware. Lee et al. (2019) applied machine learning to classify infected files based on file entropy analysis.
  • File type: A file’s type refers to its extension. Ransomware typically changes the extension of any file that it encrypts. In addition to entropy, both Scaife et al. (2016) and Mehnaz et al. (2018) used file type changes as a feature to determine the presence of ransomware. The detection system designed by Ramesh and Menen (2020) monitors for changes such as large numbers of files being created with the same extension or any files with more than one extension.
  • Similarity: In comparison with benign file changes, such as modifying parts of a file or adding new text, the contents of a file encrypted by ransomware should be completely dissimilar from the original plaintext content. Hence, measuring the similarity of two versions of the same file can be used to detect whether ransomware is present. Scaife et al. (2016) measured the similarity between two files with the similarity hash function sdhash, which outputs a similarity score from 0 to 100 that describes the confidence of similarity between two files. Comparisons between previous versions of a file and the encrypted version of the file should yield a score close to 0, as the ciphertext should be indistinguishable from random data. Mehnaz et al. (2018) also used sdhash to perform similarity checks between file versions to determine if a file has been encrypted by ransomware.
  • File I/O: These operations are used to access the host computer’s file system. Examples of I/O operations include open, close, read, and write fil (2021). Ransomware typically performs read operations to read user files without the user’s permission. It executes write operations either to create encrypted copies of the target files or to overwrite the original files. In the case of the former option, ransomware performs additional operations to delete the original files. Baek et al. (2018) developed a system to detect ransomware in SSDs which learns the behavioural characteristics of ransomware by observing the request headers of the I/O operations that it performs on data blocks. These request headers include the logical block address, the type of operation (read/write), and the size of the data. Natanzon et al. (2018) developed a system that generates a ransomware probability by comparing recent I/O activity to historical I/O activity; if the ransomware probability exceeds a specified threshold value, the system takes actions to mitigate the effects of ransomware within the host. The detection system proposed by Kharraz et al. (2016) extracts features from I/O requests during a sample’s execution, such as the type of request (e.g., open, read, write). These events are then matched against a set of I/O access pattern signatures as evidence that the sample is in fact ransomware.
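
As an added example (not code from Scaife et al., Mehnaz et al., or any other surveyed work), the following combines the first three metrics on a before/after pair of file versions: Shannon entropy, an extension change or doubled extension, and a byte-trigram Jaccard index used here as a simple stand-in for sdhash. The sample document, the hash-chain bytes standing in for ciphertext, and the thresholds are constructed assumptions.

```python
"""Per-file change analysis: entropy, extension change and content similarity.

Added example, not code from any of the surveyed papers. The similarity score is
a plain byte-trigram Jaccard index standing in for sdhash (an external tool), and
the thresholds are illustrative assumptions rather than values from the literature.
"""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trigram_jaccard(a: bytes, b: bytes) -> float:
    """Share of byte trigrams common to both versions (1.0 identical, ~0.0 unrelated)."""
    ta = {a[i:i + 3] for i in range(len(a) - 2)}
    tb = {b[i:i + 3] for i in range(len(b) - 2)}
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


@dataclass
class FileChange:
    entropy_before: float
    entropy_after: float
    similarity: float
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single indicator (a rename, or a legitimately compressed file) is not
        # enough on its own; require two independent signals before alerting.
        return len(self.reasons) >= 2


def analyse_change(old_name: str, old_data: bytes, new_name: str, new_data: bytes,
                   entropy_threshold: float = 7.0, similarity_threshold: float = 0.1) -> FileChange:
    """Compare a file's previous version with its current one and collect indicators."""
    change = FileChange(shannon_entropy(old_data), shannon_entropy(new_data),
                        trigram_jaccard(old_data, new_data))
    old_ext = os.path.splitext(old_name)[1].lower()
    new_root, new_ext = os.path.splitext(new_name)
    if change.entropy_after >= entropy_threshold and change.entropy_after - change.entropy_before > 1.0:
        change.reasons.append("entropy rose to near-random")
    if old_ext != new_ext.lower():
        change.reasons.append("extension changed")
    if os.path.splitext(new_root)[1]:  # e.g. report.pdf.locked (note: .tar.gz also matches)
        change.reasons.append("double extension")
    if change.similarity <= similarity_threshold:
        change.reasons.append("content dissimilar to previous version")
    return change


# --- constructed sample data (no real files or malware involved) -------------------
def sample_plaintext() -> bytes:
    return b"Quarterly report: revenue grew in all regions; see appendix for details.\n" * 40


def pseudo_ciphertext(length: int) -> bytes:
    """Deterministic high-entropy bytes from a hash chain, standing in for AES output."""
    out, block = b"", b"seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


if __name__ == "__main__":
    doc = sample_plaintext()
    for label, new_name, new_data in [
        ("encrypted", "report.txt.locked", pseudo_ciphertext(len(doc))),
        ("edited", "report.txt", doc + b"Addendum: figures are provisional.\n"),
        ("renamed", "report.bak", doc),
    ]:
        c = analyse_change("report.txt", doc, new_name, new_data)
        print(f"{label:9s} H={c.entropy_before:.2f}->{c.entropy_after:.2f} "
              f"sim={c.similarity:.2f} suspicious={c.suspicious} {c.reasons}")
```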

Finite State Machines

A finite state machine (FSM) is an abstract mathematical model that can be used to represent the state of a system and track changes to it. It has been noted that many ransomware samples tend to carry out similar sets of actions once they reach a target system, and that the changes made by ransomware differ significantly from those made by benign programs. Hence, ransomware can be quickly identified in most cases. FSMs can be used to track those actions by associating system events with transitions between the states of the FSM. The state of the FSM can be monitored, and if certain states are reached, the FSM can signal that a ransomware attack is underway. Monitoring the state changes that occur in the computer system in terms of utilization, persistence, and the lateral movement of resources can detect ransomware (Ramesh and Menen, 2020).

Ramesh and Menen (2020) proposed a finite state machine (FSM) with eight total states. The changes represented in the FSM include: changes in file entropy, as encrypted files have higher levels of entropy; changes in retention state, which occur if a process has been added to the Run registry key or startup directory; lateral movement, which checks for suspicious file names such as doubled file extensions (e.g., .pdf.exe); and system resources, which looks for processes that modify the system-restore settings or stop a large number of other processes in a short amount of time. If the FSM ever moves into one of its four final states, then the system is considered to be under a ransomware attack. Their method was tested against 475 different ransomware samples and 1500 benign programs. It detected 98.1% of the tested samples and had a 0% false positive rate. The main drawbacks of this approach are its inability to detect locker-type ransomware and its inability to detect ransomware samples that use sophisticated code-obfuscation and incremental unpacking techniques, such as NotPetya.
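
An event-driven FSM of this kind, as an added example: the states, transitions, event vocabulary and the threshold of 20 high-entropy rewrites are our own illustrative design rather than the eight-state machine of Ramesh and Menen (2020). It also shows why a locker-type sample, which produces none of the four indicator categories, leaves such a machine idle.

```python
"""Event-driven finite state machine over ransomware indicator categories.

Added example: the states, transitions and the mass-encryption threshold are
our own illustrative design, not the eight-state machine of Ramesh and Menen
(2020). Each system event is mapped to one of the four indicator categories the
text lists, and the machine enters an absorbing ALERT state once a second,
independent category corroborates the first, or once high-entropy rewrites
alone recur often enough. Event names are a constructed vocabulary.
"""
from enum import Enum


class Cat(Enum):
    ENTROPY = "file rewritten with higher entropy"
    RETENTION = "persistence via Run key or startup directory"
    LATERAL = "file created with a doubled extension"
    SYSTEM = "system-restore settings changed or mass process termination"


EVENT_CATEGORY = {
    "file_rewritten_high_entropy": Cat.ENTROPY,
    "run_key_added": Cat.RETENTION,
    "startup_dir_write": Cat.RETENTION,
    "double_extension_created": Cat.LATERAL,
    "restore_settings_modified": Cat.SYSTEM,
    "mass_process_terminate": Cat.SYSTEM,
}

IDLE = "IDLE"
MASS_ENCRYPTION = "ALERT:mass_encryption"


class RansomwareFSM:
    def __init__(self, mass_threshold: int = 20):
        self.state = IDLE
        self.counts = {c: 0 for c in Cat}
        self.mass_threshold = mass_threshold
        self.trace = [IDLE]           # every state change, kept for post-incident review

    @property
    def is_final(self) -> bool:
        return self.state.startswith("ALERT:")

    def feed(self, event: str) -> str:
        """Consume one event and return the resulting state."""
        cat = EVENT_CATEGORY.get(event)
        if self.is_final or cat is None:      # alerts absorb; unknown events are ignored
            return self.state
        self.counts[cat] += 1
        new_state = self.state
        if self.state == IDLE:
            new_state = f"SUSPECT:{cat.name}"
        elif self.state == f"SUSPECT:{cat.name}":
            # The same category repeating is only conclusive for sustained encryption.
            if cat is Cat.ENTROPY and self.counts[cat] >= self.mass_threshold:
                new_state = MASS_ENCRYPTION
        else:
            # A second, independent category corroborates the first: final state.
            first = self.state.split(":", 1)[1]
            new_state = "ALERT:" + "+".join(sorted((first, cat.name)))
        if new_state != self.state:
            self.state = new_state
            self.trace.append(new_state)
        return self.state


def run_events(events, mass_threshold: int = 20) -> RansomwareFSM:
    fsm = RansomwareFSM(mass_threshold)
    for e in events:
        fsm.feed(e)
    return fsm


if __name__ == "__main__":
    # Constructed event streams (not recorded from real samples).
    scenarios = {
        "installer adding autostart": ["run_key_added", "startup_dir_write"],
        "crypto ransomware": ["file_rewritten_high_entropy"] * 3 + ["double_extension_created"],
        "silent encryptor": ["file_rewritten_high_entropy"] * 20,
        "screen locker (stays idle)": ["screen_overlay_created", "wallpaper_changed"],
    }
    for name, events in scenarios.items():
        fsm = run_events(events)
        print(f"{name}: {fsm.state}  trace={fsm.trace}")
```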

Honeypots (or honeyfiles) are decoy files set up for the ransomware to attack. Once these files are attacked, the attack is detected and stopped. Honeyfiles are easy to set up and require little maintenance. However, there is no guarantee the attacker will target these decoys, so an attacker may encrypt other files while leaving the honeyfiles untouched (Moore, 2016). Gómez-Hernández and Álvarez-González (2018) proposed R-Locker, a tool for Unix platforms containing a "trap layer" with a series of honeyfiles. Any process or application that accesses the trap layer is detected and stopped. Unfortunately, R-Locker only protects part of the complete file system, and the tool can be defeated by deleting the central trap file.

Similarly, Kharraz et al. (2016) designed UNVEIL to limit the damage that can be done by attackers before they are detected with honeyfiles. UNVEIL generates a virtual environment that aims to attract attackers. It then monitors its file system I/O and detects any presence of a screen locker. Their solution detected 96.3% of ransomware samples and had zero false positives.

Shaukat and Ribeiro (2018) proposed RansomWall, a multi-layered defense system that incorporates honeyfiles to protect against crypto-ransomware. When the trap layer suspects a process is malicious, any modified files are backed up until it is classified as either ransomware or benign by other layers. When tested, RansomWall had a 98.25% accuracy rate and generated zero false positives. One challenge is that some ransomware samples have limited file system activity.
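
A minimal honeyfile monitor, as an added example that is not code from R-Locker or RansomWall: decoys are planted, their digests recorded, and any later change or disappearance of a decoy is reported. The decoy names, filler content and the demo scenarios (including the selective attacker that skips the decoys, the limitation noted above) are constructed.

```python
"""Honeyfile (decoy) integrity monitor.

Added example; this is not the code of R-Locker or RansomWall. Decoys with
tempting names are planted in one or more directories, their SHA-256 digests
recorded, and any later modification or disappearance (rename/delete) of a
decoy raises an alert. Decoy names, filler content and scenarios are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Names chosen to look attractive to an indiscriminate file crawler (constructed).
DECOY_NAMES = ("passwords_backup.docx", "tax_return_2020.pdf", "AAA_readme_first.txt")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class HoneyfileMonitor:
    """Plants decoys under each root directory and checks them on demand."""

    def __init__(self, roots):
        self.baseline = {}
        for root in roots:
            for name in DECOY_NAMES:
                p = Path(root) / name
                p.write_bytes(f"decoy {name}\n".encode() * 64)  # inert filler content
                self.baseline[p] = sha256_file(p)

    def check(self):
        """Return (decoy name, reason) for every decoy that is missing or altered."""
        alerts = []
        for p, digest in self.baseline.items():
            if not p.exists():
                alerts.append((p.name, "missing (deleted or renamed)"))
            elif sha256_file(p) != digest:
                alerts.append((p.name, "modified"))
        return alerts


def demo():
    """Three scenarios in a throwaway directory; returns the alerts of each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        real = root / "budget.xlsx"
        real.write_bytes(b"real user data\n" * 100)
        mon = HoneyfileMonitor([root])
        results["untouched"] = mon.check()
        # Limitation from the text: a selective attacker that only rewrites the
        # real file and never touches a decoy is not noticed by the honeyfiles.
        real.write_bytes(bytes(range(256)) * 8)
        results["selective"] = mon.check()
        # An indiscriminate crawler rewrites one decoy in place and renames another.
        (root / DECOY_NAMES[0]).write_bytes(bytes(range(256)) * 8)
        p = root / DECOY_NAMES[1]
        p.rename(p.with_name(p.name + ".locked"))
        results["indiscriminate"] = mon.check()
    return results


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(f"{scenario:14s} -> {alerts or 'no alert'}")
```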

Network Traffic Analysis

Network traffic analysis intercepts network packets and analyzes communication traffic patterns to detect ongoing malware attacks. For certain ransomware families, the communication between the victim host and the C&C server behaves much differently compared to normal conditions. This anomalous behavior can be revealed by studying certain traffic features. The four main features of network traffic used by researchers to detect ransomware are discussed below.

  • Packet size: The size of messages exchanged may be unusually large if they contain an encryption key or encryption instructions. Cabaj et al. (2018) analyzed CryptoLocker and Locky ransomware samples under execution and extracted the message size from HTTP packet headers to determine the average size of messages exchanged between the infected host and the C&C server, then used these statistics to build an anomaly detection system based on message size. Bekerman et al. (2015) used TCP packet size as a feature in a supervised system for detecting ransomware.
  • Message frequency: Detecting an uptick in certain kinds of traffic can be used to detect the presence of a ransomware attack. Almashhadani et al. (2019) observed that Locky ransomware significantly increases the number of HTTP POST request packets within the traffic stream compared to normal traffic. Additionally, they found numerous TCP RST and TCP ACK packets in Locky’s traffic, used to terminate the malicious TCP connections abnormally. The authors used these features and others as part of a multi-classifier intrusion detection system. Bekerman et al. (2015) used the number of TCP RST packets, TCP ACK packets, and duplicate ACK packets, as well as the number of sessions in communication, as features for their supervised ransomware classification model.
  • Malicious domains: Communication between the ransomware and the C&C server can be blocked if the server’s domain is identified as malicious. Cabaj and Mazurczyk (2016) proposed a software-defined networking solution that relies on dynamic blacklisting of proxy servers to block communication between the infected computer and the C&C server. Their proposal forwards all DNS traffic to a controller that checks the domains against a blacklist database. If a malicious domain is detected, the DNS message is discarded and traffic from the host is blocked.
  • DGA detection: Rather than using hardcoded domain addresses, which are susceptible to domain blacklisting, some types of ransomware employ a Domain Generation Algorithm (DGA) to generate a large number of domain names that can be used as rendezvous points for their C&C servers. Some detection systems, such as those proposed by Chadha and Kumar (2017) and Salehi et al. (2018), work by determining the DGA and subsequently blocking all generated domains.
  • Other features: Hundreds of other network features extracted from various OSI layers can also be used for ransomware detection. Many of these are outlined by Bekerman et al. (2015), whose work focused not on ransomware detection specifically but on general malware detection.
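
The first two features above (message size and POST/RST frequency) scored against a clean baseline, as an added example not taken from Cabaj et al. (2018) or Almashhadani et al. (2019): the per-minute window records are constructed, and the z-score threshold and the two-feature corroboration rule are our assumptions.

```python
"""Per-host traffic window anomaly scoring.

Added example, not the systems of Cabaj et al. (2018) or Almashhadani et al.
(2019). A baseline (mean and standard deviation) for three features the text
discusses (HTTP POST count, TCP RST count, mean payload size) is learnt from a
clean period; later windows are scored with one-sided z-scores and flagged when
at least two features spike together. All window records are constructed, and
the z-threshold and the two-feature rule are our assumptions.
"""
import statistics
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FEATURES = ("http_post", "tcp_rst", "mean_payload")


@dataclass(frozen=True)
class Window:
    """One-minute summary of a single host's outbound traffic."""
    minute: int
    http_post: int        # HTTP POST requests observed
    tcp_rst: int          # TCP RST segments sent by the host
    mean_payload: float   # mean TCP payload size in bytes


class TrafficBaseline:
    def __init__(self, clean: Iterable[Window], z_threshold: float = 3.0, min_features: int = 2):
        clean = list(clean)
        if len(clean) < 5:
            raise ValueError("need at least five clean windows to build a baseline")
        self.z_threshold, self.min_features = z_threshold, min_features
        self.stats = {}
        for f in FEATURES:
            vals = [getattr(w, f) for w in clean]
            mean, std = statistics.mean(vals), statistics.pstdev(vals)
            # Floor the spread so a near-constant feature cannot become a hair trigger.
            self.stats[f] = (mean, max(std, 0.05 * abs(mean), 1e-9))

    def zscores(self, w: Window) -> dict:
        return {f: (getattr(w, f) - m) / s for f, (m, s) in self.stats.items()}

    def assess(self, w: Window) -> Tuple[List[str], bool]:
        """Features exceeding the threshold (upticks only) and whether the window is flagged."""
        z = self.zscores(w)
        hits = [f for f in FEATURES if z[f] > self.z_threshold]
        return hits, len(hits) >= self.min_features


# Constructed sample: ten quiet minutes, then a Locky-like burst of POSTs and RSTs
# with larger messages, and a busy but benign minute that spikes one feature only.
CLEAN_WINDOWS = [
    Window(m, p, r, s) for m, (p, r, s) in enumerate([
        (2, 0, 510.0), (3, 1, 480.0), (1, 0, 530.0), (2, 0, 495.0), (4, 1, 505.0),
        (2, 0, 520.0), (3, 0, 490.0), (2, 1, 515.0), (1, 0, 500.0), (3, 0, 485.0)])
]
INFECTED_WINDOW = Window(10, http_post=40, tcp_rst=25, mean_payload=1800.0)
BUSY_BENIGN_WINDOW = Window(11, http_post=6, tcp_rst=1, mean_payload=540.0)

if __name__ == "__main__":
    baseline = TrafficBaseline(CLEAN_WINDOWS)
    for w in (CLEAN_WINDOWS[3], BUSY_BENIGN_WINDOW, INFECTED_WINDOW):
        hits, flagged = baseline.assess(w)
        print(f"minute {w.minute:2d}: flagged={flagged} spikes={hits}")
```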

Machine Learning

Many studies proposed machine learning models that detect ransomware by classifying computer programs as either benign or ransomware based on their behaviour. With sufficient training data, these models can spot attacks with a high degree of accuracy. Additionally, they are frequently able to detect ransomware before it has a chance to encrypt any files. However, finding a suitable model requires trial and error, and bias or overfitting may occur if proper measures are not taken (Kok et al., 2019b). What distinguishes the models proposed by different researchers are the classifier algorithms that are applied and the features that are used for training. The features used in the surveyed literature include the following:

  • APIs / system calls: API calls are functions that facilitate the exchange of data among applications, while system calls are service requests made by the ransomware to the OS or kernel api (2018). Often, ransomware makes API calls to the C&C server to obtain an encryption or decryption key. Other API calls can be made to maintain execution privileges on the host computer, enumerate the list of files to encrypt, and access or modify files. Ransomware and benign programs have specific call patterns or a unique order of calls that can be used to differentiate them. Examples of system calls include create, delete, execute, and terminate (Bajpai and Enbody, 2020b; Qin et al., 2020; api, 2018).
  • Log files: Log files can come from a variety of sources and record information that can indicate whether a ransomware attack is underway. For instance, Herrera Silva and Hernández-Alvarez (2017) found that both WannaCry and Petya ransomware exploit DNS and NetBIOS and can be spotted by analyzing DNS and NetBIOS logs. I/O request packets are generated for each file operation and contain parameters such as the type of operation and the address and size of the data being read or written. These parameters can be extracted from I/O request packet logs and used as features.
  • File I/O: Ransomware typically executes many more read operations than benign programs, since it must read every file it encrypts. Additionally, it executes more write operations on average. File operation metrics such as the number of files written to or read from, the average entropy of file-write operations, the number of file operations performed for each file extension, and the total number of files accessed can be used to gauge whether the file operations being performed are benign or part of a ransomware attack (Continella et al., 2016; Sgandurra et al., 2016).
  • HPC values: Hardware Performance Counters (HPCs) are a set of special-purpose registers that were first introduced to verify the static and dynamic integrity of programs in order to detect any malicious modifications to them (Alam et al., 2020). The time-series data collected from these counters can be fed into a model to learn the behaviour of a system and detect malicious programs through any statistical deviations in the data.
  • Network traffic: Network traffic features include average packet size, the number of packets exchanged between the host and other machines, and the source and/or destination IP addresses contained within packet headers. Ransomware frequently displays anomalous communication patterns. For example, Cabaj and Mazurczyk (2016) found that CryptoWall and Locky ransomware samples involve a defined sequence of HTTP packets exchanged between the host and a C&C server to distribute the encryption key; in addition, these packets tend to be larger than average. Machine learning models can learn normal and anomalous traffic features to distinguish normal communication from malicious communication. Chadha and Kumar (2017) analyzed network traffic to obtain the names of benign and malicious domains to use as features for their model, which detects ransomware by predicting whether incoming or outgoing packets transmitted to or from the host contain a malicious domain.
  • Opcode/Bytecode sequences: Opcodes ("operation codes") specify the basic processor instructions to be performed by a machine, whereas bytecode is a form of instruction designed to be executed by a program interpreter (e.g., the Java Virtual Machine). These sequences have rich context and semantic information that provide a snapshot of the program’s behaviour. This information can be extracted through dynamic analysis and fed into a model to predict if a given program is benign or malicious.
  • Process actions: This refers to the sequence of events that occur while a program or application is running. Ransomware will typically cause different events to occur compared to a benign program; these events can be transformed into feature vectors and learned by a model by extracting information such as text and encoding it as numerical values (Homayoun et al., 2019).
  • Others: Many other features were used by researchers and extracted from assorted sources. Some of these features are derived from the raw bytes extracted from executable files using static analysis (Khammas, 2020). Other features relate to web domains (e.g., the length of the domain name, the number of days a domain is registered for (Quinkert et al., 2018b)) or DNS (e.g., the number of DNS name errors, the number of meaningless domain names (Almashhadani et al., 2019)). Portable Executable (PE) file headers, which describe the structure of a file and contain important information about the nature of the executable, have components that can be used as features. Other sources for features include the CPU (e.g., power usage), k-mer substrings (e.g., frequencies), volatile memory, and the Windows Registry (Azmoodeh et al., 2018; Cohen and Nissim, 2018; Sgandurra et al., 2016).

A complete list of the works that focused on detecting ransomware using machine learning is highlighted in Table 6 .

Overview of surveyed machine learning detection approaches.

SVM: Support Vector Machines, ANN: Artificial Neural Networks, KNN: k-nearest neighbors, LDA: Linear Discriminant Analysis, CART: Classification and Regression Trees, SGD: Stochastic Gradient Descent, CNN: Convolutional Neural Networks, LSTM: Long Short-Term Memory

3. Ransomware implementation and evaluation

In this section, we highlight the motivation for implementing existing ransomware samples and testing the effectiveness of existing countermeasures against those samples. A brief description of our new ransomware is also presented.

3.1. Motivation

From the literature review, few studies were found that test the effectiveness of existing ransomware countermeasures, such as antivirus products. There seems to be a gap between research-based proposed solutions and existing practical solutions. To validate our claim, we decided to test different AV products against randomly chosen known ransomware samples and a simple ransomware created by us. This was done to evaluate the effectiveness of existing practical countermeasures against both known and unknown ransomware samples. Our aim is not to claim that existing AV products are unable to detect ransomware samples, as it is possible that the tested AV products are able to detect other samples from other known ransomware families. Through these experiments, our motive is simply to highlight the need for effective countermeasures against known and unknown ransomware samples.

3.2. Experimental setup

Testing was done using a VirtualBox virtual machine running the latest version of Windows 10. VirtualBox Guest Additions were not installed, as some malware samples are known to detect these additions (gue, 2017). Ransomware samples were taken from the work of sam (2021). The samples were in binary format and had to be extracted from an encrypted ZIP file before use. In most cases, the file extensions were added manually before the ransomware was executed. To conduct the tests on these ransomware samples safely, a few precautions were taken. These included setting the network adapter to host-only mode, ensuring all software was up to date, and removing any shared folders between the guest and host operating systems. On the host side, data was backed up to an external hard drive and the internet connection was disconnected, to make sure the ransomware did not escape the environment of the virtual machine. The ransomware samples were all taken from https://github.com/ytisf/theZoo in January 2021.

Several test folders were placed in different areas of the file system, including the Desktop, Documents, and Pictures folders. Test folders were also placed in protected areas of the file system such as Program Files, Program Files (x86), and Windows. One of the folders was placed in the Recycle Bin to check whether the ransomware scans the Recycle Bin. The test folders contained four different file formats: rich-text, text, PDF, and image files. All of these files had a non-zero size.

3.3. Testing

Testing consisted of three parts, in each of which various ransomware samples were pitted against various antivirus products. The first test used well-known ransomware samples. The second test used a RaaS generator. The third and final test used a novel custom-made ransomware sample. All of the antivirus products were the most up-to-date versions as of January 2021.

3.3.1. Well-Known ransomware tests

The first round of testing was simply a control test to see the impact of the ransomware samples when no security controls were in place; all antivirus applications were turned off. The User Account Control (UAC) settings of Windows were left at their defaults. The ransomware samples tested were WannaCry (Akbanov et al., 2019), Cerber (Hassan, 2019), Thanos, and Jigsaw (Hull et al., 2019). The results are shown in Table 7, where it can be seen that most of the files within Desktop, Documents, and the other test locations were encrypted, except for those in the protected operating system folders. Cerber failed to encrypt folders that the other samples encrypted. The explanation for this behaviour is unknown, but the sample may simply have been programmed that way.

Control test results where ransomware samples were tested without any form of protection.

Other ransomware samples were also tested, but unfortunately, we were not able to analyze them. As mentioned earlier, some forms of ransomware need to connect via the internet to a C&C server before they can be executed. In our scenario, due to the testing being done offline, it was not possible to analyze that category of ransomware.

The same ransomware samples were then tested against eight popular antivirus programs. In all cases, the ransomware samples were rapidly detected and removed before any test files became encrypted. The samples were often removed before they were even clicked on.

3.3.2. RAASNet Testing

The second round of testing was done using a RaaS generator called RAASNet, which can be downloaded from https://github.com/leonv024/RAASNet . RAASNet is a free, cross-platform, and open-source software project designed to educate the public about how easy it is to create and use ransomware. It allows for custom ransomware to be created and tested. Although RAASNet generates real ransomware, the decryption key can be freely obtained from the author’s website.

A control test was performed for two different RAASNet generated ransomware samples with no antivirus software running. These two samples were identical except for the fact that one ran with administrator privileges while the other did not. The payloads of both samples were generated using the default settings of RAASNet. The results of this control test can be seen in Table 8 . Both of the samples were set to target all of the listed folder locations. The sample with administrator privileges was tested to see if it would be able to infect the protected operating system folders, but this was unsuccessful. The only difference between the two tests was that the one with administrator privileges generated a user account control (UAC) prompt message, but allowing access still did not let the ransomware modify the files.

A control test of two different RAASNet payloads, one with administrator privileges and one without.

The advantage of testing RAASNet ransomware over well-known ransomware samples (e.g., Jigsaw) is that RAASNet-generated samples are not included in all antivirus signature databases. One of the generated payloads was uploaded to VirusTotal.com, and only 20 out of 72 antivirus engines detected the payload as malicious. By comparison, a Jigsaw sample was also uploaded and was detected by 67 out of 72 engines. This means that the antivirus programs can be tested for their dynamic detection abilities rather than strictly through static, signature-based detection. This is important since it is a better indication of how they might fare against novel ransomware samples in the future, where static analysis is more likely to fail.

A RAASNet-generated payload (created with default settings and without administrator privileges) was then tested against several popular antivirus programs. The results of these tests can be found in Table 9. Folders were placed in different locations across the file system and marked as either encrypted or safe depending on whether the ransomware encrypted them. The worst-performing antivirus programs were Microsoft Defender, MalwareBytes (Free), and Avira (Free). All of the antivirus programs had real-time protection turned on. Overall, the antivirus programs did quite well and quickly caught the ransomware before it could do any real damage. However, the antivirus programs with the best results appeared to detect the ransomware through static analysis: many of them gave messages indicating that they had detected the ransomware by preemptively scanning the file, seemingly before it could run.

RAASNet test results for different antivirus software. Both Microsoft Defender and Avira failed to stop the sample.

It is worth noting that many antivirus programs, such as Microsoft Defender, do have an effective form of ransomware protection built in. This protection comes in the form of folder protection, which checks whether a process is trusted; if it is not, the antivirus software prevents the process from modifying the folder contents. A protected folder was set up on the Desktop using Microsoft Defender, and the contents of this folder were successfully protected. It would appear that a similar form of protection also safeguards important operating system folders, as evidenced by the fact that no ransomware sample was able to encrypt files in these areas of the file system.

3.3.3. AESthetic Ransomware testing

The final tests were done using the AESthetic ransomware sample. This sample was custom-made for this research and was written in Java using the standard cryptographic package, javax.crypto. AESthetic uses a hybrid encryption approach with the help of a C&C server that runs on localhost. It starts by generating a symmetric key using secure cryptographic modules. It then recursively crawls the file system from a specified target directory and encrypts all specified file types using AES-256 in CBC mode. A unique, randomly generated initialization vector is used for each file and is prepended to the encrypted file for later use. A ransom note is placed in every directory that AESthetic traverses. Once all of the files are encrypted, AESthetic connects to the C&C server to obtain an RSA public key, which it uses to encrypt the symmetric key. Once the symmetric key is encrypted, the plaintext version of the symmetric key is deleted. New files are created to store the encrypted data, and the original plaintext files are deleted. After ten seconds, it automatically starts to decrypt the encrypted files. To do this, it once again connects to the C&C server to obtain the corresponding RSA private key, which decrypts the encrypted AES symmetric key. This sample was tested against the same eight popular antivirus programs listed in Table 9. All of the test files were encrypted by AESthetic, and none of the antivirus programs reported any suspicious activity. Both the source code and an executable JAR file were uploaded to VirusTotal.com, and in both cases this resulted in zero detections, since the malware was made just for this research and its signature has not been added to any signature database.

4. Discussion

From the results of our literature review and experiments, we can make several observations on the current trends and limitations of ransomware countermeasure solutions. Most papers preferred to study ransomware using dynamic analysis over static analysis, or used a combination of the two. This is perhaps unsurprising, as static analysis can frequently be evaded through code obfuscation or polymorphic/metamorphic attacks (Shaukat and Ribeiro, 2018). However, some papers found that certain dynamic analysis approaches can be evaded as well. For instance, the virtual environment in UNVEIL (Kharaz et al., 2016) could potentially be detected and avoided by attackers. One limitation of both types of analysis is that the results cannot usually be generalized to all ransomware variants. For example, the key backup technique proposed by Lee et al. (2018) relies on their analysis that ransomware calls specific functions in the CNG library. The HTTP traffic characteristics that Cabaj et al. (2018) used to detect ransomware come from studying two ransomware families, CryptoWall and Locky. Almashhadani et al. (2019) based their detection system on the behavioural analysis of one family, Locky.

Preventative techniques such as access control and key or data backups can reduce the damage that ransomware can inflict on systems and possibly deter future attacks. However, these prevention-based approaches suffer from several shortcomings as well. Firstly, they can have significant overhead. Access control or key backup schemes can incur significant computational costs ( Wang et al., 2015 ). Creating data backups can cause the system to take a significant performance hit, especially under high workloads ( Alshaikh et al., 2020 ).

Machine learning models were the most common technique for detecting ransomware. These models can be trained to recognize the general behaviour patterns of ransomware through suspicious behaviour or specific basic processor instruction patterns. The ability of machine learning to detect the general behaviour of ransomware is important, as ransomware is constantly evolving and can easily change its code signature, but has difficulty changing its attack pattern (Kok et al., 2019b). However, many of these models require an attack to already be underway in order to detect suspicious activity, such as file access or communication to a malicious domain. Khan et al.’s (2020) use of digital DNA sequencing is a promising approach since it is designed to detect ransomware before infection.

Based on the results of our experiments, which were conducted on a number of different ransomware samples, we have learned a few interesting things about ransomware. Our tests using RAASNet have shown how easy it is to acquire and use ransomware through RaaS software. RaaS lets ransomware developers sell or lease their ransomware variants to affiliates, who use these variants to perform attacks; both developers and affiliates get a cut of any profits. As previously mentioned, RaaS enables users without technical expertise to launch ransomware attacks, meaning that ransomware is no longer limited to the developers who create it. For developers, RaaS reduces their risk since they do not launch the attacks themselves. The RaaS model has gained popularity amongst cybercriminals and has caused a dramatic increase in the rate of ransomware attacks in recent years ( Al-rimy et al., 2018 ).

Although antivirus programs were successful against previously known samples, they did not fare quite so well against the lesser-known RAASNet sample and the completely novel AESthetic sample. The novel sample is of course not present in antivirus signature databases, and it went completely undetected. This highlights that current antivirus software likely relies too heavily on simple signature-based static detection and hence should invest more in the approaches seen in the literature, especially dynamic analysis and honeypot approaches. For example, our ransomware AESthetic was designed with many tell-tale ransomware behaviours in mind, such as leaving ransom notes, reading and writing many files throughout the file system, and using cryptographic libraries. These behaviours could potentially have been used to detect AESthetic as malicious through dynamic analysis. The only tested antivirus countermeasure that successfully repelled all of the tested ransomware samples was ransomware folder protection, such as the "Controlled folder access" feature offered by Windows Defender. However, such an approach requires the user to decide manually which folders to protect, and it is not very user-friendly, as benign programs must be manually allowed through the protection wall.

5. Research challenges and future research directions

In this section, we have highlighted key research challenges based on the literature review and explored future research directions. The identified research challenges include unawareness among users, lack of open-access ransomware libraries, and inadequate detection and false-positive rates for ransomware. Future research directions include edge and fog-assisted ransomware, DeepFake ransomware, remote working vulnerabilities, blockchain-based countermeasures, increases in RaaS attacks, and expansion to AESthetic.

5.1. Research challenges

1. Unawareness among users: Awareness among users is one of the fundamental challenges that needs to be addressed to reduce the impact of ransomware. For example, there is no foolproof automatic system that is able to consistently counter ransomware attacks that propagate through phishing campaigns. Although existing spam filters are efficient, there is always a possibility that some malicious emails will make their way into a user's inbox. In that scenario, basic knowledge of how to recognize spam can save a victim from being infected. There are currently many workshops, programs, and websites available to educate users about such threats, but based on the statistics of ransomware attacks, it seems more effort is needed.

2. Lack of Open-Access Ransomware Libraries: To propose and develop new solutions that tackle ransomware, there is an emerging need for open ransomware libraries. Such libraries would help researchers better understand the varying features of existing ransomware samples, including their working mechanisms. Based on that understanding, researchers could propose better solutions more quickly. As it stands, implementing a particular ransomware sample and then testing a countermeasure against it is a tedious task. However, collecting many of the existing ransomware samples is itself a major research challenge that requires international research collaboration as well as substantial funding to obtain the necessary resources.

3. Inadequate Detection and False-Positive Rates: Existing ransomware detection systems face the difficult challenge of achieving both a high detection rate and few false alarms. A large number of false alarms is frustrating for administrators, whereas a low detection rate makes the system ineffective (Maimó et al., 2019). Signature-based detection systems may miss attacks if the signature is too specific; conversely, they may flag too many benign programs as ransomware if the signature is too generic. Anomaly-based detection systems flag behaviour that is sufficiently far from normal (Kathareios et al., 2017). However, not all abnormal behaviour is malicious. Consequently, these systems can generate a high number of false alarms and require a human to review each alarm manually. This manual validation adds to the system workload and reduces the system's practicality. Al-rimy et al. (2018) were able to achieve both a high detection rate and a low false-positive rate by combining two behavioural detection methods into a single model. However, their system relies on a time-based threshold. Hence, more research is needed to improve ransomware detection models and to increase their applicability.
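
The tell-tale behaviours named at the end of the experimental discussion (ransom notes, bulk reads and writes across the file system, encrypted-looking output) and the detection-rate versus false-alarm trade-off described in item 3 can both be seen in one constructed behavioural scorer. This is an added example, not code from the paper or from AESthetic; the event format, the four process traces, the point weights and the thresholds are all assumptions made for the illustration.

```python
"""Behavioural ransomware scoring over a constructed file-event trace.
Event format, traces, point weights and thresholds are all constructed for this
example; none of it is taken from AESthetic or from a system surveyed above."""
from __future__ import annotations

import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")
# Deterministic stand-in for ciphertext (SHA-256 counter chain): 1024 bytes, ~7.8 bits/byte.
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
PLAINTEXT = b"Quarterly report, draft 3.\n" * 40   # ordinary document, ~4 bits/byte
TRUTH = {100: True, 101: True, 200: False, 300: False}   # constructed ground-truth labels


@dataclass
class FileEvent:
    pid: int
    op: str            # "read", "write", "rename" or "create"
    path: str
    data: bytes = b""  # payload, only meaningful for "write"


@dataclass
class ProcessProfile:
    writes: int = 0
    high_entropy_writes: int = 0
    renames: int = 0
    ransom_notes: int = 0
    dirs: set[str] = field(default_factory=set)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, well below that for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def profile_events(events: list[FileEvent]) -> dict[int, ProcessProfile]:
    """Aggregate, per process, the tell-tale behaviours the text lists."""
    profiles: dict[int, ProcessProfile] = defaultdict(ProcessProfile)
    for ev in events:
        p = profiles[ev.pid]
        directory, _, name = ev.path.rpartition("/")
        p.dirs.add(directory)
        if ev.op == "write":
            p.writes += 1
            if shannon_entropy(ev.data) > 7.0:
                p.high_entropy_writes += 1
        elif ev.op == "rename":
            p.renames += 1
        elif ev.op == "create":
            lname = name.lower()
            if lname.endswith((".txt", ".html")) and any(h in lname for h in RANSOM_NOTE_HINTS):
                p.ransom_notes += 1
    return dict(profiles)


def score(p: ProcessProfile) -> int:
    """Suspicion points (0..100); the weights are constructed, not tuned on real data."""
    pts = 0
    if p.ransom_notes:                                          # ransom note dropped
        pts += 40
    if p.writes and p.high_entropy_writes / p.writes > 0.8:     # output looks encrypted
        pts += 30
    if len(p.dirs) >= 5:                                        # touches many directories
        pts += 15
    if p.renames >= 10:                                         # mass extension changes
        pts += 15
    return pts


def evaluate(profiles: dict[int, ProcessProfile], truth: dict[int, bool],
             threshold: int) -> tuple[float, float]:
    """(detection rate, false-alarm rate) of the rule `score >= threshold`."""
    flagged = {pid: score(p) >= threshold for pid, p in profiles.items()}
    pos = [pid for pid, mal in truth.items() if mal]
    neg = [pid for pid, mal in truth.items() if not mal]
    return sum(flagged[i] for i in pos) / len(pos), sum(flagged[i] for i in neg) / len(neg)


def build_sample_events() -> list[FileEvent]:
    """Constructed traces: 100 = encryptor sweeping every folder, 101 = encryptor confined
    to one folder, 200 = backup tool (reads everywhere, writes one archive), 300 = editor."""
    dirs = [f"/home/u/{d}" for d in ("docs", "photos", "music", "work", "tax", "misc")]
    ev: list[FileEvent] = []
    for d in dirs:
        for i in range(3):
            f = f"{d}/file{i}.docx"
            ev += [FileEvent(100, "read", f), FileEvent(100, "write", f, CIPHERTEXT),
                   FileEvent(100, "rename", f + ".locked"), FileEvent(200, "read", f)]
        ev.append(FileEvent(100, "create", f"{d}/README_DECRYPT.txt"))
    for i in range(3):
        f = f"{dirs[0]}/file{i}.docx"
        ev += [FileEvent(101, "read", f), FileEvent(101, "write", f, CIPHERTEXT)]
    ev.append(FileEvent(101, "create", f"{dirs[0]}/HOW_TO_RESTORE.html"))
    ev += [FileEvent(200, "write", "/backups/archive.7z", CIPHERTEXT)] * 4
    ev += [FileEvent(300, "read", f"{dirs[0]}/notes.txt"),
           FileEvent(300, "write", f"{dirs[0]}/notes.txt", PLAINTEXT)]
    return ev
```

Running `evaluate` at thresholds 40, 50 and 80 over the constructed traces gives (1.0, 0.5), (1.0, 0.0) and (0.5, 0.0): the backup tool, which also writes high-entropy output to many directories, is flagged at the lowest threshold, while the single-folder encryptor is missed at the highest.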

5.2. Future research directions

1. Edge- and Fog-assisted Ransomware Detection and Prevention using Federated Learning: There have been huge advances in edge- and fog-based technologies (Mukherjee et al., 2018; Hakak et al., 2020c; Hakak et al., 2020; Pham et al., 2020). Moreover, with the arrival of federated learning (Yang et al., 2019), numerous opportunities to improve state-of-the-art machine-learning-based approaches have emerged. There is great potential to use these concepts to detect and prevent ransomware with machine learning approaches (Liu et al., 2020). One possibility is to train and deploy machine-learning-based algorithms on edge/fog nodes to detect and prevent ransomware. Through federated learning, the learning process of each node can be personalized.

2. DeepFake Ransomware: Deepfakes are manipulated digital representations, such as images and videos, in which an attacker tries to mimic a real person (Güera and Delp, 2018). In the future, attackers could create ransomware that automatically generates DeepFake content of a victim performing some incriminating or intimate action that he/she never did. The victim would then be asked to pay a ransom to prevent that content from being published online. Mitigating such ransomware attacks will be challenging because of the velocity of data and the many social media channels available to spread the content.

3. Remote Working Vulnerabilities: The recent COVID-19 pandemic made it mandatory for many institutions to initiate work-from-home arrangements or implement bring-your-own-device (BYOD) policies (Palanisamy et al., 2020). As a result, several vulnerabilities (Curran, 2020) were exploited by attackers, resulting in a number of ransomware attacks. According to a report by SkyBox Security, ransomware attacks grew by 72 percent compared to the previous years. Hence, mitigating such attacks in remote working scenarios is one of the future research directions.

4. Blockchain-based Countermeasures: Blockchain is an immutable, decentralized ledger that makes tampering difficult (Hakak et al., 2020a) because of its decentralized nature together with its linked hash functions, timestamps, and consensus mechanism (Hakak, Khan, Gilkar, Imran, Guizani, 2020; Hakak, W.Z. Khan, Gilkar, Haider, Imran, Alkatheiri, 2020). Blockchain-based solutions for mitigating ransomware attacks therefore appear to be a promising and interesting research direction. The first step in this direction is the work of Delgado-Mohatar et al. (2020), in which the authors highlight the use of smart contracts for the limited payment of ransoms to obtain decryption keys.

5. Increase in Ransomware-as-a-Service (RaaS) Attacks: Ransomware as a service, or RaaS, has been gaining popularity over the past few years (Keijzer, 2020). In the RaaS model, an experienced attacker creates ransomware and offers that code to script kiddies or gray-hat hackers for a price (Meland, Bayoumy, Sindre, 2020; Puat, Rahman, 2020). The script kiddies or gray-hat hackers then use that code to carry out their own attacks. The Cerber ransomware is one example of the RaaS model in action. With emerging technologies and an increasing number of internet users, there is a strong possibility of a surge in these types of attacks. Hence, mitigating such attacks is a potential future research direction.

6. AESthetic Ransomware Artifact Development: The source code of the AESthetic ransomware has been posted to GitHub at https://github.com/kregg34/AESthetic and has been made private. As we are still in the initial phases of developing a decryption tool for AESthetic, we aim to create artifacts of the AESthetic ransomware so that researchers can evaluate the efficacy of their solutions against it. Once the decryption tool is finalised, we will release the code of AESthetic.

7. AESthetic Performance: The antivirus products were likely able to detect the other, well-known samples because of their known signatures. However, our ransomware AESthetic has no known signatures and went undetected. This may indicate that these products rely too much on static analysis and do not effectively utilize dynamic analysis. Dynamic analysis may be able to detect AESthetic, as it was designed to exhibit many of the tell-tale signs of ransomware behaviour. However, more research is needed to validate this claim, owing to the black-box nature of antivirus products.

6. Conclusion

In this work, recent advances in ransomware analysis, detection, and prevention were explored. It was found that the focus of state-of-the-art ransomware detection techniques revolves mostly around honeypots, network traffic analysis, and machine-learning-based approaches. Prevention techniques focus mostly on access control, data and key backups, and hardware-based solutions. There is also a clear trend towards machine-learning-based approaches for detecting ransomware. We conducted a number of experiments on ransomware samples, through which it was observed that more intelligent approaches are needed to detect and prevent ransomware. The experiments also showed that ransomware can be created and used with ease. Finally, we highlighted the existing research challenges and enumerated some future research directions in the field of ransomware.

Credit Author Statement

Craig Beaman conducted the literature review, worked on implementation details, and was involved in drafting the manuscript.

Ashley Barkworth conducted the literature review and was involved in drafting the manuscript, with particular focus on Ransomware Prevention Approaches and subsections 2.2.2.3 and 2.2.2.5-2.2.2.7 under Section 2.2.2 (“Ransomware Detection Approaches”).

Toluwalope David Akande conducted the literature review and was involved in drafting the manuscript.

Saqib Hakak designed the study, assisted in classification, worked on future research challenges & directions section, and coordinated the whole work.

M. Khurram Khan provided potentially useful recommendations and directions to improve the work, and assisted in addressing reviewer comments and proof-reading.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

All persons who have made substantial contributions to the work reported in the manuscript (e.g., technical help, writing and editing assistance, general support), but who do not meet the criteria for authorship, are named in the Acknowledgements and have given us their written permission to be named. If we have not included an Acknowledgements, then that indicates that we have not received substantial contributions from non-authors. The work of Muhammad Khurram Khan is supported by King Saud University, Riyadh, Saudi Arabia under the project number (RSP-2021/12).

Biographies

Craig Beaman is a graduate student at the University of New Brunswick, where he is completing a Master of Applied Cybersecurity. Craig received a B.Sc. (Honours) from the University of New Brunswick with a major in physics and minors in mathematics and computer science. His research interests include cryptography, network security, and malware detection and prevention.

Ashley Barkworth is a graduate student at the University of New Brunswick, where she is completing a masters in applied cybersecurity. Ashley received a B.Sc. (Honours) from the University of British Columbia with a major in computer science and a minor in mathematics in 2020. Her research interests include information security, cryptography, and data management in centralized systems.

Toluwalope David Akande is a graduate student at the University of New Brunswick, where he is completing a Master of Applied Cybersecurity. He received a B.Sc. (Honours) from Obafemi Awolowo University with a major in Computer Engineering. His research interests include network security, intrusion detection using machine learning and cloud computing security.

Saqib Hakak is an assistant professor at the Canadian Institute for Cybersecurity (CIC), Faculty of Computer Science, University of New Brunswick (UNB). With more than five years of industrial and academic experience, he has received several Gold/Silver awards in international innovation competitions and serves as a technical committee member/reviewer for several reputed conferences and journals. His current research interests include risk management, fake news detection using AI, security and privacy concerns in IoE, applications of federated learning in IoT, and blockchain technology.

Muhammad Khurram Khan is currently working as a Professor of Cybersecurity at the Center of Excellence in Information Assurance, King Saud University, Kingdom of Saudi Arabia. He is founder and CEO of the 'Global Foundation for Cyber Studies and Research', an independent and non-partisan cybersecurity think-tank in Washington, D.C., USA. He is the Editor-in-Chief of 'Telecommunication Systems', published by Springer-Nature, with a recent impact factor of 2.314 (JCR 2021). He is also the Editor-in-Chief of Cyber Insights Magazine. He is on the editorial board of several journals, including IEEE Communications Surveys & Tutorials, IEEE Communications Magazine, IEEE Internet of Things Journal, IEEE Transactions on Consumer Electronics, Journal of Network & Computer Applications (Elsevier), IEEE Access, IEEE Consumer Electronics Magazine, PLOS ONE, and Electronic Commerce Research. He has published more than 400 papers in journals and conferences of international repute. In addition, he is an inventor of 10 US/PCT patents. He has edited 10 books/proceedings published by Springer-Verlag, Taylor & Francis and IEEE. His research areas of interest are cybersecurity, digital authentication, IoT security, biometrics, multimedia security, cloud computing security, cyber policy, and technological innovation management. He is a fellow of the IET (UK), a fellow of the BCS (UK), and a fellow of the FTRA (Korea). His detailed profile is available at http://www.professorkhurram.com .

  • Adamu U., Awan I. Ransomware prediction using supervised learning algorithms. 2019 7th International Conference on Future Internet of Things and Cloud (FiCloud). 2019; pp. 57–63.
  • Aghakhani H., Gritti F., Mecca F., Lindorfer M., Ortolani S., Balzarotti D., Vigna G., Kruegel C. When malware is packin' heat; limits of machine learning classifiers based on static analysis features. Network and Distributed Systems Security (NDSS) Symposium 2020. 2020.
  • Akbanov M., Vassilakis V., Logothetis M. WannaCry ransomware: analysis of infection, persistence, recovery prevention and propagation mechanisms. Journal of Telecommunications and Information Technology. 2019.
  • Al-Rimy B., Maarof M., Alazab M., Alsolami F., Shaid S., Ghaleb F., Al-Hadhrami T., Ali A. A pseudo feedback-based annotated tf-idf technique for dynamic crypto-ransomware pre-encryption boundary delineation and features extraction. IEEE Access. 2020; 8:140586–140598.
  • Al-rimy B., Maarof M., Prasetyo Y., Shaid S., Ariffin A. Zero-day aware decision fusion-based model for crypto-ransomware early detection. International Journal of Integrated Engineering. 2018; 10(6).
  • Al-rimy B., Maarof M., Shaid S. Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Computers & Security. 2018; 74:144–166.
  • Al-rimy B., Maarof M., Shaid S. Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection. Future Generation Computer Systems. 2019; 101:476–491.
  • Alam M., Bhattacharya S., Dutta S., Sinha S., Mukhopadhyay D., Chattopadhyay A. Ratafia: ransomware analysis using time and frequency informed autoencoders. 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). 2019; pp. 218–227.
  • Alam M., Sinha S., Bhattacharya S., Dutta S., Mukhopadhyay D., Chattopadhyay A. Rapper: ransomware prevention via performance counters. arXiv preprint arXiv:2004.01712. 2020.
  • Alhawi O., Baldwin J., Dehghantanha A. Leveraging machine learning techniques for Windows ransomware network traffic detection. In: Cyber Threat Intelligence. Springer; 2018; pp. 93–106.
  • Almashhadani A., Kaiiali M., Sezer S., O'Kane P. A multi-classifier network-based crypto ransomware detection system: a case study of Locky ransomware. IEEE Access. 2019; 7:47053–47067.
  • Alshaikh H., Nagy N.R., Hefny H. Ransomware prevention and mitigation techniques. Int J Comput Appl. 2020; 177(40):31–39.
  • Alzahrani A., Alshehri A., Alshahrani H., Alharthi R., Fu H., Liu A., Zhu Y. RanDroid: structural similarity approach for detecting ransomware applications in Android platform. 2018 IEEE International Conference on Electro/Information Technology (EIT). IEEE; 2018; pp. 0892–0897.
  • Ami O., Elovici Y., Hendler D. Ransomware prevention using application authentication-based file access control. Proceedings of the 33rd Annual ACM Symposium on Applied Computing. 2018; pp. 1610–1619.
  • Andronio N., Zanero S., Maggi F. HelDroid: dissecting and detecting mobile ransomware. Springer-Verlag; Berlin, Heidelberg: 2015; pp. 382–404.
  • Aslan O., Samet R. A comprehensive review on malware detection approaches. IEEE Access. 2020; 8:6249–6271.
  • Aurangzeb S., Aleem M., Iqbal M., Islam M., et al. Ransomware: a survey and trends. J. Inf. Assur. Secur. 2017; 6(2):48–58.
  • Ayub M.A., Continella A., Siraj A. An I/O request packet (IRP) driven effective ransomware detection scheme using artificial neural network. 2020; pp. 319–324.
  • Azmoodeh A., Dehghantanha A., Conti M., Choo K.-K.R. Detecting crypto-ransomware in IoT networks based on energy consumption footprint. J Ambient Intell Humaniz Comput. 2018; 9(4):1141–1152.
  • Bae S., Lee G., Im E. Ransomware detection using machine learning algorithms. Concurrency and Computation: Practice and Experience. 2020; 32(18):e5422.
  • Baek S., Jung Y., Mohaisen A., Lee S., Nyang D. SSD-Insider: internal defense of solid-state drive against ransomware with perfect data recovery. 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS). IEEE; 2018; pp. 875–884.
  • Bajpai P., Enbody R. Attacking key management in ransomware. IT Prof. 2020; 22(2):21–27.
  • Bajpai P., Enbody R. Dissecting .NET ransomware: key generation, encryption and operation. Network Security. 2020; 2020(2):8–14.
  • Bajpai P., Enbody R. An empirical study of API calls in ransomware. 2020 IEEE International Conference on Electro Information Technology (EIT). 2020; pp. 443–448.
  • Bajpai P., Sood A.K., Enbody R. A key-management-based taxonomy for ransomware. 2018 APWG Symposium on Electronic Crime Research (eCrime). 2018; pp. 1–12.
  • Baldwin J., Dehghantanha A. Leveraging support vector machine for opcode density based detection of crypto-ransomware. In: Cyber Threat Intelligence. Springer; 2018; pp. 107–136.
  • Bekerman D., Shapira B., Rokach L., Bar A. Unknown malware detection using network traffic classification. 2015 IEEE Conference on Communications and Network Security (CNS). IEEE; 2015; pp. 134–142.
  • Berrueta Irigoyen E., Morató Osés D., Magaña Lizarrondo E., Izal Azcárate M. A survey on detection techniques for cryptographic ransomware. IEEE Access. 2019; 7:144925–144944.
  • Brewer R. Ransomware attacks: detection, prevention and cure. Network Security. 2016; 2016(9):5–9.
  • Cabaj K., Gregorczyk M., Mazurczyk W. Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics. Computers & Electrical Engineering. 2018; 66:353–368.
  • Cabaj K., Mazurczyk W. Using software-defined networking for ransomware mitigation: the case of CryptoWall. IEEE Netw. 2016; 30(6):14–20.
  • Chadha S., Kumar U. Ransomware: let's fight back! 2017 International Conference on Computing, Communication and Automation (ICCCA). IEEE; 2017; pp. 925–930.
  • Chen Q., Bridges R.A. Automated behavioral analysis of malware: a case study of WannaCry ransomware. 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA). 2017; pp. 454–460.
  • Chung M. Why employees matter in the fight against ransomware. Computer Fraud & Security. 2019; 2019(8):8–11.
  • Cicala F., Bertino E. Analysis of encryption key generation in modern crypto ransomware. IEEE Trans Dependable Secure Comput. 2020:1–1. doi: 10.1109/TDSC.2020.3005976.
  • Cohen A., Nissim N. Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Syst Appl. 2018; 102:158–178.
  • Continella A., Guagnelli A., Zingaro G., Pasquale G.D., Barenghi A., Zanero S., Maggi F. ShieldFS: a self-healing, ransomware-aware filesystem. Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016; pp. 336–347.
  • Cosic J., Schlehuber C., Morog D. New challenges in forensic analysis in railway domain. 2019 IEEE 15th International Scientific Conference on Informatics. 2019; pp. 000061–000064.
  • Creating a simple free malware analysis environment. 2017. https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html
  • Curran K. Cyber security and the remote workforce. Computer Fraud & Security. 2020; 2020(6):11–12.
  • Cusack G., Michel O., Keller E. Machine learning-based detection of ransomware using SDN. Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. 2018; pp. 1–6.
  • File I/O. 2021. https://www.pcmag.com/encyclopedia/term/file-io
  • Canadian Centre for Cyber Security. Ransomware: how to prevent and recover (ITSAP.00.099). 2018. https://www.cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099
  • Dargahi T., Dehghantanha A., Bahrami P.N., Conti M., Bianchi G., Benedetto L. A cyber-kill-chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques. 2019; 15:277–305.
  • Delgado-Mohatar O., Sierra-Cámara J., Anguiano E. Blockchain-based semi-autonomous ransomware. Future Generation Computer Systems. 2020.
  • Genç Z., Lenzini G., Ryan P. No random, no ransom: a key to stop cryptographic ransomware. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer; 2018; pp. 234–255.
  • Gomez-Hernandez J., Alvarez-Gonzalez L., Garcia-Teodoro P. R-Locker: thwarting ransomware action through a honeyfile-based approach. Computers & Security. 2018; 73:389–398.
  • Groenewegen A., Alqabandi M., Elamin M., Paardekooper P. A behavioral analysis of the ransomware strain Nefilim. 2020.
  • Güera D., Delp E. Deepfake video detection using recurrent neural networks. 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS). IEEE; 2018; pp. 1–6.
  • Hakak S., Khan W., Gilkar G., Assiri B., Alazab M., Bhattacharya S., Reddy G. Recent advances in blockchain technology: a survey on applications and challenges. arXiv preprint arXiv:2009.05718. 2020.
  • Hakak S., Khan W., Gilkar G., Imran M., Guizani N. Securing smart cities through blockchain technology: architecture, requirements, and challenges. IEEE Netw. 2020; 34(1):8–14.
  • Hakak S., Khan W., Imran M., Choo K., Shoaib M. Have you been a victim of COVID-19-related cyber incidents? Survey, taxonomy, and mitigation strategies. IEEE Access. 2020; 8:124134–124144.
  • Hakak S., Ray S., Khan W., Scheme E. A framework for edge-assisted healthcare data analytics using federated learning. 2020.
  • Hakak S., Khan W.Z., Gilkar G.A., Haider N., Imran M., Alkatheiri M.S. Industrial wastewater management using blockchain technology: architecture, requirements, and future directions. IEEE Internet of Things Magazine. 2020; 3(2):38–43.
  • Hassan N. Ransomware families. In: Ransomware Revealed. Springer; 2019; pp. 47–68.
  • Homayoun S., Dehghantanha A., Ahmadzadeh M., Hashemi S., Khayami R., Choo K., Newton D. DRTHIS: deep ransomware threat hunting and intelligence system at the fog layer. Future Generation Computer Systems. 2019; 90:94–104.
  • Huang J., Xu J., Xing X., Liu P., Qureshi M.K. FlashGuard: leveraging intrinsic flash properties to defend against encryption ransomware. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017; pp. 2231–2244.
  • Hull G., John H., Arief B. Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Sci. 2019; 8(1):2.
  • Jain G., Rani N. Awareness learning analysis of malware and ransomware in Bitcoin. Springer Singapore; 2020; pp. 765–776.
  • Javaheri D., Hosseinzadeh M., Rahmani A. Detection and elimination of spyware and ransomware by intercepting kernel-level system routines. IEEE Access. 2018; 6:78321–78332.
  • Jung S., Won Y. Ransomware detection method based on context-aware entropy analysis. Soft Comput. 2018; 22(20):6731–6740.
  • Kara I., Aydos M. Cyber fraud: detection and analysis of the crypto-ransomware. 2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). 2020; pp. 0764–0769.
  • Karapapas C., Pittaras I., Fotiou N., Polyzos G.C. Ransomware as a service using smart contracts and IPFS. 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). 2020; pp. 1–5.
  • Kathareios G., Anghel A., Mate A., Clauberg R., Gusat M. Catch it if you can: real-time network anomaly detection with low false alarm rates. 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA). 2017. doi: 10.1109/icmla.2017.00-36.
  • Keijzer N. The new generation of ransomware: an in-depth study of Ransomware-as-a-Service. University of Twente; 2020.
  • Khammas B. Ransomware detection using random forest technique. ICT Express. 2020; 6(4):325–331.
  • Khan F., Ncube C., Ramasamy L.K., Kadry S., Nam Y. A digital DNA sequencing engine for ransomware detection using machine learning. IEEE Access. 2020; 8:119710–119719. doi: 10.1109/ACCESS.2020.3003785.
  • Kharaz A., Arshad S., Mulliner C., Robertson W., Kirda E. UNVEIL: a large-scale, automated approach to detecting ransomware. 25th USENIX Security Symposium (USENIX Security 16). 2016; pp. 757–772.
  • Kharraz A., Kirda E. Redemption: real-time protection against ransomware at end-hosts. International Symposium on Research in Attacks, Intrusions, and Defenses. Springer; 2017; pp. 98–119.
  • Kim D., Lee J. Blacklist vs. whitelist-based ransomware solutions. IEEE Consum. Electron. Mag. 2020; 9(3):22–28. doi: 10.1109/MCE.2019.2956192.
  • Kok S., Abdullah A., Jhanjhi N. Early detection of crypto-ransomware using pre-encryption detection algorithm. Journal of King Saud University - Computer and Information Sciences. 2020.
  • Kok S., Abdullah A., Jhanjhi N., Supramaniam M. Prevention of crypto-ransomware using a pre-encryption detection algorithm. Computers. 2019; 8(4):79.
  • Kok S., Abdullah A., Jhanjhi N., Supramaniam M. Ransomware, threat and detection techniques: a review. Int. J. Comput. Sci. Netw. Secur. 2019; 19(2):136.
  • Kolodenker E., Koch W., Stringhini G., Egele M. PayBreak: defense against cryptographic ransomware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 2017; pp. 599–611.
  • Komatwar R., Kokare M. A survey on malware detection and classification. Journal of Applied Security Research. 2020:1–31.
  • Lallie H., Shepherd L., Nurse J., Erola A., Epiphaniou G., Maple C., Bellekens X. Cyber security in the age of COVID-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic. arXiv preprint arXiv:2006.11929. 2020.
  • Lee K., Lee S., Yim K. Machine learning based file entropy analysis for ransomware detection in backup systems. IEEE Access. 2019; 7:110205–110215.
  • Lee K., Yim K., Seo J. Ransomware prevention technique using key backup. Concurrency and Computation: Practice and Experience. 2018; 30(3):e4337.
  • Liu X., Li H., Xu G., Lu R., He M. Adaptive privacy-preserving federated learning. Peer-to-Peer Networking and Applications. 2020.
  • Sophos Ltd. Paying the ransom doubles cost of recovering from a ransomware attack, according to Sophos. 2020. https://www.globenewswire.com/news-release/2020/05/12/2031961/0/en/Paying-the-Ransom-Doubles-Cost-of-Recovering-from-a-Ransomware-Attack-According-to-Sophos.html
  • Mackenzie P. WannaCry aftershock. Sophos, available online: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf. 2019.
  • Maimó L., Celdran A., Gomez A., Clemente F., Weimer J., Lee I. Intelligent and dynamic ransomware spread detection and mitigation in integrated clinical environments. Sensors. 2019; 19(5):1114. doi: 10.3390/s19051114.
  • Manavi F., Hamzeh A. A new method for ransomware detection based on PE header using convolutional neural networks. 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC). 2020. doi: 10.1109/ISCISC51277.2020.9261903.
  • Mattei T. Privacy, confidentiality, and security of health care information: lessons from the recent WannaCry cyberattack. World Neurosurg. 2017; 104:972–974.
  • McIntosh T., Watters P., Kayes A., Ng A., Chen Y. Enforcing situation-aware access control to build malware-resilient file systems. Future Generation Computer Systems. 2021; 115:568–582. doi: 10.1016/j.future.2020.09.035.
  • Mehnaz S., Mudgerikar A., Bertino E. RWGuard: a real-time detection system against cryptographic ransomware. International Symposium on Research in Attacks, Intrusions, and Defenses. Springer; 2018; pp. 114–136.
  • Meland P., Bayoumy Y., Sindre G. The ransomware-as-a-service economy within the darknet. Computers & Security. 2020:101762.
  • Min D., Park D., Ahn J., Walker R., Lee J., Park S., Kim Y. Amoeba: an autonomous backup and recovery SSD for ransomware attack defense. IEEE Comput. Archit. Lett. 2018; 17(2):245–248.
  • Monika, Zavarsky P., Lindskog D. Experimental analysis of ransomware on Windows and Android platforms: evolution and characterization. Procedia Comput Sci. 2016; 94:465–472.
  • Moore C. Detecting ransomware with honeypot techniques. 2016 Cybersecurity and Cyberforensics Conference (CCC). IEEE; 2016; pp. 77–81.
  • Morato D., Berrueta E., Magaña E., Izal M. Ransomware early detection by the analysis of file sharing traffic. Journal of Network and Computer Applications. 2018; 124:14–32.
  • Mukherjee M., Shu L., Wang D. Survey of fog computing: fundamental, network applications, and research challenges. IEEE Communications Surveys & Tutorials. 2018; 20(3):1826–1857.
  • Muslim A., Dzulkifli D., Nadhim M.H., Abdellah R. A study of ransomware attacks: evolution and prevention. 2019.
  • Nadir I., Bakhshi T. Contemporary cybercrime: a taxonomy of ransomware threats mitigation techniques. 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET). 2018; pp. 1–7.
  • Nahmias D., Cohen A., Nissim N., Elovici Y. Deep feature transfer learning for trusted and automated malware signature generation in private cloud environments. Neural Networks. 2020; 124:243–257.
  • Naseer A., Mir R., Mir A., Aleem M. Windows-based ransomware: a survey. Journal of Information Assurance & Security. 2020; 15(3).
  • Natanzon A., Derbeko P., Stern U., Bakshi M., Manusov Y. Ransomware detection using I/O patterns. US Patent 10,078,459. 2018.
  • Or-Meir O., Nissim N., Elovici Y., Rokach L. Dynamic malware analysis in the modern era: a state of the art survey. ACM Computing Surveys (CSUR). 2019; 52(5):1–48.
  • Or-Meir O., Nissim N., Elovici Y., Rokach L. Dynamic malware analysis in the modern era: a state of the art survey. ACM Comput. Surv. 2019; 52(5). doi: 10.1145/3329786.
  • Palanisamy R., Norman A., Kiah M. BYOD policy compliance: risks and strategies in organizations. Journal of Computer Information Systems. 2020:1–12.
  • Parkinson S. Use of access control to minimise ransomware impact. Network Security. 2017; 2017(7):5–8.
  • Pham Q., Fang F., Ha V., Piran M., Le M., Le L., Hwang W., Ding Z. A survey of multi-access edge computing in 5G and beyond: fundamentals, technology integration, and state-of-the-art. IEEE Access. 2020; 8:116974–117017.
  • Poudyal S., Dasgupta D., Akhtar Z., Gupta K. A multi-level ransomware detection framework using natural language processing and machine learning. 14th International Conference on Malicious and Unwanted Software (MALCON). 2019.
  • Poudyal S., Subedi K.P., Dasgupta D. A framework for analyzing ransomware using machine learning. 2018 IEEE Symposium Series on Computational Intelligence (SSCI). IEEE; 2018; pp. 1692–1699.
  • Pranggono B., Arabo A. COVID-19 pandemic cybersecurity issues. Internet Technology Letters. 2020. doi: 10.1002/itl2.247.
  • Puat H., Rahman N. Ransomware as a service and public awareness. PalArch's Journal of Archaeology of Egypt/Egyptology. 2020; 17(7):5277–5292.
  • Qin B., Wang Y., Ma C. API call based ransomware dynamic detection approach using TextCNN. 2020 International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE). 2020; pp. 162–166.
  • Quinkert F., Holz T., Hossain K., Ferrara E., Lerman K. Raptor: ransomware attack predictor. 2018a. arXiv:1803.01598.
  • Quinkert F., Holz T., Hossain K., Ferrara E., Lerman K. Raptor: ransomware attack predictor. arXiv preprint arXiv:1803.01598. 2018.
  • Ramesh G., Menen A. Automated dynamic approach for detecting ransomware using finite-state machine. Decis Support Syst. 2020; 138 :113400. [ Google Scholar ]
  • Richardson R., North M. Ransomware: evolution, mitigation and prevention. International Management Review. 2017; 13 (1):10–21. [ Google Scholar ]
  • Saeed M. Malware in computer systems: problems and solutions. IJID (International Journal on Informatics for Development) 2020; 9 (1):1–8. [ Google Scholar ]
  • Salehi S., Shahriari H., Ahmadian M.M., Tazik L. 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC) 2018. A novel approach for detecting dga-based ransomwares; pp. 1–7. [ CrossRef ] [ Google Scholar ]
  • Scaife N., Carter H., Traynor P., Butler K.R.B. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS) 2016. Cryptolock (and drop it): Stopping ransomware attacks on user data; pp. 303–312. [ CrossRef ] [ Google Scholar ]
  • Sgandurra D., Muñoz-González L., Mohsen R., Lupu E.C. Automated dynamic analysis of ransomware: benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020. 2016 [ Google Scholar ]
  • Sharafaldin I., Lashkari A., Hakak S., Ghorbani A. 2019 International Carnahan Conference on Security Technology (ICCST) IEEE; 2019. Developing realistic distributed denial of service (ddos) attack dataset and taxonomy; pp. 1–8. [ Google Scholar ]
  • Sharmeen S., Ahmed Y.A., Huda S., Koçer B.A., Hassan M.M. Avoiding future digital extortion through robust protection against ransomware threats using deep learning based adaptive approaches. IEEE Access. 2020; 8 :24522–24534. doi: 10.1109/ACCESS.2020.2970466. [ CrossRef ] [ Google Scholar ]
  • Shaukat S., Ribeiro V. 2018 10th International Conference on Communication Systems & Networks (COMSNETS) IEEE; 2018. Ransomwall: A layered defense system against cryptographic ransomware attacks using machine learning; pp. 356–363. [ Google Scholar ]
  • Shijo P., Salim A. Integrated static and dynamic analysis for malware detection. Procedia Comput Sci. 2015; 46 :804–811. [ Google Scholar ]
  • Silva J., Hernandez-Alvarez M. 2017 IEEE Second Ecuador Technical Chapters Meeting (ETCM) IEEE; 2017. Large scale ransomware detection by cognitive security; pp. 1–4. [ Google Scholar ]
  • Srinivasan C. Hobby hackers to billion-dollar industry: the evolution of ransomware. Computer Fraud & Security. 2017; 2017 (11):7–9. doi: 10.1016/S1361-3723(17)30081-7. [ CrossRef ] [ Google Scholar ]
  • Tailor J., Patel A. A comprehensive survey: ransomware attacks prevention, monitoring and damage control. International Journal of Research and Scientific Innovation (IJRSI) 2017; 4 :2321–2705. [ Google Scholar ]
  • Takeuchi Y., Sakai K., Fukumoto S. Proceedings of the 47th International Conference on Parallel Processing Companion. 2018. Detecting ransomware using support vector machines; pp. 1–6. [ Google Scholar ]
  • Thezoo, 2021 https://github.com/ytisf/theZoo/tree/master/malwares/Binaries .
  • Thomas J. Individual cyber security: empowering employees to resist spear phishing to prevent identity theft and ransomware attacks. Thomas, JE (2018). Individual cyber security: Empowering employees to resist spear phishing to prevent identity theft and ransomware attacks. International Journal of Business Management. 2018; 12 (3):1–23. [ Google Scholar ]
  • Thomas J., Galligher G. Improving backup system evaluations in information security risk assessments to combat ransomware. Computer and Information Science. 2018; 11 (1) [ Google Scholar ]
  • url, 2021 https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year.aspx .
  • Walker A., Sengupta S. MILCOM 2019-2019 IEEE Military Communications Conference (MILCOM) IEEE; 2019. Insights into malware detection via behavioral frequency analysis using machine learning; pp. 1–6. [ Google Scholar ]
  • Wang Z., Huang D., Zhu Y., Li B., Chung C. Efficient attribute-based comparable data access control. IEEE Trans. Comput. 2015; 64 (12):3430–3443. [ Google Scholar ]
  • What is the difference between api and system call. 2018 https://pediaa.com/what-is-the-difference-between-api-and-system-call .
  • Wilner A., Jeffery A., Lalor J., Matthews K., Robinson K., Rosolska A., Yorgoro C. On the social science of ransomware: technology, security, and society. Comparative Strategy. 2019; 38 (4):347–370. [ Google Scholar ]
  • Yang Q., Liu Y., Chen T., Tong Y. Federated machine learning: concept and applications. ACM Transactions on Intelligent Systems and Technology (TIST) 2019; 10 (2):1–19. [ Google Scholar ]
  • Yaqoob I., Ahmed E., ur Rehman M., Ahmed A., Al-garadi M., Imran M., Guizani M. The rise of ransomware and emerging security challenges in the internet of things. Comput. Networks. 2017; 129 :444–458. [ Google Scholar ]
  • Zhang B., Xiao W., Xiao X., Sangaiah A., Zhang W., Zhang J. Ransomware classification using patch-based cnn and self-attention network on embedded n-grams of opcodes. Future Generation Computer Systems. 2020; 110 :708–720. [ Google Scholar ]
  • Zhang-Kennedy L., Assal H., Rocheleau J., Mohamed R., Baig K., Chiasson S. 27th { USENIX } Security Symposium ( { USENIX } Security 18) 2018. The aftermath of a crypto-ransomware attack at a large academic institution; pp. 1061–1078. [ Google Scholar ]
  • Zimba A., Mulenga M. A dive into the deep: demystifying wannacry crypto ransomware network attacks via digital forensics. International Journal on Information Technologies and Security. 2018; 10 :57–68. [ Google Scholar ]
  • Zimba A., Wang Z., Chen H., Mulenga M. Recent advances in cryptovirology: state-of-the-art crypto mining and crypto ransomware attacks. KSII Trans. Internet Inf. Syst. 2019; 13 :3258–3279. doi: 10.3837/tiis.2019.06.027. [ CrossRef ] [ Google Scholar ]


https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/case-study-series

Small Business Cybersecurity Corner

Small business cybersecurity case study series.

Ransomware, phishing, and ATM skimming are just a few very common and very damaging cybersecurity threats that Small Businesses need to watch out for. The following Case Studies were created by the National Cyber Security Alliance , with a grant from NIST, and should prove useful in stimulating ongoing learning for all business owners and their employees.

  • Case 1: A Business Trip to South America Goes South Topic: ATM Skimming and Bank Fraud
  • Case 2: A Construction Company Gets Hammered by a Keylogger Topic: Keylogging, Malware and Bank Fraud
  • Case 3: Stolen Hospital Laptop Causes Heartburn Topic: Encryption and Business Security Standards
  • Case 4: Hotel CEO Finds Unwanted Guests in Email Account Topic: Social Engineering and Phishing
  • Case 5: A Dark Web of Issues for a Small Government Contractor Topic: Data Breach

7 real and famous cases of ransomware attacks

  • Updated at March 19, 2021
  • Threat Research , Blog


Ransomware is a type of malware that hijacks files or systems and blocks access to them. Ransomware is a hijacker: using encryption, it holds files and systems hostage. In theory, once the victim pays the ransom, they receive the decryption key that releases the blocked files or systems.

We say "in theory" because, in many cases, the victim pays the amount demanded and still never receives the key. The ransom is usually demanded in cryptocurrency, such as bitcoin or monero, precisely to make the cybercriminal harder to track.

Ransomware has been terrifying individuals and, above all, companies for about 30 years. Worse, over time these threats have become more advanced and sophisticated: new tactics and technologies are used to evade detection solutions, to encrypt more types of files, or to convince the user to pay the ransom.

Both the FBI and Europol point to ransomware as one of the main threats in the digital world. In fact, the European agency has called ransomware a key cybercrime threat for years. The US agency reported that, in 2020, about 2,474 ransomware attacks were registered worldwide, resulting in losses of more than USD 29 million.

The examples of ransomware attacks listed below show how these attacks work and give an idea of the damage ransomware does to companies and people. In this article, we cover the following examples of ransomware:


Check out 7 examples of ransomware attacks

1. Ryuk, 2019 and 2020

Like most ransomware infections, Ryuk is spread mainly via malicious (phishing) emails containing dangerous links and attachments. The ransom demanded to release an entire system can exceed USD 300,000, making Ryuk one of the most expensive ransomware families in history, well above the average.

According to the FBI, Ryuk attacks have already caused more than USD 60 million in damage worldwide since this ransomware gained prominence in 2018, when it halted the operations of major newspapers in the United States. More than 100 companies have suffered attacks.

In 2020, for example, EMCOR Group (an engineering and industrial construction company) and Epiq Global (a legal services company) suffered incidents involving Ryuk.

An interesting detail is that Ryuk's ransom notes contain contact email addresses ending in @protonmail.com or @tutanota.com. The victim has to send a message to find out how much they must pay for the decryption key.

2. SamSam, 2018

SamSam ransomware was first identified a few years ago, more precisely in late 2015. But it was in 2018 that it gained much more prominence, after infecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego in the U.S. and abruptly halting their services.

In the same year, two Iranian hackers were accused of using SamSam against more than 200 organizations and companies in the U.S. and Canada, including hospitals, municipalities and public institutions. Losses from the attacks are estimated at USD 30 million.

The city of Atlanta alone spent more than USD 2 million to repair the damage. Hancock Health, an Indiana hospital, paid a ransom of USD 55,000. To spread, this ransomware often exploits weaknesses in Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP) services.

A curious fact about SamSam is that the victim is asked to make a first payment for a first key, which unlocks only a few machines. It is meant to serve as a sign of good faith.

"With buying the first key you will find that we are honest", says the ransomware message. Would you believe that?


3. WannaCry, 2017

One of the most devastating ransomware attacks in history in terms of total losses was caused by WannaCry, launched in 2017. Losses were estimated at the time at USD 4 billion. The amount demanded to release each machine was around USD 300.

WannaCry spread via email scams, or phishing. Worldwide, more than 200 thousand people and companies were affected, including FedEx, Telefonica, Nissan and Renault. WannaCry exploits a vulnerability in Windows.

Incidentally, even today there are phishing emails claiming that you have been infected by WannaCry and demanding a ransom payment. They are plain emails with no attached files. Pay attention!

4. Petya, 2016

Petya is a ransomware family that began to propagate in 2016 via emails with malicious attachments. Since its launch, different variants of Petya are estimated to have caused more than USD 10 billion in financial losses.

Petya works by infecting the boot record of machines running Windows, which blocks the entire operating system. To unlock it, a ransom of around USD 300 per user must be paid.

This ransomware affected a range of organizations around the world, including banks and companies in transportation, oil, food and health. Examples include the National Bank of Ukraine, Mondelez (a food company), Merck (a pharmaceutical company) and Rosneft (an oil company).

5. TeslaCrypt, 2015

Like other types of ransomware, TeslaCrypt has several versions. Its attacks became famous because, in the beginning, it targeted game files, blocking saved maps and user profiles, for example, in games such as Call of Duty, Minecraft and Warcraft.

Later versions of TeslaCrypt were also able to encrypt other file types, such as PDF and Word documents.

In any case, the victim was forced to pay at least USD 250 to release the files, and in some cases the hijacker demanded USD 500 per machine.

6. CryptoLocker, 2013

The CryptoLocker ransomware is on our list because it was a milestone for its time. When it was launched in 2013, CryptoLocker used a large, non-standard encryption key, which challenged cybersecurity experts.

This ransomware is believed to have caused losses of more than USD 3 million, infecting more than 200 thousand Windows-based computers. CryptoLocker was distributed mainly via email, using malicious files.

7. AIDS Trojan or PC Cyborg, 1989

AIDS Trojan, also known as PC Cyborg, is the first recorded ransomware in history. That is why its creator, Joseph Popp, a Harvard-trained biologist, can be considered the father of ransomware.

AIDS Trojan was distributed on infected floppy disks, which were sent to participants at the World Health Organization's international AIDS conference in Stockholm, Sweden, in 1989.

After hiding file directories and scrambling file names, this ransomware asked the victim to send USD 189 to a mailbox in Panama, and only then could the data be recovered. But because its encryption was weak, it caused no major problems.


Ransomware fighting project: No More Ransom

Have you heard of the No More Ransom (NMR) project? It is a worldwide initiative by Europol and several government agencies and cybersecurity companies to fight ransomware. Gatefy is a partner of the project.

No More Ransom helps victims of ransomware infections recover blocked data without having to pay the ransom. For more information, visit nomoreransom.org.

Email is the primary vector for ransomware attacks: invest in protection

In the case of a ransomware intrusion, the recommendation is not to pay the requested ransom. As seen in the cases and examples of ransomware attacks presented above, the main delivery method for ransomware is email. In fact, email is the platform most used by cybercriminals to commit fraud and scams.

To address this security problem, Gatefy offers an email gateway solution that protects companies of all sizes against various types of threats, including ransomware, malware, phishing and BEC (Business Email Compromise). It is based on artificial intelligence and machine learning, and it is compatible with several email providers, such as Office 365, G Suite, Exchange and Zimbra.

We also offer a DMARC-based anti-fraud solution, so that you have control and visibility over the use of your business's domain.


Lockbit ransomware gang's origins, tactics and past targets - and what next after policing breakthrough

The provider of the world's top ransomware threat may have finally been thwarted by Operation Cronos, an international policing effort to hack the hackers led by the UK. Here's everything you need to know about the notorious criminal gang.


News reporter

Tuesday 20 February 2024 17:43, UK


An infamous cyber crime gang has been disrupted by the National Crime Agency (NCA) and a coalition of international police agencies.

Lockbit and its affiliates have hacked some of the world's largest organisations in recent months, but as of Monday their extortion website displays a message saying it is "under the control of the National Crime Agency of the UK".

Five Russian nationals have been charged .

But what is Lockbit, what are its criminal tactics and who has fallen victim to it? Here's what we know...

What Lockbit does

The gang makes money by stealing sensitive data and threatening to leak it if victims fail to pay an extortionate ransom.

Its affiliates are like-minded criminal groups that are recruited to wage attacks using Lockbit's digital extortion tools.

US officials have described Lockbit as the world's top ransomware threat. The group has hit organisations in nearly every industry, from financial services and food to schools, transportation and government departments.

The gang has caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery, according to the UK's National Cyber Security Centre (NCSC).

Lockbit's website, until Monday, displayed an ever-growing gallery of victim organisations that was updated almost daily.

Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

Lockbit ransomware has been deemed responsible for at least 1,700 attacks in the US alone by the FBI.

What are the group's tactics?

The NCSC and America's Cyber Defence Agency (ACDA) shed some light on Lockbit's tactics last year as it had become "the most deployed ransomware variant across the world".

In an extensive mitigation advisory , they described how the Lockbit operation uses a "ransomware-as-a-service" model where cyber criminals sell access to their ransomware variant to unconnected affiliates and provide them with support in carrying out attacks.

The advisory also highlighted the risk of double extortion, a common tactic used by ransomware actors, who encrypt a victim's system and steal information, then threaten to post it online unless a ransom is paid.

Lockbit's strategies are, of course, incredibly complex, but here are some summarised highlights from ACDA's advisory:

  • It has three main strains: Lockbit, Lockbit Red and Lockbit Black - and the latter is the group's signature ransomware. It scrambles computer files and demands payment in cryptocurrencies that are hard to trace in exchange for unscrambling them
  • Lockbit's core group not only allows affiliates to use its ransomware, but it lets those affiliates receive ransom payments first-hand before sending the core group a cut. This is in stark contrast to similar groups, which tend to pay themselves before affiliates
  • Its ransomware is kept simple with a point-and-click interface, making it accessible to a wide array of cyber criminals - even those with a lower degree of technical skill.

Essentially, Lockbit keeps things as simple as possible for potential affiliates because the more criminals it appeals to, the more cuts the core group gets from second-hand extortion cases.

But the group's tactics go to even greater depths, according to ACDA, essentially advertising through methods such as:

  • Disparaging other similar groups in online forums to make Lockbit look like the best ransomware on the market
  • Paying people to get Lockbit tattoos
  • Putting a $1m (£794,163) bounty on information related to the real-world identity of Lockbit's lead, who goes by the persona "LockBitSupp".

What do we know of Lockbit's origins and motives?

On its website, the group said it was "located in the Netherlands, completely apolitical and only interested in money".

But its malicious software was first discovered on Russian-language cyber crime forums in 2020, leading some security analysts to believe the gang is based in Russia.

Since then the group has been detected all over the world, with organisations in the UK, United States, India and Brazil among common targets, according to cybersecurity firm Trend Micro.


High-profile cases

With worldwide reach, Lockbit has been in the news frequently since 2020.

The most prominent case in the UK came early last year when the Royal Mail faced severe disruption after a Lockbit attack .

Royal Mail's investigation found the gang infected machines that print customs labels for parcels being sent overseas, leaving more than half a million parcels and letters stuck in limbo.

The gang also threatened to publish stolen data on the dark web, making printers at a Northern Irish Royal Mail distribution centre "spurt" out copies of the ransom note - a signature scare tactic of the gang.

Royal Mail asked customers to temporarily stop submitting any export items while the NCSC helped it resolve the issue.

Car dealership threats

The year before, Lockbit affiliates tried to hold UK car dealership group Pendragon to a $60m (£54m) ransom, but the company refused to pay up, saying the hack had not affected its ability to operate and that it "took immediate steps to contain the incident".

Children's hospital deemed a stretch too far

Another infamous incident came in December 2022 when Lockbit ransomware was used to attack SickKids in Canada, causing a system failure.

Bizarrely, the core gang claimed it released a free decryptor for the hospital to use, saying a member had broken its "policies".

It said affiliates were prohibited from encrypting medical institutions where attacks could lead to death.

Security firm hit

In August last year, Lockbit hackers allegedly acquired top secret security information on some of the country's most sensitive military sites, including the HMNB Clyde nuclear submarine base on the west coast of Scotland and the Porton Down chemical weapons lab, according to the Sunday Mirror.

Thousands of pages of data leaked onto the dark web after private security firm Zaun was targeted.

The company, which provides security fencing for sites related to the Ministry of Defence, confirmed in a statement it had been the victim of a "sophisticated cyber attack".

A Zaun spokesperson added it had taken "all reasonable measures to mitigate any attacks on our systems" and explained that it had referred the matter to the NCSC.


Latest big case

There were reports of Lockbit activity just last week, when India's Motilal Oswal Financial Services said it had detected malicious activity on the computers of some employees.

The company said it remedied the issue within an hour, adding its operations were unaffected.

"This incident has not affected any of our business operations and IT environment. It is business as usual," the company worth an estimated $15.3bn told Reuters.

What's happening now after NCA's Lockbit takeover?

The full post on Lockbit's website that went up on Monday reads: "This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, 'Operation Cronos'."

The NCA reveals details of an international disruption campaign targeting the world’s most harmful cyber crime group, Lockbit. Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime. pic.twitter.com/m00VFWkR9Z — National Crime Agency (NCA) (@NCA_UK) February 20, 2024

Europol and other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany all aided in the rare law enforcement operation.

An NCA spokesperson confirmed that the agency had disrupted the gang and said the operation was "ongoing and developing".

In a statement on Tuesday, the NCA added: "The NCA has taken control of Lockbit's primary administration environment, which enabled affiliates to build and carry out attacks, and the group's public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims.

"Instead, this site will now host a series of information exposing Lockbit's capability and operations, which the NCA will be posting daily throughout the week."


The US Department of Justice has announced two defendants accused of using Lockbit to carry out ransomware attacks have been criminally charged, are in custody, and will face trial in the US.

A representative for Lockbit posted messages on an encrypted messaging app saying it had backup servers not affected by the law enforcement action.

Related Topics

  • Cyberattacks

IMAGES

  1. Resource

    ransomware case study presentation

  2. Ransomware Case Studies

    ransomware case study presentation

  3. A Guide To Surviving Ransomware Attacks

    ransomware case study presentation

  4. Lifecycle of a Ransomware Attack

    ransomware case study presentation

  5. Ransomware PowerPoint Presentation

    ransomware case study presentation

  6. Understanding CryptoLocker (Ransomware) with a Case Study

    ransomware case study presentation

VIDEO

  1. RansomWare Project

  2. CASE STUDY PRESENTATION GROUP 2 (CC103)

  3. Ransomware gangs blackmail a billion dollars in revenue

  4. December 14, 2023

  5. Episode 5

  6. STATE OF RANSOMWARE

COMMENTS

  1. 2021 Ransomware Case Study: Identifying High Priority Security Controls

    2021 Ransomware Case Study: Identifying High Priority Security Controls for Public Institutions Three quarters through 2021 and malicious cyber actors appear to be taking full advantage of the world's rapid shift towards an even more internet-dependent society.

  2. PDF 5 Threat Series: Threat 2 Ransomware Attack Presentation

    March 2019 In Partnership With The 405(d) Aligning Health Care Industry Security Practices initiative, along with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication and this engagement are in partnership with the Healthcare & Public Health Sector Coordinating Council (HSCC) 2 Agenda 3 Time

  3. Ransomware case study: Recovery can be painful

    Home Threats and vulnerabilities Tech Accelerator What is ransomware? How it works and how to remove it Next Feature Ransomware case study: Recovery can be painful In ransomware attacks, backups can save the day and the data. Even so, recovery can still be expensive and painful, depending on the approach. Learn more in this case study. By

  4. PDF REPORT The 2023 Global Ransomware Report

    against ransomware and what potential security gaps they need to address. The top three investments respondents planned to make were in IoT security (57%), NGFWs (53%), and EDR (51%). One of the most surprising findings from Fortinet's previous survey was that the top method of entry in 2021 was email phishing, yet only a

  5. Microsoft DART ransomware case study

    04/24/2023 5 contributors Feedback In this article The attack Initial access Reconnaissance Credential theft Show 5 more Human-operated ransomware continues to maintain its position as one of the most impactful cyberattack trends world-wide and is a significant threat that many organizations have faced in recent years.

  6. The five-day job: A BlackByte ransomware intrusion case study

    Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included: Exploitation of unpatched internet-exposed Microsoft Exchange Servers.

  7. PDF Case Study: Tevora Ransomware Incident Response

    Case Study: Tevora Ransomware Incident Response 3 domain level to put the three group policies in place. These policies placed "net.exe" and variants of "1.exe"—renamed using randomly-generated names—on targeted systems, then set up scheduled tasks that would run repeatedly on the endpoints. The randomly-generated names enabled the

  8. Surviving a Ransomware Attack: A Case Study

    Perspective Surviving a Ransomware Attack: A Case Study A project manager for ABC Inc., a manufacturer with $1 billion in annual revenue and operations in 30 countries steps off the elevator at company headquarters.

  9. Ransomware Case Studies

    The individual case studies were chosen based on their global impact on organisations and high-profile media reports surrounding the attacks. 1 The case study analysis process analysed the attack methodology and the outcome of each attack to determine similarities and evolutionary changes between each subsequent attack.

  10. Surviving a ransomware attack: a case study

    Surviving a ransomware attack: a case study A project manager for ABC Inc., a manufacturer with $1 billion in annual revenue and operations in 30 countries steps off the elevator at company headquarters. She's returning to her office after a lunch break and is eager to get back to work on a major order for a large client that is due next week.

  11. PDF NotPetya: A Columbia University Case Study

    This case study focuses on Maersk's response as its computer systems were rapidly compromised. It discusses how aspects of the company's cybersecurity program affected the propagation of the NotPetya malware, as well as its impact on Maersk's operations for days following the attack.

  12. An empirical study of ransomware attacks on organizations: an

    Abstract. This study looks at the experiences of organizations that have fallen victim to ransomware attacks. Using quantitative and qualitative data of 55 ransomware cases drawn from 50 organizations in the UK and North America, we assessed the severity of the crypto-ransomware attacks experienced and looked at various factors to test if they had an influence on the degree of severity.

  13. Cyber Case Study: UVM Health Network Ransomware Attack

    In October 2020, the University of Vermont (UVM) Health Network—a six-hospital health care organization that serves over 1 million patients throughout Vermont and upstate New York—discovered that its systems had been compromised by cybercriminals in a ransomware attack.

  14. Seamless Response to Ransomware

    A major logistics company was hit by a ransomware attack at a time when it was reviewing and upgrading its cybersecurity defense. Kroll provided seamless incident response to enable the company to act quickly to mitigate and minimize the damage caused by the attack. The company also deployed Kroll Responder, Kroll's award-winning Managed ...

  15. PDF EMERGING INSIGHTS Ransomware: A Perfect Storm

    This paper explores the lifecycle of a ransomware attack and presents recent case studies. It then outlines potential interventions that may be required to reduce the threat, highlighting the complexities associated with payments and recovery. It concludes by proposing policy options for governments, law enforcement and businesses to consider.

  16. Ransomware Simulations: Hands-on Case Studies

    Papers & Presentations. Authors: Ali Hadi and Mariam Khader. DFRWS USA 2023. Bio: Dr. Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time ...

  17. Ransomware: Recent advances, analysis, challenges and future research

    Introduction: The COVID-19 pandemic has led to an increase in the rate of cyberattacks. As the workplace paradigm shifted to home-based scenarios, resulting in weaker security controls, attackers lured people through COVID-19-themed ransomware phishing emails.

  18. Case Study: WannaCry Ransomware

    WannaCry affected over 350,000 devices in the span of four days in 2017. It exploited a vulnerability in the Windows Server Message Block (SMB) implementation. WannaCry used RSA and AES encryption to encrypt a ...

  19. (PDF) Ransomware Attacks: Critical Analysis, Threats ...

    A study by Kaspersky found that for 2014-2015, ransomware attacks increased by 17.7 percent, but crypto ransomware attacks increased by 448 percent (Townsend, 2016).

  20. Ransomware attacks

    Apr 26, 2018. Healthcare. The case studies in this presentation are real-life examples of ransomware attacks on health care organizations, and are intended to help physicians respond appropriately when this type of cyber crime occurs.

  21. Small Business Cybersecurity Case Study Series

    Case 1: A Business Trip to South America Goes South (Topic: ATM Skimming and Bank Fraud)
    Case 2: A Construction Company Gets Hammered by a Keylogger (Topic: Keylogging, Malware and Bank Fraud)
    Case 3: Stolen Hospital Laptop Causes Heartburn (Topic: Encryption and Business Security Standards)
    Case 4: Hotel CEO Finds Unwanted Guests in Email Account

  22. Ransomware

    Ransomware defined: Malware locks the user out of their system and demands a ransom. Creates a "zombie computer" operated remotely. Individuals and businesses are targeted. This form of extortion works on the assumption that the data is important enough to the user that they are willing to pay for recovery. There is however no guarantee of actual recov...

  23. 7 real and famous cases of ransomware attacks

    1. Ryuk, 2019 and 2020. Like most ransomware infections, Ryuk spreads mainly via malicious (phishing) emails containing dangerous links and attachments. The ransom demanded to release an entire system can exceed USD 300,000, making Ryuk one of the most expensive ransomware families in history, well above the average.

  24. Lockbit ransomware gang's origins, tactics and past targets

    The provider of the world's top ransomware threat may have finally been thwarted by Operation Cronos, an international policing effort to hack the hackers led by the UK. Here's everything you need ...