Crash Course on Ransomware

June 22, 2017 JAI CHANDARANA

Recently, a major cyber-attack, the WannaCry ransomware, spread across the world like wildfire. It impacted major corporations such as FedEx, Hitachi and Nissan, universities in China, and the National Health Service (NHS) in the UK, among many other organizations worldwide. So, what is ransomware?

Per Trend Micro, the definition of ransomware is

“a type of malware that prevents or limits users from accessing their systems, either by locking the system’s screen or by locking the users’ files unless a ransom is paid.”

Despite the grand scale of the WannaCry attack, ransomware is not actually a new concept: the first known extortion attack of this kind, the 'AIDS Trojan', was discovered back in 1989. In more recent years, cyber criminals have repeatedly revisited the same idea on a far larger scale to extort money. In 2016 alone, nine major ransomware campaigns were identified and stopped. These attacks arrived through a variety of sources and vectors, such as files shared via Dropbox, malicious JavaScript, and torrents.

There are two main types of ransomware. Locker ransomware locks users out of their devices, typically by taking over the screen, while crypto-ransomware encrypts files, folders, or even entire hard drives and withholds the key until a ransom is paid. The large-scale WannaCry attack was crypto-ransomware. It also scans for TCP port 445, the Server Message Block (SMB) port used by networked Windows computers, and spreads like a worm: it can quickly compromise hosts, encrypt the files stored on them, and then demand a ransom payment in Bitcoin.

Amounts sought in a ransomware attack vary: the ransom demand might be less than $500, or it could exceed $10,000. Why such a range? In 2016, a research study conducted by Osterman Research Inc. and sponsored by Malwarebytes found that the ransom amount depends on the type of system or information that is compromised, and that location plays a role as well. The survey covered 540 organizations: 165 in the United States, with the rest evenly spread among Germany, Canada and the United Kingdom (125 in each). Surprisingly, the higher demands were made outside of the United States. Ransom demands of more than $10,000 were most common in Germany, at 48%, followed by the United Kingdom at 22%, the United States at 18% and finally Canada at 14%.


Of course, not all companies agree to pay the ransom demanded by cybercriminals. In fact, the same study states that only 37% of organizations agreed to pay, with wide variation by country: 75% of the Canadian organizations paid, 58% in the United Kingdom, while only 3% of United States organizations chose to do so. The study also found that the most common attack vectors in the United States (59%) and Germany (60%) were some form of email communication, i.e. an email link (31% in the US) or an email attachment (28% in the US). Social media and USB sticks represented only small minorities of attack vectors in the United States, at just 4% and 3% of ransomware attacks respectively.


It’s human nature to be curious; that urge has been around for ages and evolves as society progresses. In the cyber world, this curiosity can lead to the discovery of loopholes in technology and software and to the exploitation of their vulnerabilities. Unfortunately, the motive is not always pure, as attacks can be financial, political or personal revenge, and ransomware continues to grow more refined. But there are things we can do to combat it. Because this malware can scan and spread quickly, it is essential for organizations to ensure that devices running Windows are patched with the latest available updates; for WannaCry specifically, that means the SMB fix Microsoft released as MS17-010 in March 2017. Organizations should also block the Server Message Block (SMB) ports 139 and 445 on all hosts that are reachable from the internet, which removes the path a worm would use to reach vulnerable, externally facing hosts. Good business practice further includes comprehensive security awareness training for employees and an incident response plan; when in place, these help minimize the impact of a cyber-attack. Although social media and USB sticks account for only a small share of the vectors exploited in ransomware attacks (in the US), those numbers could be reduced even further with proper user education.
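The propagation behaviour described earlier (one host touching TCP 445 on many neighbours in quick succession) and the SMB advice in this paragraph can be turned into a simple detection. The following Python script is an added example, not code from the original post: it reads connection-log lines in a hypothetical space-separated format (timestamp, source, destination, destination port) and flags any source that reaches at least ten distinct hosts on port 139 or 445 within a 60-second window. The sample lines are constructed, and the log format, threshold and window are assumptions to be adjusted to your own firewall or NetFlow export.

```python
"""Flag worm-like SMB scanning in connection logs.

A host that is spreading WannaCry-style malware opens TCP 445 (or 139)
connections to many distinct neighbours in a short time. This script finds
sources whose number of distinct SMB destinations inside a sliding window
exceeds a threshold. Log format, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample log lines (hypothetical format: ISO timestamp, src, dst, dport).
# 10.0.0.5 sweeps twelve hosts in six seconds; 10.0.0.7 repeatedly talks to one
# file server; 10.0.0.8 uses HTTPS; 10.0.0.9 touches only three hosts.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.26 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.27 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.28 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.29 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.30 445
2017-05-12T10:00:06 10.0.0.5 10.0.0.31 445
2017-05-12T10:00:07 10.0.0.7 10.0.0.50 445
2017-05-12T10:00:08 10.0.0.7 10.0.0.50 445
2017-05-12T10:00:09 10.0.0.8 10.0.0.60 443
2017-05-12T10:05:00 10.0.0.9 10.0.0.70 445
2017-05-12T10:05:01 10.0.0.9 10.0.0.71 445
2017-05-12T10:05:02 10.0.0.9 10.0.0.72 445
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], dport


def detect_smb_scanners(lines, window_seconds=60, threshold=10):
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on an SMB port within any window of
    `window_seconds`. Malformed lines and non-SMB ports are ignored."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in SMB_PORTS:
            continue
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological; tuples sort by timestamp first
        peak = 0
        # Start a window at each event and count distinct destinations inside it.
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in detect_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT possible SMB worm propagation: {src} reached "
              f"{count} distinct hosts on 139/445 within 60s")
```

Real propagation is far faster than the constructed sample, so the defaults err on the side of catching slow sweeps; tune the threshold so that legitimate sources that legitimately touch many hosts on 445 (vulnerability scanners, backup servers, SCCM-style management hosts) are excluded by an allow-list rather than by raising the threshold for everyone.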

With an estimated $209 million collected by cyber criminals in the first three months of 2016 alone, online extortion is on the verge of becoming a billion-dollar industry. Whether to pay the ransom depends on a variety of factors, such as the criticality of the data, the ransom amount and the available alternatives (above all, tested backups); however, not paying could have an enormous impact on a company’s operations if the compromised files contain vital information such as PHI or PII. Paying offers no guarantee that a working decryption key will ever be delivered, which is why offline, tested backups are the decisive factor. We live in an era in which IT security should no longer be considered a ‘nice-to-have’ feature but treated as a top priority with real urgency. As cyber-attacks continue, investment in protection and active involvement from executive leadership are vital to minimize the losses that may be incurred.
