What is Ransomware?

Ransomware is a devastating type of malware with global damage projected to cost organizations $265 billion by 2031. Get the information you need to prevent infections, and find what to do if you are hit.

Get the Manual

Defining Ransomware

Ransomware is defined as vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid. Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach.

September 2013 is when ransomware went pro. It typically gets installed on a user’s workstation (PC or Mac) using a social engineering attack where the user gets tricked in clicking on a phishing link or opening an attachment. Once the malware is on the machine, it starts to encrypt all data files it can find on the machine itself and on any network shares the PC has access to. Global-Cost-of-Ransomware-Infographic V2

Next, when a user wants to access one of these files they are blocked, and the system admin who gets alerted by the user finds two files in the directory that indicate the files are taken ransom, and how to pay the ransom to decrypt the files. New strains and variants come and go as new cyber mafias muscle into the "business".  Techniques the cybercriminals are using are constantly evolving to get past traditional defenses. Some major strains are WannaCry, GandCrab, Phobos and Cerber. This is a very successful criminal business model. Annual ransomware-induced costs are projected to exceed $265 billion by 2031, according to Cybersecurity Ventures. 

Once files are encrypted, the only way to get them back is to restore a backup or pay the ransom. However, cybercriminals are now often corrupting backups before the victims know what hit them.  Storage Magazine reports that over 34% of companies do not test their backups and of those tested 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed. 

The Global Cost of Ransomware Infographic

Today, a Ransomware Infection is a Data Breach

The emergence of new strains has slowed down, but ransomware is getting much more sophisticated. In the early days, hackers mostly targeted consumers, and it would encrypt immediately upon executing. Later on, ransomware gangs realized they would make a lot more money targeting businesses. At first they would spread like a worm through organizations, collecting credentials and encrypting files along the way. Threat actors are now a lot more intelligent in their approach. Once they've gotten in, the malware 'dials home' so that the hacker can do a full analysis on which data is most valuable to their victim, how much they can realistically ask for, and what can they encrypt that will get them a payday sooner. 

Most of the ransomware gangs are now exfiltrating your most valuable data and threaten to expose it on publicly available websites as an additional extortion method. Some of these criminals make you pay twice, once for the decryption key, and again to delete the data they have stolen.  In the U.S. alone, a single cybersecurity insurance consortium said they are paying $1M per day in ransomware payouts to these criminal gangs.

That figure doesn't include recovery and downtime costs, which can far exceed the cost of the ransom. By now, there are tens of thousands of ransomware victims, including school districts, police departments, and entire cities. It is important to understand that it is not just large organizations that are targeted, small and medium organizations are also at risk.

Cyber criminals constantly use social engineering and update their ransomware themes to stay current. Some themes include the FBI variant, the Internal Revenue Service, and even sadly, now COVID-19 pandemic-themed ransomware. In addition to updating themes, cyber criminals are also developing creative new ways to spread the ransomware. These include offering Ransomware-as-a-Service (RaaS) strains such as “Dot” or “Philadelphia”, where they offer your files back for free if you infect two other organizations. There are even marketing videos on YouTube for some ransomware strains.

Ransomware History Timeline

Since 1989, ransomware has become the number one security risk to businesses and users. Here is a full history and how it has evolved:



The first ever ransomware virus was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp (now known as the 'father of ransomware'). It was called the AIDS Trojan, also known as the PC Cyborg. Popp sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference in Stockholm. The disks contained malicious code that hid file directories, locked file names and demanded victims send $189 to a PO Box in Panama if they wanted their data back. The AIDS Trojan was “generation one” ransomware malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the file names. But the AIDS Trojan set the scene for what was to come. 


In November 1991, Judge Geoffrey Rivlin deemed Joseph L. Popp unfit to stand trial due to increasingly strange behavior, and the case was thrown out. The first form of ransomware used symmetric cryptography that could easily be decrypted, which meant it didn’t pose a serious threat and didn't cause trouble.


In 1996, two cryptographers, Adam L. Young and Moti M. Yung, warned that a new ransomware would eventually use asymmetric cryptography. This would mean its natural file-locking capabilities could be used for massive destruction. The only question was when?


The first contemporary ransomware programs began to show up, using asymmetric encryption (RSA). Symmetric keys did the encrypting, but those keys were protected with RSA so you would need private key to be able to get data back.


17 years later, another strain was released but this time it was much more invasive and difficult to remove than its predecessor. In 2006, the Archiveus Trojan was released, the first ever ransomware virus to use RSA encryption. The Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password.

GPcode, Krotten and Cryzip were just a few names of new strains which spread via an email attachment purporting to be a job application, used a 660-bit RSA public key that was very difficult to crack at the time.


At the same time GP Code and it’s many variants were infecting victims, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code.


Two years after the initial GP Code virus was created, another variant of the same virus called GPcode.AK was unleashed on the public using a 1024-bit RSA key.

When Bitcoin emerged in 2008, it was a game changer for ransomware. The decentralized cryptocurrency provided a new, mostly anonymous system for transferring money – making it the perfect way for cybercriminals to extort their victims. The widespread adoption of Bitcoin enabled threat actors to carry out much larger ransomware attacks. 


Mid 2011 - The first large scale ransomware outbreak, and ransomware moves into the big time due to the use of anonymous payment services, which made it much easier for authors to collect money from their victims. There were about 30,000 new samples detected in each of the first two quarters of 2011.

July 2011 - During the third quarter of 2011, new ransomware detections doubled to 60,000.


In 2012, Fabian Wosar encountered ransomware for the first time while helping victims get their encrypted files back. He quickly became obsessed with creating free decryption tools that would help other ransomware victims to get their files back. A few years later, computer repair technician Michael Gillespie encountered ransomware while helping a customer who had been hit with TeslaCrypt. Gillespie then began creating decryptors, learning everything he could about ransomware.

Even with the ongoing efforts of Wosar, Gillespie, the No More Ransom project and many others fighting cybercrime, ransomware continued to terrorize victims across the globe. Schools, universities, hospitals, police departments, government agencies and everyday citizens – no one was safe.

January 2012 - The cybercrime ecosystem comes of age with Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. Citadel makes it simple to produce ransomware and infect systems wholesale with pay-per-install programs allowing cybercriminals to pay a minimal fee to install their ransomware viruses on computers that are already infected by other malware. Due to the introduction of Citadel, total infections surpassed 100,000 in the first quarter of 2012.

Cyber criminals begin buying crime kits like Lyposit—malware that pretends to come from a local law enforcement agency based on the computer’s regional settings, and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.

March 2012 - Citadel and Lyposit lead to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. Reveton first showed up in European countries in early 2012. The exact “crime” and “law enforcement agency” are tailored to the user’s location. The threats are "pirated software" or "child pornography". The user would be locked out of the infected computer and the screen be taken over by a notice informing the user of their "crime" and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak.

April 2012 - Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

July 2012 - Ransomware detections increase to more than 200,000 samples, or more than 2,000 per day.

November 2012 - Another version of Reveton was released in the wild pretending to be from the FBI’s Internet Crime Complaint Center (IC3). Like most malware, Reveton continues to evolve.


July 2013 - A version is released targeting OSX users that runs in Safari and demands a $300 fine. This strain does not lock the computer or encrypt the files, but just opens a large number of iframes (browser windows) that the user would have to close. A version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine.

July 2013 - Svpeng:  This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. 

August 2013 - A version masquerading as fake security software known as Live Security Professional begins infecting systems.

September 2013 - CryptoLocker is released. CryptoLocker is the first cryptographic malware spread by downloads from a compromised website and/or sent to business professionals in the form of email attachments that were made to look like customer complaints controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011.

Cryptolocker uses a 2048-bit RSA key pair, uploaded to a command-and-control server, and used it to encrypt files with certain file extensions, and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers.

With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. Ransom prices varied over time and with the particular version being used. The earliest CryptoLocker Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies.

November 2013 - The ransom changes. The going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

Early December 2013 - 250,000 machines infected. Four Bitcoin accounts associated with CryptoLocker found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

Mid December 2013 - The first CryptoLocker copycat software emerges, Locker, charging users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number.

Late December 2013 - CryptoLocker 2.0 – Despite the similar name, CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

Also during this timeframe, CryptorBit surfaced. Unlike CryptoLocker and CryptoDefense which only targets specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.


February 2014 - CryptoDefense is released. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

April 2014 - The cyber criminals behind CryptoDefense release an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, 3⁄4 in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 – $300 to remove it.

May 2014 - A multi-national team composed of government agencies managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. 

iDevice users in Australia and the U.S. started seeing a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those ID’s and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

July 2014 - The original Gameover ZeuS/CryptoLocker network resurfaced no longer requiring payment using a MoneyPak key in the GUI, but instead users must install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and improve their bottom line.

Cryptoblocker – July 2014 Trend Micro reported this new strain that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

August 2014 - Symantec reports crypto-style ransomware has seen a 700 percent-plus increase year-over-year.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

This was discovered midsummer 2014 by Fedor Sinitisyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services quickly arrest and shut down any Russians hacking others in their own country.

Late 2014 - TorrentLocker – According to iSight Partners, TorrentLocker “uses components of CryptoLockerand CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.


Early 2015 - CrytoWall takes off, and replaces Cryptolocker as the leading ransomware infection. 

April 2015 - CrytoLocker is now being localized for Asian countries. There are attacks in Korea, Malaysia and Japan.  

May 2015 - It's heeere. Criminal ransomware-as-a-service has arrived. In short, you can now go to this TOR website "for criminals by criminals", roll your own ransomware for free, and the site takes a 20% kickback of every Bitcoin ransom payment.  Also in May 2015 a new strain shows up that is called Locker and has been infecting employee's workstations but sat there silently until midnight May 25, 2015 when it woke up. Locker then started to wreak havoc in a massive way.

May 2015 - New "Breaking Bad-themed ransomware" gets spotted in the wild. Apart from the Breaking Bad theme, CryptoLocker.S is pretty generic. It is surprising how fast ransom Trojans have developed. A year ago every new strain was headline news, now it's on page 3. This version grabs a wide range of data files, encrypts it using a random AES key which then is encrypted using a public key.

June 2015 - SANS InfoSec forum notes that a new version of CryptoWall 3.0 is in the wild, using resumes of young women as a social engineering lure: "resume ransomware".

June 2015 - The FBI, through their Internet Crime Complaint Center (IC3), released an alert on June 23, 2015 that between April 2014 and June 2015, the IC3 received  992 CryptoWall-related complaints, with victims reporting losses totaling over  $18 million. Ransomware gives cybercriminals almost 1,500% return on their money. 

July 2015 - An Eastern European cybercrime gang has started a new TorrentLocker campaign where whole websites of energy companies, government organizations and large enterprises are being scraped and rebuilt from scratch to spread ransomware using Google Drive and Yandex Disk.

July 2015 - Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new, it was first detected in February 2015. It's been dubbed the "curse" of computer gamers because it targets many game-related file types.

September 2015 - An aggressive Android ransomware strain is spreading in America. Security researchers at ESET discovered the first real example of malware that is capable to reset the PIN of your phone to permanently lock you out of your own device.  They called it LockerPinand it changes the infected device's lock screen PIN code and leaves victims with a locked mobile screen, demanding a $500 ransom. 

September 2015 - The criminal gangs that live off ransomware infections are targeting Small Medium Business (SMB) instead of consumers, a new Trend Micro Analysis shows. The reason SMB is being targeted is that they generally do not have the same defenses in place of large enterprises, but are able to afford a 500 to 700 dollar payment to get access to their files back.  

The Miami County Communication Center’s administrative computer network system was compromised with a CryptoWall 3.0 infection which locked down their 911 emergency center. They paid a700 dollar Bitcoin ransom to unlock their files.

October 2015 - A new strain called LowLevel04 spreads using remote desktop and terminal services attacks. It encrypts data using RSA-2048 encryption and the ransom is double from what is the normal $500, demanding four Bitcoin.  Specifically nasty is how it gets installed: brute force attacks on machines that have Remote Desktop or Terminal Services installed and have weak passwords.

October 2015 - The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom. “The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office.  “To be honest, we often advise people just to pay the ransom.”

October 2015 - Staggering CryptoWall Damage: 325 Million Dollars. A brand new report from Cyber Threat Alliance showed the damage caused by a single criminal Eastern European cyber mafia. The CTA is an industry group with big-name members like Intel, Palo Alto Networks, Fortinet and Symantec and was created last year to warn about emerging cyber threats. 

November 2015 - CryptoWall v4.0 released and displays a redesigned ransom note, new filenames, and now encrypts a file's name along with its data. In summary, the new v4.0 release now encrypts file names to make it more difficult to determine important files, and has a new HTML ransom note that is even more arrogant than the last one. It also gets delivered with the Nuclear Exploit Kit, which causes drive-by infections without the user having to click a link or open an attachment (sic). 

November 2015 - A new strain is spotted with a very short 24-hour deadline, researchers crack the Linix. Encover strain and British Parliament computers get infected with ransomware. 

December 2015 - Kaspersky reports that ransomware is doubling year over year, and Symantec reports that TeslaCrypt attacks moved from 200 to 1,800 a day.  


January 2016 - First Javascript-only Ransomware-as-a-Service Discovered, Cybercrime has piggybacked on the extremely successful SaaS model and several strains of Ransomware-as-a-Service (RaaS) like TOX, Fakben and Radamant have appeared in 2015. However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the "write-once-infect-all" threat, which is something to be aware of.

January 2016 - A stupid and damaging new strain called 7ev3n encrypts your data and demands 13 bitcoins to decrypt your files. A 13 bitcoin [almost $5,000] ransom demand is the largest we have seen to date for this type of infection, but that is only just one of the problems with 7ev3n. In addition to the large ransom demand, the 7ev3n crypto-ransom malware also does a great job trashing the Windows system that it was installed on. DarkReading reports on a Big Week In Ransomware.

February 2016 - Ransomware criminals infect thousands with a weird WordPress hack. An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering TeslaCrypt to unwitting end-users. Antivirus is not catching this yet.

February 2016 - It's Here. New Ransomware Hidden In Infected Word Files. It was only a matter of time, but some miscreant finally did it. There is a new strain somewhat amateurishly called "Locky", but this is professional grade malware. The major headache is that this flavor starts out with a Microsoft Word attachment which has malicious macros in it, making it hard to filter out. Over 400,000 workstations were infected in just a few hours, data from Palo Alto Networks showsBehind Locky is the deadly Dridex gang, the 800-pound gorilla in the banking Trojan racket.

March 2016 - MedStar receives a massive ransomware demand. A Baltimore Sun reporter has seen a copy of the cybercriminal's demands.  "The deal is this: Send 3 bitcoins — $1,250 at current exchange rates — for the digital key to unlock a single infected computer, or 45 bitcoins — about $18,500 — for keys to all of them."

April 2016 - News came out about a new strain that does not encrypt files but makes the whole hard disk inaccessible. As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads. It's called Petya and clearly Russian.

April 2016 - The Ransomware That Knows Where You LiveIt's happening in the UK today, and you can expect it in America tomorrow [correction- it's already happening today]. The bad guys in Eastern Europe are often using the U.K. as their beta test area, and when a scam has been debugged, they go wide in the U.S. So here is what's happening: victims get a phishing email that claims they owe a lot of money, and it has their correct street address in the email. The phishing emails tell recipients that they owe money to British businesses and charities when they do not.  

April 2016 - Hello mass spear phishing, meet ransomware! Ransomware is now one of the greatest threats on the internet.  Also, a new strain called CryptoHost was discovered, which claims that it encrypts your data and then demands a ransom of .33 bitcoins to get your files back (~140 USD at the current exchange rate) . These cybercrims took a shortcut though, your files are not encrypted but copied into a password protected RAR archive .

April 2016 - CryptoWorms: Cisco's Talos Labs researchers had a look into the future and described how ransomware would evolve. It's a nightmare. They created a sophisticated framework for next-gen ransomware that will scare the pants off you. Also, a new strain called Jigsaw starts deleting files if you do not pay the ransom. 

April 2016 - Ransomware On Pace To Be A 2016 $1 Billion Dollar BusinessCNN Money reports about new estimates from the FBI show that the costs from so-called ransomware have reached an all-time high. Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion a year crime this year.

Late April 2016 - Scary New CryptXXX Ransomware Also Steals Your Bitcoins. Now here's a new hybrid nasty that does a multitude of nefarious things. A few months ago the 800-pound Dridex cyber gang moved into ransomware with Locky, and now their competitor Reveton follows suit and tries to muscle into the ransomware racket with an even worse criminal malware multitool. At the moment CryptXXX spreads through the Angler Exploit Kit which infects the machine with the Bedep Trojan, which in its turn drops information stealers on the machine, and now ads professional grade encryption adding a .crypt extension to the filename. Here is a graph created by the folks of Proofpoint which illustrates the growth of new strains in Q1, 2016:


Here is a blog post that looks at the first 4 months of 2016 and describes an explosion of new strains

May 2016 - Petya comes loaded with a double-barrel ransomware attack. If the initial overwriting the master boot record does not work, they now have an installer that offers Petya and a backup "conventional" file-encrypting strain called Mischa. ProofPoint Q1-16 threat report confirms that Ransomware and CEO Fraud dominate in 2016.  A new Version 4 of DMA Locker comes out with weapons-grade encryption algorithms, and infects machines through drive-by downloads from compromised websites. In a surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. 

June 2016 -  CryptXXX becomes UltraCrypter and targets data stored on unmapped network shares along with local HDD volumes, removable drives, and mapped network repositories.  The Jigsaw strain morphs into new branding and now uses an Anonymous skin - asks for a very high $5,000 ransom. The RAA ransomware goes after Russian victims, which is rare considering that most cyber mafia are based there.  A new strain called BART (duh!)  locks files by archiving them, is a Locky spinoff, and gets spread by email attachments.  The hybrid Satana strain both encrypts files and replaces the Master Boot Record (MBR)  as Petya/Misha does.  EduCrypt demonstrates what happens when employees open infected attachments.  Tripwire has a more detailed write-up here. The upshot? Everyone and their cybercrime brother has jumped on the bandwagon.

July 2016 - A new strain dubbed Ranscam simply deletes files when it runs. A ransom note asking the victim for $125 in Bitcoin pops up, but the threat actors actually have no mechanism for restoring files. An update to Locky allows the malware to encrypt machines even when they’re offline. The RaaS (Ransomware-as-a-Service) trend continues with Stampado ($39 for a lifetime license) and Petya/Mischa (the higher the ransom collected, the higher the payout percentage) getting in on the action.

August 2016 - Hitler ransomware continues the recent trend of less skilled cybercriminals simply deleting files hoping to make a quick buck. The wildly popular PokemonGo app unsurprisingly has a ransomware that impersonates it. The developer added a backdoor Windows account, spreading the executable to other drives, and creating network shares. A new report by Check Point researchers showed that Cerber's Ransomware-as-a-Service (RaaS) affiliate program is a success with more than 160 participants at current count, and almost $200K profit with only 0.3% victims paying ransom. Voicemail notifications have become a popular phishing email in at least two campaigns. Hackers are able to target a wider array of people than billing notifications which don’t apply to all users, for example.

September 2016 - Cry is a sophisticated strain that steals and hosts personal information gathered from social networks, locates the victim on Google Maps using wireless SSID’s and deletes Shadow Volume Copies among other nasty features. Mamba, like Petya, continues the trend of full-disk encryption ransomware but unlike Petya encrypts all data on the machine’s hard drive. Fantom ransomware uses file and process names to set the size of the ransom demand, so if the campaign is targeting home users for example the ransom would be lower than if the target was a large enterprise. Ransomware officially became extortion under California law, however we see this as an ‘awareness’ thing than anything else.

October 2016 - Virlock is a two year old strain that spreads like a virus in the cloud. A massive Cerber campaign uses malicious Macros to infect its victims. Another version of Cerber stops SQL so it can encrypt the database. CryPy, a strain written in Python, also had Paypal phishing pages on the server the phishing emails were coming from so expect more to come from this one. As of now, ID Ransomware can detect over 200 different strains!

November 2016 - Locky is very much alive and well. One new campaign starts with a ‘credit card suspended’ phishing email with an attached malicious .JS file, another attacks victims via Facebook messenger. Crysis decryption keys have been made public. A browser locker variant called Ransoc infects victims via malvertising. Karma ransomware pretends to be a Windows optimization program and is distributed via a Pay-per-Install Network.

December 2016 - Osiris is a new Locky strain delivering surprise surprise, Excel docs containing macros that download and install Locky. Goldeneye encrypts the workstation twice: the files and the Master File Table (MFT). The phishing email contains both an Excel file that pulls the malware and a PDF used as a social engineering tool. If a user follows instructions on both documents, you potentially get to pay ransom TWICE. The Sandworm cybercrime gang has gotten their hands on KillDisk malware and added a ransomware feature. They run highly targeted campaigns, asking for 222 Bitcoin (around $200,000) from their victims.


January 2017 - Spora ransomware gives its victims options to just pay for file decryption, or they can pay more for immunity against future attacks. This is a sophisticated strain that collects victim data into a .KEY file, which then must be sent to the attackers who will set the ransom amount based on that data and provide decryption once paid. A new version of Spora uses an innovative way to spread itself via USB sticks.

February 2017 - A new app claims to have login data for leaked Netflix accounts, allowing users to get free access. What you actually get is fake account credentials, while your data is being encrypted in the background. DynA-Crypt ransomware not only encrypts data, it also attempts to steal information and even deletes files without backing them up. CRYSIS is back, mostly targeting US healthcare orgs. using brute force attacks via Remote Desktop Protocol (RDP). Weak passwords make these attacks successful.

March 2017 - Cryptolocker has been pretty quiet the past 6 months but it’s back, jumping from a handful of infections per day to over 400 per day. The original Petya has been hijacked by cybercriminals making it their own. Dubbed PetWrap, this new variant features a special module that patches the original Petya ransomware 'on the fly.’

April 2017 - The IT director for a private school reported that after getting hit with Samas ransomware, their entire Veeam backup repositories were wiped out as a result. The FBI said they had never seen ransomware delete backups. This is a prime example of why offline backups are so important! Cerber has taken over the ransomware market in 2017, its features (robust encryption, offline encryption, etc) and its RaaS (Ransomware-as-a-Service) business model make it very easy for newbie criminals to run their own custom campaigns. Most recently, Cerber gained the ability to evade detection by cybersecurity tools which use machine learning to identify threats. Locky has reappeared on the scene via phishing emails with a PDF that has a Word file hidden within, which executes a macro script when opened by the user.  This scenario allows the phishing email to bypass sandboxes.

May 2017 - Fatboy Raas (ransomware-as-a-service) uses the Big Mac index from The Economist in determining how much ransom to ask for. The WanaCry ransomware worm took the world by storm in mid-May, starting with an attack on vulnerable SMB services railways, telcos, universities, the UK's NHS, and so on. In all the strain infected over 300,000 computers in over 150 countries, making the criminals $90,000 which is really not that much compared to the amount of infections. WanaCry really caused the world to take notice of ransomware. Shadow Brokers, the hackers who leaked the NSA SMB zero-day exploit that powered WanaCry, published a manifesto announcing a subscription offer where they will release more zero-day bugs and exploits for various desktop and mobile platforms, stolen from the NSA. Coming in June 2017, it is set up like a 'wine of month' club with subscribers getting a members only data dump each month.

June 2017 - Microsoft proudly announced that no known ransomware could penetrate the newest Win 10 Creators Update. What’s that saying about things being too good to be true? ZDNet hired a pro hacker who proved that wrong in about 3 hours.

NotPetya was the new worldwide ‘ransomware’ attack following May’s WannaCry outbreak, hitting targets in Spain, France, Ukraine, Russia, and other countries. However NotPetya is not like normal ransomware, it’s more like cyber warfare and does not come from the authors of the original Petya. It does not delete any data but simply makes it unusable by locking the files and then throwing away the key.

South Korean web hosting provider Nayana was hit with Erebus ransomware which infected 153 Linux servers. Nayana paid the largest ransom to date of $1 million. Some of their data was permanently deleted in the process, prompting the hosting company to offer free hosting for life and refunds for affected customers. So aside from the massive million dollar payment, they had additional great financial loss and damage to their reputation.

July 2017 - F-Secure labs uncovered chat sessions in which a ransomware support agent claimed they were hired by a corporation for targeted operations. Later analysis/metadata research confirmed that this tactic was used with another variant, and the follow-up attack targeted IP lawyers that was seemingly aimed at disrupting their business operations.

August 2017 - An update to Cerber lets the Dridex gang steal from three different Bitcoin wallet apps as well as steals passwords from popular web browsers. Cerber is among the most rapidly evolving ransomware families, the criminals are constantly trying new ways to monetize ransomware.

A key ransomware money laundering operation BTC-e taken down and owner, Russian national Alexander Vinnik was arrested in Greece in a multi-national law enforcement effort. FinCEN, the US department of the Treasury Financial Crimes Enforcement Network assessed BTC-e with a $110 million civil money penalty for willfully violating U.S. anti-money laundering laws. Vinnik was assessed $12 million for his role in the violations.

Locky is back with a new Diablo6 variant spread through phishing emails with infected attachments. It’s too soon to tell just how widespread this new variant will be. A new version of an old IRS/FBI phishing scheme asks its recipients to download a questionnaire. SyncCrypt is a new phishing threat that hides ransomware inside an infected JPG. Newly discovered Defray ransomware targets healthcare, education, manufacturing and tech sectors in the US and UK, using customized spear phishing emails and demanding a hefty $5k ransom.

September 2017 New nRansomware demands nudes instead of Bitcoin in an attempt to blackmail victims multiple times. A similar attack spotted in Australia and the US claims that a virus was installed on a porn website which recorded the victim through their webcam. However, scammers are likely bluffing about having compromising information. This led us to believe that these are simply fake extortion emails. We ended up calling it ‘faketortion’.”

Two new massive Locky campaigns were reported this month; one pushing a new variant that encrypts files with the .ykcol extension and demanding 0.5 Bitcoin (~$1800) , the other sneaks malicious code into an attachment that looks like a printer output to its victims.

October 2017 - Bitdefender released its new Ransomware Recognition Tool. This tool analyzes both the ransom note and the encrypted file samples to identify the strain of ransomware and suggest a decryption tool for the identified family, if one is available.

Bad Rabbit ransomware hit organizations in Russia, Ukraine and the U.S. This is basically a new, improved NotPetya version 2 that starts with social engineering. In this release, encrypted data is recoverable after buying the key, meaning BadRabbit attack is not as destructive as NotPetya. They fixed a lot of bugs in the file encryption process.

November 2017 - The Bad Rabbit attack from last month was found to be a cover for an insidious spear phishing campaign, targeting Ukranian officials in an attempt to get their financial and confidential information. Ransomware attacks are becoming more and more sophisticated and are not always what they look like on the surface.

A new strain called Ordinypt ransomware targeted victims in Germany only. Instead of encrypting users' documents, the ransomware rewrites files with random data.

The Scarab strain was updated and spread via the Necurs botnet. In a massive 12.5 million campaign targeting .com domains, The current campaign prevents users from using third-party recovery tools, deletes Shadow Volume Copies and other default Windows recovery features.

December 2017 - Scarab ransomware first seen in November, comes with the option for infected victims to negotiate a price for retrieving their encrypted files.

According to Carbon Black's 2017 Threat Report, ransomware attacks have grown in volume and amount per attack and is now a $5 billion industry.


January 2018 - Interesting research by Enterprise Strategy Group: 63% of organizations experienced an attempted ransomware attack in 2017, with 22% reporting these incidents occurred on a weekly basis.

A white hat hacker developed a working 'ransomcloud' strain, which encrypts cloud email accounts like Office 365 in real-time. If a white hat can do this, so can a black hat. Watch out for this attack in the near future.

We’re seeing cybercriminals shift away from Bitcoin due to its current high profile and high value, which mean small fluctuations dramatically alter the cost, and worries that the anonymity it offers isn't all it's cracked up to be. While not yet a widespread payment method for distributors of ransomware, there are a number of examples of ransomware demanding their fee for unlocking be paid in Monero, such as Kirk ransomware.

February 2018 - Recently, cryptomining related attacks have become more popular than ransomware for many attackers. They don't need to actually engage the victim to make a lot of money, but we don’t think ransomware will be going away any time soon.

A new variant called Annabelle has been discovered, which seems to have been designed to ‘show off the skills’ of the developer who created it, by being as difficult to deal with as possible. It terminates numerous security programs, disables Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can’t run a variety of programs, and overwriting the master boot record of the infected computer with a boot loader. The good news is Bleeping Computer has encryption instructions.

March 2018A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections and chose to pay in 2017 were able to recover their files. This is why backups are so important, there is never a guarantee your files will be recovered even if you pay the ransom. When asked what’s inhibiting them from defending their respective organizations against cyberthreats,  “low security awareness among employees” remains one of the top 3 reasons. In other words, get your users trained yesterday!

A new ransomware-as-a-service dubbed GandCrab showed up mid-month. This is the most prominent ransomware of 2018, infecting approximately 50,000 computers, most of them in Europe, in less than a month asking each victim for ransoms between $400 and $700,000 in DASH cryptocurrency. Yaniv Balmas, a security researcher at Check Point compares GandCrab to the notorious Cerber family, and the expert also added that GandCrab authors are adopting a full fledged agile software development approach, the first time in ransomware history. More technical details at the Security Affairs blog.

Zenis ransomware discovered by the MalwareHunterTeam not only not encrypts your files, but also purposely deletes your backups. The latest version utilizes AES encryption to encrypt the files, unfortunately at this time there is no way to decrypt them. If you are infected with Zenis, DO NOT PAY THE RANSOM. Instead you can receive help or discuss this ransomware in Bleeping Computer's  dedicated Zenis Ransomware help & support topic

The City of Atlanta was infected with SamSam ransomware, and had a bitcoin demand of $51,000 to unlock the entire system. The infection affected several internal and customer-facing applications, such as the online systems that residents used to pay city bills or access court documents. A total of $2.6 million has been set aside for emergency recovery efforts, and that doesn't include the ransom. This strain is believed to have the ability to get access to systems and wait weeks before an attack, making it easier to strike twice. That's exactly what happened when the Colorado DOT was infected with SamSam at the beginning of the month. 

AVCrypt ransomware, discovered by BleepingComputer, tries to uninstall your existing security software (such as AV) before it encrypts files. However, it looks like no encryption key is sent to a remote server so it's unclear whether this is true ransomware or a wiper. 

A new report from SentinelOne found that ransomware is now something that more than half (56%) of companies have faced in the past two months. That's up from 48% who said the same thing in the firm's 2017 report.

April 2018 - Hackers are working hard at making ransomware less predictable in order to avoid detection. Changes to the encryption process, the code itself, and even delivery methods are just a few of the 11 ways ransomware is evolving.

Verizon's 2018 Data Breach Incident Report lists ransomware as the most common type of malware carried by phishing attacks. It's used in 56% of such incidents. Here is the full report: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf

Healthcare has always been targeted as an industry by hackers trying to get their hands on valuable PII. The HHS' Healthcare Cybersecurity and Communications Integration Center released a report on SamSam, a strain that has targeted the healthcare and government sectors since 2016. A few weeks later, the Center for Orthopaedic Specialists (COS) in California was hit and had to notify 85,000 patients. This is just another indicator that a ransomware infection is seen as a HIPAA data breach and needs to be reported.

May 2018 - A new strain called Blackheart drops its payload alongside the perfectly legitimate AnyDesk remote desktop tool, highly likely as a way to evade detection. If that sounds familiar, similar tool TeamViewer was infected with malware in a similar way in 2016.

BitKangoroo is another new strain using AES-256 encryption that deletes your files if you do not pay. Once it deletes a file, it will reset the timer back to 60 minutes. Fortunately, it can be decrypted for free using Michael Gillespie's BitKangarooDecrypter.

The European Union's General Data Protection Regulation will affect how U.S. companies deal with the rising threat of ransomware attacks, according to a leading privacy lawyer, by requiring the reporting of incidents even if the impact on data or systems is minimal.

 June 2018 - Satan Ransomware was seen using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with a previous WannaCry Ransomware campaign. 

SamSam, the ransomware strain that crippled several cities and school districts in the U.S. earlier this year came back. This strain has three new ways to avoid detection: It decrypts the payload only at run-time, making it nearly impossible to identify and analyze. It’s loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools. It requires a password to be entered by the threat actor to run in the first place. This new strain of SamSam is designed for targeted attacks.

SonicWall's latest report on cyberattack volumes shows that in 2018 year to date, there have been 2 million Ransomware attacks - a 299% increase – that’s TRIPLE over last year!

July 2018 - GandCrab v4 – a more dangerous and invasive newly released strain of the notorious ransomware is back with more power in its pincers: it no longer needs a C2 server, it functions without Internet access, can spread via the SMB exploit EternalBlue and it appears to hunt for unpatched machines. Still, there are easy ways to avoid an attack. 

SonicWall released a mid-year update to their 2018 Cyber Threat Report with some sobering statistics about the state of ransomware this year:

  • A 229% increase in ransomware attacks year-to-date over 2017
  • 12 new variants of ransomware 
  • 181.5 MILLION attacks this year alone (that’s nearly 100K attacks daily!)

Bottom line? Ransomware is alive and well!

SamSam is in the news again, earlier this year EHR vendor Allscripts was a victim of the strain which caused over 1,500 doctor’s offices to be unable to access patient records. Now one of those offices has filed a class-action suit against the firm, claiming they failed “to secure its systems and data from cyberattacks, including ransomware attacks".

Also this month LabCorp, one of the largest clinical labs in the U.S., was hit with SamSam. The attack was contained quickly and didn't result in a data breach. However, before the attack was fully contained, 7,000 systems and 1,900 servers were impacted. Of those 1,900 servers, 350 were production servers. If you're in health care SamSam is definitely something to watch out for and it can have devastating consequences. A new literature review from Marshall University describes the problem as well as prevention methods in great detail.  

September 2018 - KnowBe4 released a new version of our popular Ransomware Simulator tool that now tests against 13 ransomware scenarios and 1 cryptomining scenario. Cryptomining is just another means to a financial end for cybercriminals. Just like ransomware, remote access trojans (RATs), and other types of malware, the cybercriminal needs to somehow infect a machine. This kind of attack isn't going anywhere. If you have any kind of security strategy around malware and ransomware, you need to be adding cryptojacking/cryptomining to the list and act accordingly; you’ll be seeing a lot more of this attack vector.

October 2018 - An announcement from the National Cyber Security Centre (NCSC) identified a number of cyber actors and attacks likely carried out by the GRU, the Russian military intelligence service. Here is a full list of attributions that the British National Cyber Security Centre has compiled about the GRU.

Proofpoint’s Wombat Security division published their 2018 User Risk Report, which surveyed 6,000 working adults. The results show 64 percent of respondents do not know what ransomware is. In times like this you really need to step your users through new-school security awareness training to prevent such attacks.

November 2018 - New variant CommonRansom asks for RDP access to the victim’s computer in order to decrypt files. This is the latest attempt to extend the ransomware attack beyond the simple act of extortion. It is likely that the group is more interested in the credentials than ransom payments. 

Four new strains of Dharma ransomware were discovered that evade detection by all but one antivirus solutions on the market. Researchers observed a malicious executable dropped through a .NET file and another associated HTML Application (HTA) file. There is no decryption available, even if ransom is paid an encryption key is generated locally so it's a fake key. 

There should be no question by now that Mac and iOS devices are targets for attacks. New data from Datto, a backup provider, shows that MSPs have seen a 500% increase in ransomware on both MacOS and iOS devices over last year. Most organizations have a group of users that use Macs, usually the creative types. So, it’s official – all users, regardless of operating system, are potential targets of ransomware.

December 2018 - New sextortion attacks take a dark turn and infect people with GandCrab ransomware. The email claims cybercriminals have a video of you watching an inappropriate website, and that you can download that video and see it for yourself. 

A server outage at a major newspaper publishing company prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun. It looks like this was a targeted ransomware attack using the specialized Ryuk ransomware familyThis strain is the latest incarnation of the earlier HERMES ransomware which is attributed to the capable and active Lazarus Group that operates out of a Chinese city just north from North Korea and reportedly controlled by the N.K. Unit 180 spy agency.


January 2019 - A new malware attack was detected in the wild that combines two known pieces of malware: the Vidar data harvesting malware followed by GandCrab ransomware. Running an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. See how the attack works here.

CryptoMix ransomware has resurfaced, according to a recent blog at Ransomware Incident Response vendor CoveWare. With each infection, the message goes beyond just asking for bitcoin, but instead attempts to compel victims to pay the ransom with the claim that the money will go to a fictitious charity.

Ransomware is using a variety of methods to reduce or nullify the effectiveness of data backups such as attacking shared network drives, Windows shadow copies, and any files that have backup file extensions. Some ransomware variants can even sync with the victim’s cloud service and encrypt files stored there. some new variants are also making it harder for organizations to know which backup to restore from

North Carolina Attorney General Josh Stein released a report on Thursday that highlights the impact of data breaches on the state in 2018, and paired the report with a bipartisan bill to strengthen breach notifications to include ransomware attacks.

A new strain dubbed Anatova was discovered in a private peer-to-peer (p2p) network and targets consumers by using the icon of a game or application to trick the user into downloading it. Anatova is packed with functionality that is also difficult to analyze, a telling sign this was created by experienced bad actors. It has the ability to morph quickly, adding new evasion tactics and spreading mechanisms, has some similarities to GandCrab and once downloaded, encrypts all or many files on an infected system and demands ransom in cryptocurrency in order to unlock it - 10 DASH – currently valued at around $700 USD.

February 2019 - According to Coveware’s Q4 2018 Global Ransomware Marketplace Report, cybercriminals are just getting started with this impactful form of malicious attack. Average numbers of paid ransom and downtime resulting from an attack backups compromised are all up over the previous quarter.

A new report produced by the Cyber Risk Management (CyRiM) project led by Nanyang Technological University  - ‘Bashe attack: Global infection by contagious malware’ – models a ransomware attack scenario on a global scale where hundreds of thousands of companies worldwide are infected and offers a look into what the aftermath would look like. The estimated damages worldwide range from $85-193 billion, with global cyber insurance losses ranging from $10-27 billion.

Torrent sites are banning CracksNow, a popular source of torrent uploads, after discovering that the uploader of cracks and keygens was distributing GandCrab ransomware.  CracksNow was labeled as “trusted” before a number of users started noticing bad things happening to their computers. 

March 2019 - A new strain called LockerGoga infects aluminum producer Norsk Hydro, and Hexion and Momentive chemical plants,  effectively shutting them down for days and go on manual operation, causing them to buy hundreds of new computers. 

In an interview at the 2019 RSA Conference, Josh Zelonis, senior analyst at Forrester Research, discusses the next great security threats to enterprises. According to Zelonis, a new trend of victims paying off the ransoms could reverse the wane in ransomware attacks that has been seen in the last year or so.

Matrix ransomware has been around since 2016, but according to a new report from Sophos, the malware has undergone major recent improvements that allow it to perform a wide range of attack tasks. It uses RDP-based brute force attacks to gain an initial foothold. The malware contains several payload executables including some legitimate admin tools – each used to either infect the initial endpoint, or connect to remote machines via RDP and spread within the network. Their code even includes efforts to disable AV software on endpoints. Once infected, the victim is required to contact the attacker, submit some encrypted files (presumably to prove they are, indeed, the victim) and then are provided with the bitcoin ransom amount equivalent to $2500.

According to Coveware’s recently released 2018 Q4 Ransomware Marketplace Report, we’re seeing some very disturbing – and yet revealing – trends in ransomware attacks:

  • Ransoms have increased by an average of 13% over Q3 in 2018 to $6733
  • Attacks on backups as part of the ransomware attack have increased by 39% over Q3 2018
  • The average victim company size has risen from 38 to 71 employees

The attack on backups to decrease an organization's ability to recover instead of paying the ransom mixed with the ransom increase shows that cybercriminals know they have victims painted into a corner.

Jackson County in Georgia paid $400,000 after a Ryuk ransomware attack forced most of their systems offline. The infection forced most of the local government's IT systems offline, with the exception of its website and 911 emergency system.

April 2019 - vxCrypter ransomware is possibly the first strain to delete duplicate files. Discovered by Lawrence Abrams at Bleeping Computer, this strain was keeping tracking of the SHA256 hashes of each file it encrypted. As the ransomware encrypted other files, if it encountered the same SHA256 hash, it would delete the file instead of decrypting it. 

An email extortion scam threatening victims with DDoS attacks and WannaCry ransomware according to researchers at Avast. The scammers claim to have hacked the victim’s network and found evidence of tax evasion. They demand two bitcoins, or around $10,000, in exchange for keeping quiet about the illegal activity. If the victim doesn’t pay up, the scammer will deploy ransomware and launch DDoS attacks against their systems, in addition to notifying law enforcement about the alleged tax evasion.

The latest data from Coveware shows increases across the board in ransoms, downtime, and average cost of an attack. According to the report, three strains (Ryuk, Bitpaymer, and Iencrypt) have caused the rise in the cost from Q4 2018 to Q1 2019 - Ransoms increased by 89%, average number of days to address an attack have risen from 6.2 to 7.3 days and downtime has risen 47%, resulting in an average downtime cost of $64,645.

PayPal received a patent for ransomware detection technology. According to US patent number 10262138, issued on April 16, PayPal believes it can detect the early stages of a ransomware infection, and take one of two actions --to stop the encryption process, or to save a copy of the untainted original file to a remote server, before it gets encrypted, as a backup, so it can be restored later on.

The City of Stratford in Ontario, Canada was hit with a ransomware attack that encrypted six physical and two virtual servers, prompting the city to pay the ransom of $71,000.They did attempt to recover their data, however the security company they worked with was only involved in forensics and couldn't recover the data.

May 2019 - Sophos discovered a scary new strain of very sophisticated ransomware called MegaCortex. It was purpose-built to target corporate networks, and once penetrated, the attackers infect your entire network by rolling out the ransomware to all servers and workstations, using your own Windows domain controllers. Sophos have detected infections in the United States, Italy, Canada, France, the Netherlands, and Ireland.

The latest data from AppRiver shows SMBs simply aren’t prepared to respond to ransomware attacks, and will instead pay up. According to their 2019 Cyberthreat Index for Business Survey Report, three-quarters of SMBs believe a successful attack would be harmful to their business with only 36% believing they can actually survive a successful attack without sustaining short- and long-term business losses. Rather than prepare with a strong defense and response plan, the data shows the cybercriminals have the upper hand - 55% of all SMBs said they would pay ransom to recover encrypted data or to prevent it from being shared. Of larger SMB’s with 150-250 employees, 74% are willing to pay ransom with 39% of larger SMBs saying they “definitely would pay ransom at almost any price.”

Ransomware attacks skyrocketed in the first quarter of 2019, according to the Beazley Breach Response (BBR) Services team, which reports a 105% increase in the number of ransomware attack notifications against clients compared to Q1 2018.  Not only has the frequency of attacks increased, but attackers are shifting focus, targeting larger organizations and demanding higher ransom payments.

Riviera Beach City in Florida was hit with an attack after an employee clicked on a phishing email, and council members ended up paying $600,000 to recover their data. The attack locked up all of the city's data, and the ransom was paid just weeks after they agreed to spend around $1 million to replace the compromised computer equipment.

June 2019 - According to security vendor Recorded Future’s latest Review of State and Local Government Ransomware Attacks report, attacks against state and local governments rose 39% in 2018, and are finding surprising similar trends in 2019. The latest estimate of this attack tops off at just about $18 million – dwarfing the 13-bitcoin ransom demand equaling about $103,000.

Security researchers have been finding that attackers use ransomware as an exit strategy to cover up more serious incidents like data breaches. Although the attacks mostly look like regular ransomware delivered via phishing emails containing either malicious links or files, their goal is to delete potential forensic breadcrumbs and hope organizations don’t investigate further after recovering from the ransomware infection.

A month after Baltimore's devastating ransomware attack, Maryland Governor Larry Hogan (R) signed an executive order aimed at strengthening the state’s cybersecurity capabilities. The executive order formally establishes the “Maryland Cyber Defense Initiative” and creates the position of state chief information security officer (SCISO), who will be charged with giving cybersecurity recommendations to the governor.

Park DuValle Community Health Center paid a $70,000 ransom when the medical records of almost 20,000 patients encrypted by ransomware. The attack locked providers out of their system for almost two months, impacting their medical records system and appointment scheduling tool. It wasn't the first time the health center had been hit, back in April another attack left their computer systems locked for about three weeks. After the first attack, they rebuilt their systems by using offsite backups and didn't pay the ransom, the second time they weren't so lucky. Four clinics resorted to writing down all patient information and storing it in boxes, operating as walk-in clinics, and asking patients for medical history from memory for seven weeks. Officials say this attack has cost the provider upwards of $1 million.

Another victim of a Ryuk ransomware attack, Lake City, Florida, paid $500,000 to decrypt over 100 years' worth of city records. IT staff disconnected their systems within 10 minutes of infection, however the malware affected almost their entire network. The county's IT Director was blamed for failing to secure the network and taking too long to recover the data, he lost his job.

July 2019 - New eCh0raix ransomware uses a brute-force credential attack to gain access to data stored in QNAP NAS devices. According to Anomali, the threat detection vendor that discovered it, eCh0raix targets QNAP network-attached storage devices. It scans the internet for publicly accessible QNAP devices and tries to break in via a brute-force credential attack, bypassing weak login credentials. This strain encrypts specifically targeted file extensions on the NAS using AES encryption and appends an “.encrypt” extension to the encrypted files. The ransom note directs victims to pay a ransom in bitcoin via a website accessible with a Tor browser.

The latest data from ransomware recovery vendor, Coveware, outlines the current state of the cost, duration, and recovery rate of ransomware attacks today. According to their Q2 Ransomware Marketplace Report, the average ransom payment nearly tripled this year from $12.8k to $36.3k, the average downtime from an attack is 9.6 days and on average, 8% of decrypted data is lost. These details paint a pretty exact picture of what to expect should your organization be hit by ransomware.

A new ransomware strain referred to as Android/Filecoder.C was discovered by ESET researchers. It uses the victim's contact list to spread further using SMS messages that have malicious links. The new strain was distributed on adult content-related topics on Reddit and for a short time via the “XDA developers” forum. The hacker behind the malicious code has been posting links to a "sex simulator" app, telling users to try it out. But in reality, the links will download the ransomware to the victim's phone.

When La Porte County, Indiana was hit with Ryuk they paid the $130,000 ransom to recover their impacted data. They did have backup servers, but the malware infected them as well. IT staff were able to confine the attack to only 7% of machines, however two domain controllers were impacted so network services became unavailable.

August 2019 - New GermanWiper ransomware doesn't encrypt files but instead it rewrites their content with zeroes, permanently destroying users' data.

In light of the recent string of attacks that seem to be targeting government agencies and municipalities, a new multi-agency press release led by the U.S. Government’s Cybersecurity and Infrastructure Security Agency provides guidance on how to be resilient and proactively take steps to reduce the likelihood of successful ransomware attack.

The long-standing argument over whether or not victims should pay ransom to cybercriminals may have come to an end, with a resolution from the U.S. Conference of Mayors calling on cities to not pay up. 

DarkReading reported: "Ransomware masquerading as game "cheats" is hitting Fortnite players. Fortunately, there are ways to recover without paying a ransom." Similar to phishing attacks on STEAM, gamers are being targeted. 

The MegaCortex strain, first reported in May of 2019, has a new version upgrading it from a manual, targeted form of ransomware, to one that can be spread and do damage enterprise-wide. Completely automated, the latest version has proven to be ready for wide-scale attacks, according to new research from Accenture’s iDefense team. A need for manual password entry has been removed, and it’s been beefed up with an ability to kill a number of security products, and now loads and runs its’ main payload directly from memory.

According to Malwarebyte’s latest Cybercrime Tactics and Techniques: Ransomware Retrospective report, businesses are at risk of ransomware attack now more than ever with detections growing by 365% from Q2 2018 to Q2 2019. Material declines in consumer ransomware detections occurred around the same time as very material increases in detected business ransomware attacks.

McAfee Labs saw an average of 504 new threats per minute in Q1 2019, and a resurgence of ransomware along with changes in campaign execution and code. New ransomware increased by 118%, while the most prevalent strains were Dharma (aka Crysis), GandCrab and Ryuk. HelpNet Security has a good summary of the whole report.

September 2019 - A new strain called Lilocked (or Lilu) ransomware has infected thousands of webservers and appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Nemty ransomware is now being delivered via a PayPal phishing site that offers users a 3-5% return on PayPal transactions if they download an official PayPal browser extension. The attackers use Unicode characters from different alphabets to make their URL look like PayPal’s legitimate domain. Users who click the download button will receive a file named “cashback.exe.” Running this executable will infect the user’s system with the ransomware.

The coordinated ransomware attacks on 23 Texas municipalities last month demonstrate the lengths cybercriminals are willing to go to in order to attain their demanded ransom (in the case of the Texas cities, $2.5 USD). This has prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to release a new document, entitled Strategic Intent , which highlights how CISA will work to address the ever-growing threat of cyberattack by defining its mission and a high-level framework that will be used – a framework that includes the sharing of information between state and local agencies.

A new proposed law, the “DHS Cyber Hunt and Incident Response Teams Act,” authorizes the Department of Homeland Security (DHS) to invest in and develop “incident response teams” to help organizations battle ransomware attacks, was approved by the U.S. Senate. A similar bill has already passed in the House of Representatives in 2018, called the “DHS Cyber Incident Response Teams Act of 2018.” Senators said that the two pieces of legislation will now begin a reconciliation process. 

October 2019 - The FBI issued a warning that healthcare organizations, industrial companies, and the transportation sector are being targeted with ransomware. The attack methodologies continue to evolve, with cyber-criminals doing all they can to avoid detection. The FBI highlights three current attack techniques: phishing campaigns, Remote Desktop Protocol (RDP) vulnerabilities and exploits of software vulnerabilities.

Ransomware is living its best life in 2019. A rash of successful attacks against municipalities, state and local government, and school districts is bad for organizations and great for cybercriminals. With ransomware estimated to have a global damage cost to organizations $11.5 billion in 2019, according to analyst firm Cybersecurity Ventures, this is a problem that will continue to plague any organization that does not have ample security in place.

A recent article at AlienVault covered the results of a survey they took at this year’s Black Hat conference around ransomware and other security concerns. While there’s no ability to cross-check the raw data, it’s concerning that over two-thirds of organizations saying they’re “ready” and yet nearly one-fifth have been the victim of an attack. Respondents cited security solutions and backups as the two methods of ransomware preparation, with one-third of organizations having over twenty security solutions in place! At a high level, this sounds like organizations are taking the right steps to stop an attack, but it appears that ransomware attacks – which primarily start with phishing attacks – are still happening.

Datto, a leading global provider of IT solutions delivered through managed service providers (MSPs), announced its fourth annual Global State of the Channel Ransomware Report. Highlights include: 85% of MSPs reported attacks against SMBs over the last two years, only 28% of MSPs report SMBs are very concerned about ransomware, and average cost of downtime is $141,000.

November 2019 - PureLocker, a previously undetected server-encrypting malware, gives hackers an advantage as it is written in the PureBasic programming language. Security vendors often struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms.

After a deadline was missed for receiving a ransom payment, the group behind Maze Ransomware has published almost 700 MB worth of data and files stolen from a security staffing firm. With this escalated attack, ransomware victims now need to not only be concerned about recovering their encrypted files, but what would happen if their stolen unencrypted files were leaked to the public, and the fact that ransomware infections by now probably should be disclosed as a data breach with all related consequences. 

According to cyber insurer Chubb's Cyber 2019 Adapting to the New Realities of Cyber Risks InFocus Report, ransomware attacks are up 50% in 2019 with attacks outpacing the previous five years. Despite Chubb seeing increases in attacks, , they are still experiencing an increase in the percentage of cyber claims resulting from ransomware attacks. It’s indicative that organizations simply aren’t prepared.

December 2019 - The latest version of Snatch ransomware installs a Windows service SuperBackupMan that is configured to run in Safe Mode. Once a forced restart is complete, and the system is in Safe Mode, those AV solutions not configured to run leave the system exposed and able to be encrypted. Researchers at Sophos also found it uses RDP as the initial attack vector, can exfiltrate, system information, monitor network traffic, install surveillance software and install remote access trojans (RATs). The payload for Snatch uses the open-source packer UPX to help obfuscate detection of its malicious code. This is very powerful and dangerous stuff here that has attack ramifications both immediately  and in the future, depending on how patient the attacker is.

Threat actors behind REvil Ransomware are now threatening to release data if victims don't pay the ransom isn't paid. According to Bleeping Computer: “ In a new post to a Russian malware and hacker forum shared with us by security researcher Damian, the public-facing representative of the REvil ransomware known as UNKN states that a new "division" has been created for large operations. REvil goes on to say that if a company does not pay the ransom, the ransomware actors will publicly release the stolen data or sell it to competitors. It is in their opinion that this would be more costly to the victim than paying the ransom."  

The Maze ransomware gang just outed 8 victims and a limited amount of selected data on a public website. According to Brian Krebs, the information released publicly so far is “ initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze. “ Criminals behind MAZE are likely hoping that by increasing psychological extortion pressure they will squeeze current victims who are still undecided to pay the ransom.

A report released by Armor, a global security solutions provider, noted a substantial rise in ransomware attacks against schools (and school districts) since October 2019. 11 new U.S. school districts (comprised of 226 schools) have been hit by ransomware since late October. According to the report, 269 publicly announced ransomware victim organizations in the U.S. since January 1, 2019. Municipalities continue to lead the victim list at 82, followed closely by school districts and/or educational institutions at 72, followed by 44 healthcare organizations and 18 Managed Service Providers (MSPs) and/or Cloud-Based Service Providers.

As of December 2019, ransomware is 30 years old, but few will be celebrating the occasion. Instead, many are wondering what will come next. Experts predict that ransomware will continue to grow and evolve, armed with tools like keyloggers, backdoors and droppers to cause further destruction. At the same time, it’s expected that ransomware will become increasingly more targeted in choosing victims, eschewing small-time marks in favor of targets with a bigger potential payoff. And as daily life becomes increasingly connected through the IoT, organizations will have to work even harder to keep ransomware out of their systems.

Here are some shocking ransomware statistics just from the year 2019, from Heimdal Security.

  • Two-thirds of ransomware attacks targeted state and local governments.
  • 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
  • Over 500 US schools were affected by ransomware attacks in 2019.
  • Almost 70 US government organizations were infected with ransomware since January 2019.
  • A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
  • In the third quarter of 2019, the average ransomware payout increased to $41,000.


January 2020 - Maze ransomware has gotten the attention of the FBI. A warning to U.S. companies about this attack in which the perpetrator steals data and then encrypts it to extort victims was issued. “From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors,” states the advisory obtained by CyberScoop. The warning provides technical indicators to detect Maze ransomware and asks victims to give them information that could help find the hackers. The bureau requests things like bitcoin wallets used by the hackers and the complete phishing email they sent to the victim. 

New "leakware" attacks differ from traditional ransomware attacks by threatening to steal and publish data online unless a ransom is paid. The problem is if you don't pay, you're risking continued attacks on those whose personal data was included in the breach. If you do pay, of course there's no guarantee the attackers won't sell the data to a third party and launch their own attacks. The City of Johannesburg and the State of Virginia are two victims of these types of attacks.

In the beginning, ransomware used to only look for office files. Then backups became a secondary victim. Now, according to researchers at Kaspersky, attackers are looking for ways to directly target the NAS devices that host an organization's backups. It makes sense to cybercriminals, their goal is to make an organization feel their only option is to pay the ransom.

Encryption isn't the only problem when it comes to ransomware, there are many other nasty issues. Ransomware threat actors are doing more analysis, taking the time to maximize the potential damage and payoff. First, they discover which resources are organization’s crown jewels. What if suddenly encrypted would cause the most panic, pain, and operational disruption? Second, they find out how that data is backed up and what they can do to interfere with that process. They also know how many days of backup corruption they need, meaning they are getting better at encrypting backup data while it's online before it gets moved offline. Hackers are now stealing the crown jewel data and threatening to leak it unless  the ransom is paid, so even if you do get it back it's still in their hands. Data-stealing ransomware has become so common that it has its own subclass known as data-theft ransomware. See more about how ransomware has become much worse!

Travelex, a foreign-currency exchange company, was hit by the REvil/Sodinokibi actors on New Year's Eve. Its network data was encrypted and their customers were unable to take orders. REVil is said to exfiltrate data before encrypting the network as an added extortion incentive for victims to either pay or have the possibility of their data going public. A resulting cascade of nasty consequences for the victims include disclosure of PII, thus triggering data breach reporting requirements and the resulting governmental and third party legal headaches, potential crashing stock prices, fines, and the consequences of disclosure of confidential or proprietary information. REVil knows that large data breaches have sometimes resulted in crashing stock prices of up to 6%. Travelex later had to warn its customers to be on the lookout for phishing scams in an update on its corporate holdings website.

Phobos ransomware has been around since late 2017 and has morphed into a few strains, always targeting large organizations in hopes of getting a bigger payoff. It works to kill processes that may pose a threat, deletes Volume Shadow copies, disables Windows firewall, and prevents systems from booting into recovery mode. The real threat is on hw it's distributed as a Ransomware-as-a-Service business model. Threat actors using Phobos today are less experienced and therefore there are delays when negotiating ransom, and there is potential for issues around decryption since they themselves have no control over the malware used in attacks.

Nemty ransomware creators are now extorting victims by threatening to publish data to a blog if they don't pay. While the idea of publicizing sensitive information is nothing new, the use of a blog could add credibility to their claim of being willing to post the data (prospective victims can simply navigate to it to see previous victim’s data).

More new features have been added to the Ryuk strain, it now uses the Wake-on-Lan feature to turn on powered-off devices on a large compromised network to have greater success in encrypting them. In conversations with BleepingComputer, Vitali Kremez, Head of SentinelLabs, stated that this evolution in Ryuk's tactics allow a better reach in a compromised network from a single device and shows the Ryuk operator's skill traversing a corporate network. It's also now able to hack Active Directory and infect a larger number of machines. Ryuk Stealer, another version of this malware, uses new keywords and filetypes to automatically find an organization's most valuable data that they can extort and get their ransom.

Microsoft end-of-support for Windows 7 means systems will remain unpatched, creating an opportunity for future ransomware attacks to wreak havoc. If you remember 2017's WannaCry, it was successful because of unpatched systems. So three things you can do to protect against this possibility are: update your OS, ensure continual updates, and educate your employees to avoid becoming victims by clicking on phishing emails.

The FDIC issued a warning about heightened cybersecurity risks, urging banks to immediately shore up cybersecurity controls and technology safeguards against ransomware due to increased geopolitical tension. potential attacks that can only be assumed to be the result of relations between the U.S. and Iran. According to the FDIC, two specific attack vectors were mentioned: the use of malware-infected storage devices like USB drives and phishing/spear phishing attacks against users.

New EFS ransomware uses the Windows Encrypting File System (EFS) built-in encryption abilities against itself, not needing to download a payload executable that performs the encryption. SafeLabs researchers tested out three major AV solutions against EFS ransomware and found all three to failed to stop an attack. The news of this evolved tactic has antivirus vendors scrambling to provide updates to stop this ransomware in its tracks.

In Coveware's recently released  Q4 Ransomware Marketplace Report, they found average cost of a ransom jumped from around $41K in Q3 of 2019 to just above $84K in Q4! Ransomware threat actors are targeting larger enterprise organizations in hopes of getting bigger payouts using sophisticated strains like Ryuk and Sodinokibi, while Ransomware-as-a-Service strains like Dharma, Snatch, and Netwalker are going after the small business sector.

Two senators of New York state recently proposed bills that would ban government agencies and local municipalities from using public money to pay cybercriminals ransom to get their files back. The first bill, proposed by Republican NY Senator Phil Boyle, and the second bill, proposed by Democrat NY Senator David Carlucci, are currently in committee. Several industry experts stated that this is the first time state authorities have proposed a law that outright bans paying the ransom all together.

Updates to FTCode ransomware targets the IDs and passwords on individual endpoints. Zscaler threat researchers have discovered new PowerShell code has been added to decrypt stored credentials from the following web browsers and email clients on Windows machines: Internet Explorer,  Mozilla Firefox, Mozilla Thunderbird, Google Chrome and Microsoft Outlook. The repercussions are significant: In addition to holding data for ransom, attackers could lock users out of cloud-based applications, could use the newfound credentials to island hop, could provide access to Office 3656 via OAuth API access, commit CEO fraud scams, identity theft, and much, much more.

Anti-malware vendor Emisoft recently warned both private and public sector businesses that ransomware poses a real threat to the upcoming 2020 election - from campaign fundraising to promoting stories about candidates, the possibilities are endless. And, given the heightened political tensions that exist in the U.S., potential victims are already emotionally charged enough to respond to phishing and web-based attacks.

February 2020 - Having good backups in place may no longer completely save you from an attack. A new trend, exemplified by Maze ransomware, is for threat actors to exfiltrate an organization's data and use it to extort them. What this could mean for you is that your current cyber insurance may not cover you as well as you may think.

Threat actors behind Sodinokibi are promising black hat hackers an opportunity to "work with" the creators of REvil ransomware under "mutually beneficial conditions” in a hacking contest with a $15,000 prize. While competitions like this aren’t entirely new, this latest one boasting a five-figure prize is big news. The danger lies in the ability to foster ingenuity, spawn creativity, and encourage the sharing of ideas to make ransomware and other forms of malware more powerful amongst cybercriminals.

DoppelPaymer ransomware makes money from its victims, whether they choose to pay the ransom or not. While it's not the first strain to publicize a victim's stolen data if they don't pay, it goes a step further to work to sell the data stolen. This has turned ransomware attacks from a nuisance and an attack on operational productivity into a full-blown data breach, complete with remediation, legal, PR, etc. This extra step turns up the heat on organizations to simply pay the ransom.

EKANS ransomware is a relatively new variant that focuses on wreaking havoc on industrial control systems (ICS) and businesses that rely on it. EKANS attempts to disrupt operations by killing processes, then encrypting data, effectively holding both the organization’s production and data for ransom.

March 2020 - Talman Software, which is used by the majority of wool industry across Australia and New Zealand, was the victim of a ransomware attack that prevented brokers from being able to buy and sell wool. 

Researchers at Quick Heal Security Labs have discovered a new strain of the “Mailto” ransomware nicknamed “Netwalker" that uses the art of deception to evade detection. It uses the debug API and Explorer.exe starts the execution, then proceeds to eliminate all of its traces when completed. According to Quick Heal Security Labs “the Mailto or Netwalker performs process hollowing in explorer.exe. This helps in evading the Anti-Virus software (AVs) to  easily perform the encryption.

According to data protection vendor Datto’s director of channel development, Eric Torres, who spoke recently at the Xchange 2020 conference, MSPs are under greater attack today due to their direct and unlimited access to customer networks. Their recent Global State of the Channel
Ransomware Report shows that 85% of MSPs report their SMB customers experiencing ransomware attacks within the last 12 months.

Information Security Media Group (ISMG) reported that a growing number of ransomware groups are now exfiltrating data from their victims before deploying the ransomware. Brett Callow, a security researcher at Emsisoft, told ISMG that ransomware operators are also using this stolen data to craft targeted attacks against the compromised organization’s customers and partners. “We've now got pretty clear evidence that Maze et al. are using exfiltrated [data] to spear phish other companies,” Callow said. “The problem is, many companies do not disclose these incidents, so their business partners and customers do not know that they should be on high alert. Bottom line: more companies need to disclose, and to disclose quickly.”

Joel DeCapua, a special agent in the FBI’s global operations and targeting unit recently spoke at the 2020 RSA Conference in a session entitled Feds Fighting Ransomware: How the FBI Investigates and How You Can Help. In this session, attendees were able to get a sense of the severity of the problem of ransomware. According to DeCapua, a total of $144.35 million in ransoms were paid between January of 2013 and July 2019. The biggest “winners” in ransomware are: Ryuk – taking in $61 million, Crysis/Dharma – $24 million, Bitpaymer - $8 million, SamSam - $6.9 million.

Researchers at Lastline have come across a phishing campaign that uses Internet Query (IQY) files to bypass security filters and deliver a new version of the Paradise ransomware. Since it's a legitimate Excel file type, many organizations will not block or filter it but the file type can be leveraged to download an Excel formula (command) that could abuse a system process, such as PowerShell, cmd, mshta, or any other LoLBins (Living-off-the-Land Binaries). The researchers conclude that these files are difficult to flag since there’s nothing inherently malicious in them, so organizations need to focus on the URL.

According to security vendor Blackberry Cylance, Healthcare is the number 4 industry targeted for ransomware attacks. This data is corroborated by the latest numbers from insurer Corvus, who have released their latest Security Report on the state of Healthcare cybersecurity. According to the report, ransomware has risen consistently in 2019 over 2018, with a projection for Q1 of 2020 to be literally 12 times higher than the same quarter last year.

the Department of Homeland Security issued a warning that many organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19),  and consider alternate workplace options for their employees. The Infrastructure Security Agency (CISA) encouraged organizations to adopt a heightened state of cybersecurity. They also specifically noted that "Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords."

U.K. cyberinsurer Beazley’s 2020 Breach Briefing covered some of the trends experienced by their customers between 2018 and 2019. According to the briefing: Business Email Compromise (BEC) was down slightly (12%) in 2019, Ransomware saw a massive increase of 131%, The top cause of loss (54%) was “hacking or malware”, Healthcare was the most targeted industry (35% of attacks), Small and Medium Businesses were the largest target (62%).

April 2020 - A new ransomware strain called 'Save the Queen’, distributes itself from its victim’s Active Directory Servers (known as Domain Controllers). Cybercriminals can do more with this access than simply encrypt data, and they may go even further than holding stolen data for ransom.

Three new ransomware families: Sodinokibi/REvil, Nemty, and DoppelPaymer are adopting the same style of “pay or we publish” tactic used by threat actors behind Maze ransomware. There are two big concerns here. The first is that organizations need to recognize that this will grow as a trend and, should they be attacked with ransomware, there are very few outs in that situation. Second, ransomware as an attack now must be considered a data breach; some subset of the organization’s data is stolen as part of the attack in order to both prove to the organization they have it, and will publish should the ransom not be paid.

Ransomware gangs have stepped up their attacks amid the pandemic to maximize their ill-gotten profits. Microsoft's Threat Protection Intelligence Team reported that almost every ransomware infection had evidence of attackers viewing and exfiltrating data. They also said there is a relatively long lag between compromise and ransomware deployment, and further, attackers often maintain control over endpoints after deploying ransomware. 

May 2020 - New York Grubman Shire Meiselas & Sacks, media and entertainment law firm used by A-list stars, was hit by REvil ransomware. The firms website went down and threat actors behind REvil claim to have 756 gigabytes of data including contracts and personal emails. Cyber-security company Emsisoft says the hackers have posted images online of a contract for Madonna's World Tour 2019-20 complete with signatures from an employee and concert company Live Nation.

The total cost of the average ransomware attack more than doubles if the victim decides to pay the ransom, according to Sophos’s State of Ransomware 2020 report. According to the report, the average total cost of a successful ransomware attack—including downtime, technical recovery, extra hours, lost business, as well as the ransom payment—was $732,000 for victims that refused to pay the ransom. Interestingly, that number rises to $1,448,000 for organizations that do pay the ransom.

A new strain Ako ransomware is demanding one ransom payment to decrypt their data, and a second payment to not publish stolen files. This tactic appears to only apply to larger victim companies and is also dependent upon the kind of data stolen. While we’ve seen the average ransom doubling this year, this second demand for a ransom tends to run in the $100K to $2M range (remember, the organizations seeing these types of attacks are the ones the the Ako folks believe have deep pockets). This second ransom almost assures the cybercriminal some form of payment, one way or another.

Data from Coveware, a company that handles ransomware incidents, shows that the average ransom price increased from $84,000 in 2019 to $111,605 in the first quarter of 2020. Ryuk and REvil continue to be responsible for this increase in average ransom.

The ransomware formerly known as Mailto has rebranded as Netwalker and are conducting interviews to identify appropriate affiliates to work with. According to the details uncovered, affiliates receive up to 70% of the ransom, giving cybercriminal organizations ample incentive to partner up with Netwalker.

June 2020 - Recent changes in ransomware attacks that now include data theft for the purposes of extorting the ransom or face public posting of the stolen data recategorize ransomware as a data breach instead of simply a malware infection-turned-decryptor. And it’s this change in attack tactics that brings us to the issue of data breach notification. Most ransomware attacks now involve data exfiltration so now you need to determine whether data was stolen, what was taken, and whether you need to begin the notification process. 

Brian Krebs had the news first. "The criminal group behind the REvil ransomware enterprise has begun auctioning off sensitive data stolen from companies hit by its malicious software. The move marks an escalation in tactics aimed at coercing victims to pay up — and publicly shaming those don’t. But it may also signal that ransomware purveyors are searching for new ways to profit from their crimes as victim businesses struggle just to keep the lights on during the unprecedented economic slowdown caused by the COVID-19 pandemic." You can count on other cyber organized crime gangs to follow this "innovation".

In Kivu's What Doxxing Victims Reveal About “Targeted Attacks” report, they analyzed the geographic and industry-based metrics of over 140 ransomware victims who were doxxed between February 1, 2020 and May 1, 2020. Among their key findings were: 55% of all doxxed victims were located or headquartered in the US, followed by 7% in the UK and 4% in France. The remaining 34% of victims were spread out across the globe. Companies that fall under the consumer sector were the most represented in the data at 30%. This was followed by 22% in industrials and 15% in financial services. Kivu’s investigation showed that ransomware variants generally do not favor one industry over another – rather, they are likely to deploy more successfully within certain environments, which are industry agnostic.

According to Microsoft’s Advanced Threat Analytics, the median number of days an attacker sits within your network undetected is 146 days. The new PonyFinal ransomware demonstrates this behavior. According to Microsoft, attackers in this case put a human touch on the attack, not leveraging automation, but are patient and are looking for victims of opportunity rather than trying to hit everyone and anyone. By first compromising internet-facing web systems, attackers compromise privileged credentials and use PowerShell tools and service accounts to obtain the needed access the victim network. In most cases, the attackers focus on endpoints where the Java Runtime Environment (JRE) is installed Then, according to Microsoft, attackers “stay dormant and wait for the most opportune time to deploy the [PonyFinal] payload.”

Researchers at Symantec have spotted a new element in recent Sodinokibi (aka REvil) ransomware campaigns, with the attackers scanning compromised networks for PoS software. It's possible that the attackers could be looking to scrape this information as means of making additional money from campaigns, either by directly using the payment information themselves to raid accounts, or to sell it on to others on underground forums.

Symantec issued an urgent warning that Russian hackers had exploited the sudden change in American work habits to inject code into corporate networks with a speed and breadth not previously witnessed using WastedLocker. The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom. At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks.

July 2020 - Recent updates to the well-known Thanos Ransomware-as-a-Service make it a formidable challenge for even well-secured organizations. Some of the improvements include: RIPlace technique for avoiding detection, Encryption speed enhancements, Disabling of 3rd party backup solutions, Ability to impersonate Windows SYSTEM via process hollowing and FTP-based reporting. 

TripWire recently revealed that more than 10% of ransomware infections now involve some element of data theft. These attacks involved numerous ransomware gangs. In March 2020, for instance, the Nefilim crypto-malware strain began telling its victims that it would publish their stolen data within a week unless they paid their ransom. That was about a month before the security firm learned of Ragnar Locker’s demand of 1580 bitcoin (approximately $11 million) as ransom from Energias de Portuga (EDP), a Portuguese electric utilities company from which the attackers claimed to have stolen 10TB of data. Approximately a month after that, DoppelPaymer published a new entry on its data leaks site for the City of Torrance, CA.

The Securities and Exchange Commission, through its Office of Compliance Inspections and Examinations (OCIE), issued a warning to advisors and broker-dealers to “immediately” review their cybersecurity controls to prevent and respond to an increase in phishing campaigns and ransomware attacks. The alert provides “observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks. We have observed registrants utilizing the following measures: Incident response and resiliency policies, procedures and plans, Operational resiliency, Awareness and training programs, Vulnerability scanning and patch management, Access management and Perimeter security.

According to security researchers at CheckPoint, the Phorpiex botnet – which first reared its ugly head back in 2018 appears to be experiencing a resurgence in interest last month. Estimated to have generated a half million dollars in revenue in 2019, Phorpiex has traditionally distributed ransomware, cryptominers, and malware to accomplish this. Phorpiex ranked second in global reach last month, affecting 2% of organizations globally, and even made their Top 10 malware families list for June.

The CONTI family of ransomware has taken steps to improve the performance of encryption while using new and old methods to ensure success. CONTI uses up to 32 independent threads to simultaneously encrypt data, thereby speeding up the process. According to new research from VMware, CONTI uses the Windows Restart Manager to cleanly close applications with locked files, allowing those files to be included in the encryption process. They avoid detection by using 277 unique string encoding algorithms to obfuscate the original code and bloat the simple program into a larger application that is more difficult to identify as the ransomware.

August 2020 - Coveware’s Q2 2020 Ransomware Marketplace Report shows that ransomware attacks are growing in sophistication, scope, effectiveness, and cost. According to the report: The average ransom payment has jumped form $111K in Q1 to $178K in Q2, The median company size has steadily increased from 25 in 2018 to 100 in Q2 and continues to increase “Big Game” variants like Maze targeted much larger companies, averaging over 16K employees, The top 3 ransomware players were only responsible for 30% of attacks in Q2, highlighting that many new variants are gaining steam, 30% of ransomware attacks involved a threat to release data (with no confirmation that data was actually stolen), 22% of attacks actually involved confirmed exfiltrated data – this is up from 8.7% in Q1, a rise of 152%, Both Maze and DoppelPaymer variants had multiple months in both Q1 and Q2 of this year where 100% of their attacks involved data exfiltration, Payment “defaults” (where data cannot be decrypted) remains low, at 2%.

A group of cybercriminals that helped a Ukranian ransomware gang launder more that $42 million over two years was arrested. This was accomplished with assistance from the Binance cryptocurrency exchange whose “Bulletproof Exchanger” project helped authorities identify large transactions and trace them back to individuals in the real world.

A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts. But here is the clincher: When performing attacks, DarkSide will create a customized ransomware executable for the specific company they are attacking. DarkSide states that they only target companies that can pay the specified ransom as they do not "want to kill your business."The threat actors have also stated that they do not target the following types of organizations: Medicine (hospitals, hospices), Education (schools, universities), Non-profit organizations and the Government sector.

The FBI has arrested a Russian citizen (27-year-old Egor Igorevich Kriuchkov) for trying to recruit an employee of Tesla’s Gigafactory Nevada to plant malware inside the firm. According to the US Justice Department, Kriuchkov promised to pay as much as $1 million to the employee. The goal: to steal data from the company and then threaten to make the information public, unless a large (~$4million) ransom was paid. However, the Justice Department’s complaint suggests the employee ended up secretly working with the FBI to gather evidence against Kriuchkov, who was arrested on Saturday in Los Angeles.

The Australian Securities and Investments Commission (ASIC) is suing RI Advice Group for being hacked multiple times over a year’s time that includes 155 hours of undetected hacker activity. According to a notice filed earlier this month in Australian federal court, RI Advice Group was the victim of two remote access-turned-ransomware attacks in December 2016 and May 2017, and a third successful attack on a server containing sensitive financial information and client identification documents in December of 2017. Because RI Advice Group is a financial services firm, they are subject to the ASIC, who are suing them for failing to establish and maintain compliance measures that include security controls.

September 2020According to security researchers at Kaspersky in a guest blog post, the attack chain used by threat group DeathStalker seems to be intent on gathering sensitive business information rather than deploy malware, ransomware, or any other malicious action normally seen for financial gain. What makes this attack so interesting is the resourcefulness found in the details. According to the article, the Powersing attack includes some of these capabilities: A modified .LNK file is used as the malicious attachment that launched CMD.EXE, then PowerShell, An embedded decoy document is presented to the user while it continues its malicious actions to keep them from becoming suspicious, It uses drop dead resolvers – URLs that point to posts or content in legitimate sites that contain Base64 encoded strings, such as the following.

According to AD-focused cybersecurity vendor Semperis, in their Recovering Active Directory from Cyber Disasters report, it appears the IT organizations simply aren’t prepared: 84% of orgs feel an AD outage would be “significant, severe, or catastrophic”, Only 3% of orgs are “extremely confident” about their ability to recover AD to new servers should it be necessary, Only 15% of organizations have actually tested their AD recovery plan in the last six months.

According to new research from Checkpoint, the new version of the Qbot trojan contains a number of collector modules. One is used to harvest browsing data, email records, and banking credentials. Another uses mimikatz to scrape RAM for credentials. And still another new module seen by Checkpoint, extracts specific email threads related to tax payments, job recruitment, and COVID-19 from the endpoint’s Outlook client, uploading them to the attacker's command-and-control (C2) server.

New data from cyber insurer Coalition shows massive increases in both the frequency of ransomware attacks and the ransom demand with Maze and Ryuk leading the way. Their H1 2020 Cyber Insurance Claims Report points out the increases are more than just anecdotal. According to the report in the first half of 2020: Ransomware attack frequency increased 260%, Ransom demands increased 47%, Maze and Ryuk ransomware variants represented 53% of all attacks and Ransoms ranged from $1000 to over $2,000,000. Further, the report found that funds transfer fraud has increased 35% since the onset of COVID-19. Most funds transfer fraud claims involve the following social engineering techniques: Invoice Manipulation – This usually involves either using a compromised third-party email or having specific pending transaction details enough to fool the victim. Look-alike Domains – Impersonation is often used where the cybercriminal uses a domain with an added/subtracted/swapped character in the name to trick the victim into believing the email requesting funds is legitimate. Email Spoofing – This is the simplest form, as in the CEO credit card scam (where the email purports to be from the CEO’s personal email address). Sometimes just looking like it *could* be from someone legitimate is enough to fool the victim.

October 2020 - BitDefender’s recent Mid-Year Threat Landscape Report 2020 shows that the first half of 2020 saw a 7x jump in the frequency of ransomware attacks when compared to the same time in 2019. We’ve also seen ransoms jump by an average of 60 percent this year, signaling that cybercriminals are keenly aware of what the havoc they’ve wreaked is worth to an infected organization.

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned multiple ransomware criminals over the last few years, most notably the Russian cybercrime syndicate aptly named Evil Corp. However, not only Eastern European hackers were sanctioned, various North Korean and Iranian actors are also on the list. In an advisory published on Oct 1st, 2020 OFAC made it clear to U.S. companies that paying millions of dollars of ransoms to those groups will invite hefty fines from the federal government. Those that run afoul of OFAC sanctions without a special dispensation or “license” from Treasury can face several legal repercussions, including fines of up to $20 million.

The Wall Street Journal reported that U.S. prosecutors charged six Russian intelligence officers who are accused of engaging in the most destructive cyber attacks of recent years. Notable attacks include operations that knocked out Ukraine’s energy grid, exposed emails from the French president’s party and damaged systems all over the world in the extremely costly 2017 NotPetya ransomware attack. The defendants are charged with several counts including conspiracy, computer hacking, wire fraud and aggravated identity theft.

Security vendor Digital Shadows’ Quarterly Update: Ransomware Trends In Q3 highlights their findings of more and more ransomware attacks turning into data breaches: Maze, DoppelPaymer, and Sodinokibi made up 80% of alerts of the leak sites, Conti and NetWalker ransomware groups joined the ranks of those hosting a leak site and The number of leak sites by well-known ransomware groups rose to 7 by the end of Q3.

November 2020 - In a new report from Security Researcher Vitali Kremez puts the spotlight on exactly how the group behind Ryuk ransomware is successful in infecting and obtaining payment from its victims. The most shocking finding was that the largest ransom paid was 2200 BTC (just under $34 Million USD)!

In Datto’s Global State of the Channel Ransomware Report, they found that the SMB is just as much a target of opportunity as the enterprise. And in many cases, despite it being impactful to the business, SMB’s simply aren’t aware of the danger. According to the report: 70% of MSPs report ransomware as the most common malware threat to SMBs, Only 30% report that their clients feel ‘very concerned’ about ransomware, 62% of MSPs said clients’ productivity was impacted due to attacks and 39% said their clients experienced business-threatening downtime.

Unlike the traditional methods of notifying victim organizations by simply taking over a computer or providing a “readme” text file, this new method has some devilish benefits. Egregor ransomware victims have experienced print jobs being sent to every available printer that notify the reader that all computers and servers are locked, data has been stolen, and “next steps” to take to rectify the situation.

December 2020 - According to researchers at Atlas VPN the average ransomware payout has increased by 178% over the past year. In Q4 2019, the payments averaged $84,000. By Q3 2020, the average payment had risen to $234,000. These numbers have steadily increased each quarter. Atlas VPN offers the following advice for organizations to defend themselves against these attacks: “Firstly, employees should follow well-known cybersecurity practices, such as using 2-Factor Authentication (2-FA) whenever possible, not clicking on suspicious links, and updating their software and OS. These steps might seem like basic practices, but surprisingly, many people do not follow them. “Employers should set up employee training workshops where a security specialist shares security practices together with scenarios that could happen if these tips are not followed. Showcasing incidents that already happened in other companies could be of value to show employees how a single malicious link can cripple a company.”

Some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company tried to restore from their backups to avoid paying ransom demands. Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet on Thursday. These phone calls are another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they've encrypted corporate networks.

UK cyber insurer Beazley, both the extortion demand amounts and total cost of ransomware payments have increased an average of 100% from 2019 to 2020. According to Beazley, a number of best practice steps exist to better protect against ransomware that include proper backups of key systems and data, email filtering and user education.


January 2021 - In an article for the Saudi Gazette,  Peter Mackenzie from Sophos outlines five technical indicators that typically precede a ransomware attack. Here is what you should be looking for: a network scanner, tools for disabling antivirus software, the password extraction tool MimiKatz, patterns of suspicious behavior, and anything that looks like it could be a test attack.

New data from Checkpoint reveals that the growth of attacks on healthcare make it stand out against any other industry sector. According to the report: Healthcare has experienced an increase of 45% in the number of attacks since November 1 last year. The average across all sectors is half that – 22%, The growth is based on the number of weekly attacks – up from 430 in October to 626 since November, Ransomware shows the greatest growth in number of attacks, with botnets, remote code execution and DDoS attacks all seeing increases as well.

The U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN) warns financial organizations to be aware of campaigns actively targeting vaccine companies. FinCEN warned of two expected types of attacks: Ransomware attacks targeting “vaccine delivery operations as well as the supply chains required to manufacture the vaccines” and phishing schemes luring victims from financial institutions and their customers with fraudulent information about COVID-19 vaccines.

A data activist group known as Distributed Denial of Secrets, or DDoSecrets, works to make data stolen as part of ransomware attacks available to journalists. The group has taken over a terabyte of data from organizations covering industries that include pharmaceuticals, manufacturing, finance, software, retail, real estate, and oil and gas, and posted the data to a publicly-accessible website. It’s now imperative to put as much defense in place to stop ransomware attacks from being successful in your organization!

February 2021 - New data from security vendor Coveware in their Q4 2020 Quarterly Ransomware Report shows that phishing is now the prominent ransomware attack vector since RDP compromise is being prevented by potential victims. Shifts in payment amounts surprisingly favor the victim organizations. According to the report: The average ransom payment decreased 34% in Q4 of 2020 to $154,108 from $233,817 in Q3, The median payment also decreased by 55% in the same timeframe from $110,532 to $49,450 and Threats to disclose exfiltrated data stepped up in Q4, with a whopping 70% of ransomware attacks using this tactic (up from 50% in Q3).

Two alleged members of North Korea's military intelligence services were accused of hacking banks and companies in the U.S. and several other countries. The grand total for this scheme is $1.3 billion dollars over the past half-decade for Pyongyang. There is now an indictment for the two alleged criminals that was unsealed by the Justice Department.

Recently, VMware Carbon Black released data on healthcare cyberattacks in 2020. According to the data, 58% of attacks used the thought long-retired Cerber ransomware-as-a-service. Normally known for smaller attacks only taking in ransoms in the amount of hundreds of dollars, this strain of ransomware seems to have been given new life in 2020 by attackers seeing opportunity in hitting healthcare organizations during the pandemic.

March 2021 - Ryuk Ransomware can now worm itself to all your Windows LAN Devices. "Through the use of scheduled tasks, the malware propagates itself - machine to machine - within the Windows domain," ANSSI (short for Agence Nationale de la Sécurité des Systèmes d'Information) said in a report (PDF). "Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible."

On March 5th, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.ecurity experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, backup any data stored on those servers immediately.

The FBI  warned of a wave of ransomware attacks against schools and other entities across the United States and the UK. PYSA ransomware, also known as Mespinoza, is capable of exfiltrating and encrypting files and data stored on users' systems. The PYSA actors are targeting higher education, K-12 schools, and seminaries, they are also among the ransomware groups that steal data and threaten to publish it if the victim refuses to pay up.

As part of its Ransomware-as-a-Service, REvil is now expanding its services to aid in the extortion phase. They've launched a calling service where REvil will call the victim organizations' business partners, local media, and more to bring the attack to light and force the organization to pay up to regain its operations.

Palo Alto Network’s security division, Unit42, released their most recent Ransomware Threat Report 2021, with new data showing the biggest problem with ransomware is all the costs incurred in trying to clean up the mess post-attack. According to the report, the ransom demands in 2020 reached nearly $850,000 with the average ransom paid nearly tripling in 2020 to $312,000 from 2019’s average of only $115,000. In addition, Unit42 highlighted the additional forensics costs post-attack to help victim organizations come up with a response strategy and execution plan. The average forensics costs were $40,719 for small and mid-sized businesses and $207,875 for larger enterprises. This on top of whatever ransoms were paid.

The FBI's Internet Crime Complaint Center (IC3) released their annual report, and the number of complaints have skyrocketed in 2020. There had been almost a 70% increase in reported attacks from 2019 to 2020. The most notable theme of attack was COVID-19, and the center had almost 30,000 complaints related to pandemic scams. 

April 2021 -  Federal Reserve Chairman Jerome Powell in a recent interview with 60 minutes cites cyberthreats as the current biggest concern to financial institutions. “I would say that the risk that we keep our eyes on the most now is cyber risk", highlighting that "there are cyberattacks every day on all major institutions now.” If the person at the very top of our economy says cyber risk should be a top priority, I suggest you heed his warning – whether you’re working in a financial institution or not.

The cybercriminal group Evil Corp has pivoted their execution strategy to bypass sanctions that prevent U.S. companies from paying them ransom. Evil Corp used WastedLocker at the time the sanctions were released, making that variant of ransomware an identifiable marker that the victim organization was doing “business” with someone on the OFAC list. 

The Darkside ransomware operators are now offering to tip off unscrupulous stock traders before they post the names of publicly traded victim companies, the Record reports. The criminals believe this will put more pressure on the victims to pay up. Recorded Future’s Dmitry Smilyanets told the Record that this is the first time a ransomware crew has explicitly made this part of their strategy.

Analysis by threat intelligence group Analyst1 recently uncovered that the bad guys are responsible for forming a ransomware cartelOne of the key findings that is worth mentioning based on the analysis is the use of Ransomware-as-a-Service, which hires cybercriminals to execute the attack for you at a discounted price. Cartels are also continuing to increase their ransom demands, automating their attacks, and reinvesting profits made from successful attacks to enhance their tactics. Unfortunately, it is only getting more and more easier for these ransomware gangs to infiltrate your organization. 

According to a recent report by Coveware, the amount of ransom demanded has increased to $220,298 average payment (43% increase). The median payment has also increased to $78,398 (58% increase). Some other notable insights on the report include: Less companies are paying the ransom. However, with extortion attempts slowly increasing, organizations will feel more pressured to pay the ransom, Gangs are switching their tactics from spear phishing attempts to exploiting vulnerabilities to breach the victim's networks and Law firms have been the central target, as well as companies focused in the professional services industry.

The Ransomware Task Force, a public-party coalition of more than 50 experts, has shared a framework of actions to disrupt the ransomware business model. “The strategic framework is organized around four primary goals: to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively” - Ransomware Task Force

New data from Sophos’ The State of Ransomware 2021 report points out the bottom line piece of information you need to focus on – it’s going to cost you a ton of money if you get hit with ransomware. A few details from the report provide some insight into what you should expect if attacked: Only 39% of organizations were able to stop the attack before it encrypted data, Local government, Utilities, and Healthcare industries had the least ability to stop attacks resulting in the encryption of their data, The average ransom payment was US$170,404, Nearly one-third (32%) of organizations paid the ransom – this is a 23% increase over 2020, Only 65% of data was restored after paying the ransom.

May 2021Only 8% of ransomware victims get all of their data back after paying the ransom, according to researchers at Sophos. The researchers found that, on average, victims who pay the ransom recover about 65% of their data, while 29% of respondents said they recovered less than 50% of their data. Better not to rely on a social contract with criminals. Help your people learn how to spit the phish hook before it’s set.

It's all over the news that the US’s largest gasoline pipeline was shut down and restarted because of a ransomware attack. As reported by the New York Times, “One of the nation’s largest pipelines, which carries refined gasoline and jet fuel from Texas up the East Coast to New York, was forced to shut down after being hit by ransomware in a vivid demonstration of the vulnerability of energy infrastructure to cyberattacks.”

Insurers of cybersecurity policies are a good indicator of whether the security posture of most organizations is sound or not. And from the look of things, some of you could use some help. Tamara Ashjian, Director of Claims at Tokio Marine HCC – Cyber & Professional Lines Group recently spoke with Insurance Business about the current state of cyber insurance claims. According to Ashjian, a few years ago, there were very few claims and most were in the $10,000 range. In 2019, claims climbed to just above the $500,000 range, and in 2020 claim payouts jumped significantly between $3 million and $5 million. This amount will likely only go up, putting additional pressure on insurers to make sure their insureds have proper security in place.

Cryptocurrency and blockchain data provider Chainalysis in their Ransomware 2021: Critical Mid-year Update Report, shed some light on why ransomware-as-a-service is only growing. In 2020, the total amount paid by ransomware victims rose 311% from the previous year. The amount of ransomware funds going to these third-party “providers” has also skyrocketed in the last 4 quarters.

Last week, Microsoft spotted a new attack using the year-old Java RAT, STRAAT, in the wild. Starting as a phishing attack sent under the premise of containing a list of outbound payments made by your company, this attack uses a PDF that connects to an attacker-controlled domain to download and install the STRAAT malware. This malware can collect passwords from browsers and applications, and can also capture keystrokes and run remote commands and launch PowerShell scripts on the infected endpoint.

June 2021 - Sophos researchers report finding new “Epsilon Red” ransomware. The malware is written in GO, and it was delivered as the final executable payload in a hand-controlled attack against a target in the US hospitality sector. The whole Red Epsilon package performs these actions against its targets: kills processes and services for security tools, databases, backup programs, Office apps, and email clients, deletes Volume Shadow Copies, steals password hashes contained in the Security Account Manager file, deletes Windows Event Logs, disables Windows Defender, suspends selected processes, uninstalls security tools (including tools by Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, and Webroot), and finally, it expands permissions on the system. Vulnerable Microsoft Exchange Server instances have been Epsilon Red's point of entry into victim networks.

With 81% of organizations believing ransomware attacks will become more prevalent in the second half of 2021, nearly everyone is preparing for the worst to come. According to ISACA’s latest survey of 1,200 IT professionals, it appears that organizations are waking up to the fact that ransomware is a much larger problem. 46% of organizations consider ransomware to be the cyberthreat most likely to impact their organization in the next 12 months. 85% think their organization is at least “somewhat prepared” for a ransomware attack. And only 32% believe their organization is “highly prepared.” 38% of organizations have not conducted any ransomware-related training for their staff, and yet, even ISACA attributes the “human factor” as one of the reasons ransomware is growing.

The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism. Internal guidance sent to U.S. attorney's offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

In IBM Security’s latest report, the X-Force Threat Intelligence Index 2021, we get a glimpse into what the ransomware gangs have achieved, who’s most successful, and what tactics they’re using. This critical detail can provide needed insight into how to best fortify your organization’s network. According to the report: Ransomware attacks were #1, involved in 23% of all cyber attacks (with data theft, server access, and BEC following at a distance), REvil’s Sodinokibi ransomware dominated with 22% of all ransomware attacks, 58% of attacks occurred in the U.S., 59% of ransomware attacks used a double extortion strategy (where data is exfiltrated and the threat to release is added to the ransom), An estimated 21.6TB of data was exfiltrated, An estimated $123 million was profited by ransomware gangs in the last 12 months from these attacks.

In Cyberreason’s Ransomware: The True Cost To Business report, there are a number of shocking stats that provide insight into what the operational and business aftermath of an attack looks like. According to the report: 53% reported that their brand suffered, 66% reported a significant revenue loss, 42% reported that cyber insurance did not cover losses, 46% had some or all of their data corrupted even after paying the ransom, 25% had to close their doors for a period of time before reopening. And the kicker is that 80% of those who paid the ransom experienced another attack. Phishing remains one of the primary initial attack vectors, demanding that organizations prevent phishing attacks by engaging users with Security Awareness Training to keep them up-to-date on current phishing attacks, scams, social engineering methods, and campaign themes.

The recent Ragnar Locker ransomware attack on Taiwanese Chip manufacturer, ADATA saw 700GB of stolen data published by the ransomware gang on legitimate storage vendor, MEGA. While access to the links was short-lived (the Ragnar-owned account was quickly disabled), there was an opportunity to see what kinds of data was exfiltrated and published.

According to a recent report by OODA Loop, "Mandiant claims to have detected a 422% increase in victim organizations announced by ransomware groups via their leak sites year-on-year between the first quarter of 2020 and Q1 2021." Mandiant also discovered that victims across 600 European organizations were widespread across several different types of industries. 

July 2021 - Security firm LIFARS confirms that cybercriminals are acting like venture capital investors, funding startup cybercriminal organizations, such as Darkside Ransomware. The only way to thwart this next generation of cybercriminals is to look at the parts of the attack they can never modify – the need for a human to get involved via phishing.

Security researchers at Palo Alto Networks found a variety of initial attack vectors for REvil ransomware-as-a-service, including phishing, RDP and vulnerabilities (SonicWall and Exchange vulnerabilities have been seen in the wild). Then, a combination of Cobalt Strike BEACON, use of remote connection software ScreenConnect and AnyDesk, and the creation of local and domain accounts provide REvil threat actors with persistent access to the victim network. Everything from legitimate tools like NETSTAT and IPCONFIG, to tools like BloodHound and AdFind are used in reconnaissance to map out systems. Many cases of infection are accomplished using the legitimate tool PsExec and a text file-based list of internal IP addresses. Encryption usually happens within 7 days of initial compromise but, in some cases, took as long as 23 days.

According to a new article by blockchain tech vendor, Chainanalysis, the answer to stopping ransomware could be found by using similar strategies as those utilized in counterterrorism. In the article, they maintain collaboration is key – between military, law enforcement, intelligence agencies, public-private partnerships, using shared frameworks and watchlists.

New York's Department of Financial Services has issued new guidance to specifically counter the ransomware epidemic. These include: Email Filtering and Security Awareness Training, Vulnerability/Patch Management, Multi-Factor Authentication, Disabling RDP Access, Password Management, Privileged Access Management and Monitoring and Response.

Security researchers at Analyst1 have identified four Russian ransomware gangs that actively work together to coordinate attacks, data leaks, and more. The specific ransomware gangs are: Twisted Spider (who use Maze and Egregor), Viking Spider (Ragnar Locker), Wizard Spider (Ryuk and Conti) and The Lockbit Gang (Lockbit). Notable ties between them include sharing of victim data & leak sites, sharing of infrastructure, adopting each other’s tactics; not to mention the fact that they all have claimed affiliation to the cartel.

New data from Keeper Security’s 2021 Ransomware Impact Report highlights some of the forgotten impacts to an organization’s productivity post-attack: over three-quarters (77%) were unable to access needed systems or networks, 28% of outages lasted over a week, 26% of organizations were unable to fully perform job duties for at least a week, 33% faced difficult learning curves around new protocols, 21% were unable to access online tools and applications normally used and 36% of user had limited access to IT support for non-security related issues.

Researchers at Coveware recently analyzed ransomware attacks during Q2 of this year and noticed a similar trend in ransomware attack methods by cybercriminals. The two methods that are gaining popularity by ransomware gangs are email phishing attacks and brute force attacks. To help protect your organization's network you can take additional security measures such as multi-factor authentication, frequent software updates and patches, and most importantly, implement new-school security awareness training. 

According to the 2021 Cyber Threat Report by SonicWall, 304.7 million ransomware attacks occured in the first half of 2021, already surpassing the total number of ransomware attacks for all of 2020 with 304.6 million (a 151% increase YTD). The spikes in volume of ransomware have occurred in the US at a rate of 185% and 144% in the UK. The top industries being targeted are government (917%), education (615%), healthcare (594%), and retail (264%) companies. June 2021 was the worst month with SonicWall reporting 78.4 million registered ransomware attacks. 

August 2021 - DarkSide Ransomware, possibly the world’s most notorious ransomware gang, disappeared completely and resurfaced with new branding as BlackMatter. DarkSide previously targeted critical infrastructure companies in the U.S., they have now made it clear thet are not attacking those types of businesses.

In security vendor Palo Alto Network’s recent Unit 42 Ransomware Threat Report, 1H 2021 Update, we learn 2020’s average ransom demand was $847k, that jumped up to $5.3 Million in 2021. The highest demand seen by Unit 42 consultants was $50 Million, and the largest disclosed ransom payment was $11 Million. Not only is the ransom demand up, but the average ransomware payments have climbed 82% since 2020 to a record $570,000 in the first half of 2021.

September 2021 - New analysis from global cyber and software resilience vendor NCC Group sdwc showed that ransomware was most definitely globally on the rise, the top strains being Conti and Avaddon. Attacks increased 288% when comparing January-March 2021 with April-June 2021 with the U.S. representing the largest share of victims at 49%.

Fortinet’s FortiGuard Labs 1H 2021 Global Threat Landscape Report and revolves around the currently-observed state of ransomware. According to the report, the weekly average number of ransomware attacks detected in June of 2021 was over 149,000. A year prior, it was only 14,000 – making an increase of 966%.

October 2021 - According to GetApp’s 2021 Data Security Report, ransomware attacks increased 25% over the last year. And yet, the report found that 33% of organizations have no incident response plan, as well as 23% have no processes in place to report a cyberattack.

Ransomware 3.0 is here, and it's about to get much worse. Ransomware gangs are beginning to evolve into multi-faceted, do anything attack gangs. Not limited by encryption-only or even quintuple extortion, they are branching out into all sorts of other related or unrelated activities, including selling exfiltrated data, credentials, initial access, stealing money from bank and stock accounts, personal extortion against individuals, and much much more.

November 2021 - Cyberreason released their Ransomware Attackers Don’t Take Holidays report, highlighting concerns around attacks taking place during weekends and holidays. They found that 86% of security professionals had missed celebrating a holiday or weekend activity because of a ransomware attack, 60% of holiday weekend attacks have resulted in attackers taking longer periods to assess the scope of the attack and 89% of organizations continue to be concerned about weekend and holiday-timed ransomware attacks.

December 2021New “Karakurt" threat group gained attention through multiple and frequent extortion attacks. With a supposed 40 victim organizations in only 90 days, this cybercriminal group appears to be a formidable adversary.


January 2022 - A recent look into Hive ransomware-as-a-service by security researchers at GroupIB shows just how easy the group makes ransomware attacks. Affiliates can generate a unique version of the ransomware in less than 15 minutes, victim companies can be registered into the Hive’s backend (much like a software partner registering a customer in a partner portal to ensure the deal is attributed to the partner), and transparency is key; with the Hive making sure all communications with victims also visible to affiliates.

Using mailed out BadUSB drives as the initial attack vector, cybercriminals are attempting to infiltrate sensitive networks and infect them with BlackMatter or REvil ransomware strains. US defense industry organizations are the targets.

65% of organizations report that their employees have been contacted by ransomware attackers in an attempt to recruit insider threats, according to researchers at Pulse and Hitachi ID.

February 2022 - New data from Mandiant Intelligence shows that 1 in 7 ransomware attacks that include the theft of sensitive data leak operational technology details.

The average ransom asked for in attacks has increased by 130%, now averaging $322k. Furthermore, data exfiltration is now a part of 84% of all ransomware attacks according to Coveware’s recent Q4 2021 Quarterly Ransomware Report.

Chainalysis just released a preview of their 2022 Crypto Crime Report, revealing that Conti was the top ransomware strain of 2021, raking in $180 million. Other data points from the report show the number of ransomware strains grew 17%, ransomware payments grew 34%, and the share of ransomware funds going to third-party sellers grew from 6% to 16% in 2021.

A new QBot attack was spotted in the last few weeks, and it’s able to act more quickly than before. SnapMC, a cybercriminal group that focuses on data theft and extorting payment, is able to gain access and steal data within 30 minutes. In this case QBot was collecting data including browser data and Outlook emails. 

March 2022 - According to the US Federal Bureau of Investigation (FBI), the Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors. "As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors," the federal law enforcement agency said.

Data-destroying malware was discovered this week in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. "This new malware erases user data and partition information from attached drives," ESET Research Labs explained.

Security vendor Venafi recently published survey data that shows 83% of all successful ransomware attacks include double and triple extortion. Many attacks either threaten to use stolen data to extort customers or to expose the data on the dark web. They also found that victims that paid the ransom in some cases still had their data exposed on the dark web or were unable to retrieve their data.

A new analysis of the most recent version of QakBot details how the banking trojan has evolved. QakBot accesses the inbox of the infected victim and impersonates the compromised account, sending out phishing emails via a Reply to All of all existing email threads. To make the email look more authentic (and as with all Reply to All emails) the original message being replied to is quoted.

A new ransomware-as-a-service (RaaS) strain called LokiLocker uses rare code obfuscation and includes a file wiper component that attackers can deploy if their victims don't pay.

Security vendor CrowdStrike’s 2022 Global Threat Report points to the growth of ransomware across the board: the number of tracked cybercriminal groups has increased by 170%, data leaks have become ubiquitous with ransomware attacks, the time it takes to break out from an initially-compromised endpoint to the rest of a victim’s network is 1 hour and 32 minutes, interactive intrusions (those with a live threat actor involved) have increased by 45%.

According to Veeam’s just-released 2022 Data Protection Trends Report, most organizations aren’t equipped to fully recover from ransomware attacks. What they found: 76% of organizations experienced a ransomware attack in the last 12 months, 60% of orgs experienced two or more attacks in the same timeframe, at best, only 80% of the data was recoverable – and only 19% of orgs were able to accomplish this, the average organization is only able to recover about 64% of their data.

April 2022 - New data from cybersecurity vendor CyberCatch in their Small and Medium-Sized Businesses Ransomware report makes it clear that SMBs are not ready for attacks: 30% of SMBs have no written incident response plan, of those that do, 35% of them tested the plan over six months ago, 21% of SMBs have no offline immutable backups, 34% of SMBs don’t utilize phishing testing of employees to thwart phishing attacks.

New data shows that the ransom amount paid is only a small portion of the total real cost of surviving a ransomware attack. Other costs like extortion, lost income, remediation and response add up to be 7.083 times larger than the paid ransom, according to Check Point. This means the average ransomware attack costs organizations an average of 9.7% of their annual revenues!!!

By breaking into an attack server, security researchers have uncovered new details that show the connection between the Karakurt group and Conti ransomware. Interesting findings connecting the two organizations show payments between cryptocurrency wallets managed by the two organizations as well as several accounts of Conti victims also paying Karakurt at a later time.

According to ITRC’s latest Q1 2022 Data Breach Analysis report, 92% of data compromises from January 2021 through March 2022 were the result of some form of cyber attack – which can include zero day attacks, software flaws, credential stuffing, malware, ransomware, and phishing.

In a joint multi-country cybersecurity advisory (CSA), governments are warning their respective critical infrastructure organizations to be vigilant against increased malicious cyber threat activity. In it, the advisory warns of “evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks” and that cybercriminal groups – who have recently publicly pledged support for the Russian government – “have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people.”

May 2022 - Osterman Research’s latest Phishing, BEC, and Ransomware Threats for Microsoft 365 Users report shows the use of email as a malicious vehicle is not only clear and present, but is successful for cybercriminals. 89% of organizations experienced one or more successful email breaches during the last 12 months, with less than half of organizations rating their email security as effective, 64% believing their security solutions to be ineffective against attacks impersonating executives, and 54% believing their security solutions to be ineffective in preventing impersonated emails of any kind from reaching a user’s inbox.

A March 2022 report from the Senate Committee on Homeland Security and Governmental Affairs zeros in on the growing problem of ransomware, highlighting that there were 3 million attempted ransomware attacks worldwide in 2021, 5 million of those attacks occurred in the United States, and the U.S. experienced a 98% increase in attacks in 2021.

A threat group referred to as FIN12, a financially motivated threat group behind prolific RYUK ransomware attacks dating to at least October 2018, has their dwell time from initial access to encryption down to two days. That’s down from 5 days in the first half of 2020. Phishing remains the number one initial attack vector, making training your users to spot phishing attacks a primary concern for your cybersecurity strategy.

Three wind energy companies based in Germany have been targeted within a short period of time with what is suspected to be Conti ransomware.
June 2022 - The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners have issued a joint alert on Karakurt, a data theft extortion group that is now harassing victims’ employees, customers, and business partners with emails and phone calls in order to pressure the victim to pay up. 
A new report from CyberReason provides new insight into what happens during and after a ransomware attack. According to the report, 73% of all organizations have experienced a ransomware attack in the last 12 months. Of those that paid the ransom, 80% then experienced a second attack and 68% were asked for a higher ransom!
In a recent post from Microsoft explaining the cybercrime economy, they devised their own ransomware funnel of sorts based on what they’ve observed with customers. For every 2,500 organizations that are potential ransomware targets, 60 are prioritized by ransomware groups, 20 are successfully compromised, and 1 experiences an attack.
July 2022 - July is ransomware awareness month! According to a new Cybersecurity Ventures report, the global cost of ransomware reached $20 billion in 2021, up from $325 million in 2015. They are predicting global ransomware damage costs to reach $265 billion by 2031, with a new attack (on a consumer or business) every 2 seconds. We've put together a free ransomware awareness month resource kit to help you defend against these attacks in your organization.
MedusaLocker has been observed predominantly exploiting vulnerable Remote Desktop Protocol (RDP) configurations to access victims' networks. This strain appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments.
Conti ransomware has quickly become the most recognizable name in ransomware today. Making up 16% of all ransomware attacks today, Conti has disrupted the operations of over 850 companies, government agencies, and an entire country. Their most impressive feat yet is compromising more than 40 organizations in just one month.
The new AlphV/BlackCat ransomware gang has created a user-friendly website that allows employees to search and see if their own private information has been made public.
August 2022 - Cisco recently confirmed that they were hacked by a ransomware group as the group of cybercriminals published a partial list of files that were claimed to be exfiltrated.
Comparitech’s analysis of ransomware attacks in 2021 gives some insight into the current state of ransomware. According to the report,  total estimated cost of downtime in the U.S. in 2021 was $159.4 Billion – a 12% rise from 2020, the average downtime duration is 22 days – a 23% increase from 2020 and ransom amounts ranged from $5,500 to $40 million (in two cases!).
Researchers at AdvIntel warn that three more ransomware groups have begun using the BazarCall spear phishing technique invented by the Ryuk gang. There are four stages of the technique that start with a phishing email and end with a malware session that allows the adversary access an initial point of entry.
The LockBit ransomware gang has lead the way as one of the most prominent ransomware variants seen in attacks in the first quarter of this year. They’ve continued to follow the similar “encryption + data leak” strategy for many months, but it appears that LockBit is planning on utilizing DDoS as part of an ongoing triple extortion effort moving forward.
BlackByte ransomware is using the publish extortion game utilizing a dark web data leak site to ensure payment, but are offering some creative options for victim organizations. In sort of a backward customer service-like model, BlackByte are giving their victims a few extra options besides the “pay us or we’ll publish” ransom, like extending the leak by 24 hours for an additional $5,000, an opportunity to download the stolen data for $200,000, or a promise to destroy the data for $300,000.
September 2022 - A new tactic called Intermittent Encryption only encrypts a portion of a file, but just enough to render it useless. A number of ransomware families have recently adopted this method, including Qyick, Agenda, BlackCat, PLAY, and Black Basta.
According to Sophos' State of Ransomware in Retail 2022 report report, the percentage of Retail organizations hit by ransomware (77%) is nearly 17% higher than the average across all industries, demonstrating a particular focus being placed on it by cybercriminals. 
The previously-thought defunct REvil cybercriminal gang appears to not only reopened for business but has re-established themselves as a major threat by touting 400GBs of stolen data. REvil is also claiming responsibility for an attack of Midea Group, a $50 billion electrical manufacturer.
October 2022 - Security firm Cyble explained "fake ransomware" in a research report: “Fake ransomware acts as a usual ransomware but does not encrypt the files. The Fake ransomware shows false information that the files are encrypted and threaten the user to pay ransom for decryption. There is a possibility that victims can pay ransom to recover the files as they are renamed and unusable. We are not sure about the authenticity of the decryptor if the ransom is paid. Even if the decryptor is provided, renaming files to their original file name is not possible as the malware is not storing them anywhere during the infection.”
According to a recent Coveware report, remote desktop compromise (RDP) and phishing have been going back and forth as the primary initial attack vector for ransomware. But the latest data shows that software vulnerabilities are on the rise as the initial attack vector – representing approximately 25% of all ransomware attacks – with RDP dropping significantly from approximately 30% in Q2 of this year to around 20%.
Ivanti’s Ransomware Index Report Q2‑Q3 2022 shows how vulnerabilities have grown in use and are currently being used as part of ransomware attacks today. The number of vulnerabilities affecting vendor products rose 500% from 19 in 2019 to 114 in 2022. This comes at a time when the number of ransomware families in Q3 of this year has reached a total of 170.
November 2022 - Microsoft has observed a threat actor that’s been running a phishing campaign since August 2022. The threat actor, which Microsoft tracks as “DEV-0569,” is using phishing emails to distribute malicious installers for legitimate applications, including TeamViewer, Microsoft Teams, Adobe Flash Player, Zoom, and AnyDesk. The phishing campaign leads to the installation of ransomware and information-stealing malware. In the most recent campaign, the threat actor is using website contact forms, legitimate software depositories, and Google Ads to distribute their links.
Azov Ransomware is a sleeper ransomware that's really a data wiper in disguise. When run on a victim's device, it overwrites file data with junk, rendering the files useless. The overwrites are cyclical - the malware would overwrite 666 bytes of data, then leave the next 666 intact, then repeat the process. 
Australian insurer Medibank was hit with ransomware, refused to pay, and as a result had 10 million health records leaked. Some of the data they discovered threat actors had included: all personal data and health claims data from subsidiary AHM Health Insurance, all international student customers’ personal data and health claims data, all Medibank customers’ personal data and health claims data.
New data from security vendor Talos’ Quarterly Report: Incident Response Trends in Q3 2022 shows repeatedly that credentials are a material focus for threat actors from a few perspectives including initial attack vector, tools used, and top observed ATT&CK techniques.
In a recent article focusing on the ransomware gang Black Basta, the security analysts at the Check Point Incident Response Team showcase some details about this newest addition to the long list of ransomware families we’ve encountered. Black Basta has successfully attacked, exfiltrated data from, and leaked data belonging to 89 high-profile organizations since May of this year. 
December 2022 - The Ohio Supreme Court ruled in favor of an insurance company, determining that its contract to cover any direct physical loss or damage to property did not encompass ransom payments made when a hacker illegally gained access to medical billing software company EMOIs systems and data.
The Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3 ) released an analyst note last week discussing recent attacks by Royal ransomware against the Healthcare and Public Healthcare (HPH) sector. According to the note, Royal is not operating in an “as a Service” model, meaning they are keen to take 100% of all ransoms collected – which currently range from $250K to over $2 million. They are focused primarily at hospitals and other healthcare organizations within the United States, using data exfiltration, double extortion tactics to ensure payment, and publishing 100% of all data stolen.

According to Cybereason’s Organizations at Risk report subtitled Ransomware Attackers Don’t Take Holidays, 88% of organizations worldwide have experienced a ransomware attack on a weekend or holiday. And during those “after hours” timeframes, 67% of organizations are understandably staffed with half of their IT staff or less. And when comparing the impact of a weekend/holiday ransomware attack with that of one that occurs during the work week, the difference is noticeable: 34% of organizations took longer to assemble their response team, 37% took longer to assess the scope of the attack, 37% took longer to stop the attack, 36% took longer to recover from the attack and 31% lost more money.


January 2023 - Phishing attacks are now the top vector for ransomware delivery, according to researchers at Digital Defense. Phishing emails can be highly tailored to specific employees in order to trick them into downloading malicious files. They stated: "In a recent survey, it was revealed that a staggering 78% of organizations experienced one or more ransomware attacks in 2021, 68% of which stated that the attack originated from a direct email payload, second-stage malware delivery, or similar cause.

According to blockchain analytics company Chainalysis, despite the number of ransomware campaigns launched throughout 2022, organizations refused to submit and paid criminals an estimated $456.8 million - 40% less than the astounding total of $765 million in ransom payments from 2020 and 2021.

In a recent attack by the ALPHV ransomware gang (also known as BlackCat), the threat actors used a typo squatted domain name to increase the chances that stolen data will be seen by the general public after not being paid the ransom. The lookalike domain name that could be reached by simply mistyping the victim’s domain name to make the data accessible to anyone attempting to do business with the victim organization.

According to the latest Quarterly Ransomware Report from ransomware response company Coveware, ransomware gangs are having a harder time collecting ransom. In response, they are both increasing the average ransom and going after larger organizations that (in theory) have the ability to pay. The average ransom payment is now $404K, a 58% increase from the previous quarter and the highest ever reported by Coveware.

An analysis of the publicly-accessible data on ransomware attacks shows that local governments, higher education, and healthcare industries that were a primary target of ransomware in 2021 continued to be targets in 2022. Security vendor Emisoft's The State of Ransomware in the US: Report and Statistics 2022, analyzes all of this data. They expect this focus to continue, if nothing is done to shore up the security in these sectors.

February 2023 - A new report from insurance provider Hiscox revealed that over the last five years, the percentage of companies that have been attacked has bounced around from 43% to a high of 61%, making ransomware the most common threat for UK businesses. An interesting part of the report is what organisations invested in after a cyber attack. Around two out of five experts said they had put additional cybersecurity and audit requirements in place (41%), stepped-up employee training (39%) and improved preparations for cyber attacks (39%). 

Cyber insurer Beazley’s Cyber Services Snapshot provides a look back at 2022, along with some predictions for 2023. According to the report, ransomware’s use of exfiltration and extortion since it’s mainstream adoption by ransomware gangs in late 2020, has steadily been increasing from 69% of attacks in Q3 of 2020 to a massive 96% of attacks in Q4 2022.

March 2023 -  The Cybersecurity and Infrastructure Security Agency CISA's latest ransomware warning promotes fighting social engineering at the top of the document.  Security awareness training is now in the top 3 of every CISA and FBI ransomware warning.

Since the goal of ransomware is to disrupt operations, targeting industrial control systems has been an increasing focus for specific ransomware groups. According to a newly released report from cybersecurity firm Dragos, there are 35% more ransomware groups actively targeting ICS and OT environments with 72% of attacks focused on manufacturing companies.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last week issued a joint advisory on Royal ransomware. Royal is known for disabling anti-virus tools as it exfiltrates data in double-extortion attacks. the actors behind the ransomware are known to target manufacturing, communications, healthcare and public healthcare (HPH), and education.

A new report from Securin, CybersecurityWorks, Ivanti, and Cyware highlights the fact that  81 vulnerabilities exist that provide attackers with end-to-end access – from initial access to exfiltration – have been identified within popular operating systems, databases, storage, virtualization and firewall solutions, and  76% of vulnerabilities exploited by ransomware are old really old. Many of them were discovered between 2010 and 2019!

The education sector remains very vulnerable as ransomware shame sites continue to feature teaching institutions from around the world. The 2023 SonicWall Cyber Threat Report shows a 275% increase in ransomware attacks for the educational sector. The sector urgently needs to work on addressing all three elements of holistic cyber defense: people, process, and technology. Data breaches provide the perfect narrative to justify investments in all three elements, and it is past time to act.

The 2022 Internet Crime Report by the FBI reported at least $10.3 billion in losses due to internet scams last year. Ransomware has been a successful attack vector with $34 million in losses, and IC3 has included this warning, "The IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware. The threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom."

April 2023 - A cybercriminal gang that calls itself "Midnight" is sending phony ransomware threats to prior victims of ransomware attacks. It is unclear how victims are selected but one possibility is from publicly available sources, such as the initial attacker’s data leak site, social media, news reports, or company disclosures. The group may also be working with the original attackers to gain access to non-public data.

The FBI’s newly-released report shows just how ransomware continues to plague critical infrastructure sectors, despite the U.S. government’s recent efforts to stop these attacks. The latest Internet Crimes Report that covers 2022, the number of CI businesses attacked increased by 34%, rising to 870.

In an interesting twist, data from Barracuda hints that organizations with cyber insurance may be relying on it too much, instead of shoring up security to ensure attacks never succeed. This strange data point may indicate that there is too much reliance on a cyber insurance policy; that is, organizations think, “eh, the insurance policy will cover an attack” and proper cybersecurity precautions aren’t put in place.

May 2023 - Following a similar trend to 2022, March saw a huge jump compared to January and February, signifying that organizations should expect to see a lot more of these attacks this year. According to the NCC Group’s Cyber Threat Report, March of 2023 incurred 459 documented ransomware attacks. That’s a 91% rise over February 2022 and a 62% increase over March 2023. January and February both saw significant growth over their 2022 counterparts.

The City of Dallas recently confirmed a ransomware attack on their police department. This attack shutdown essential services along with some 911 dispatch systems. This attack could be a serious risk to the people of Dallas - with crucial services such as police, ambulance service and court proceedings possibly affected. Details of where the attack vector originated from are still unclear. 

In third-party risk vendor Black Kite’s 2023 Ransomware Threat Landscape Report, we see some interesting trends around successful ransomware attacks today: March saw 410 ransomware victim organizations – nearly double that of April 2022, US victim organizations represented 43% of the total victims reported, while the UK, Germany, France, Italy, and Spain combined making up around 20% of victim orgs, the largest group of victim organizations by revenue resided in the $50-60m range, with the next two groupings in the $40-50 million and $60-70 million ranges, respectively, manufacturing topped the list of industries, with “Professional, Scientific, and Technical Services” coming in second, representing nearly 35% of all victim organizations.

A new report shows the average and median amount of a ransom payment and the median size of ransomware victim organizations are on the rise. According to the report from Coveaware, the median company size of victim organizations shot up 42% from last quarter to 391. At the same time, the trending for both average and median ransom payment sizes are also increasing. One of the concerns raised by Coveware is the motivation behind this “big game hunting” by ransomware gangs and affiliates is a “lack of economic alternatives” (read: other ways to make money).

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has identified and designated Mikhail Matveev for his role in ransomware attacks back 2021. He’s responsible for ransomware attacks against U.S. law enforcement, businesses, and critical infrastructure using a number of ransomware variants including Hive, LockBit, and Babuk.

June 2023 - Verizon’s 2023 Data Breach Investigations Report (DBIR) begins with ransomware findings that point back to users as a big problem. 24% of data breaches include ransomware, and within system intrusion attacks, ransomware was involved in over 80% of attacks.

According to the 2023 Ransomware Trends Report from backup vendor Veeam, the vast majority of organizations (85%) have experienced at least one ransomware attack in the past year. That’s not even the worst part, the impact felt in the aftermath is damaging and costly. According to the report, 45% of production data was affected by a cyber attack, 15% of the organization's production data was unrecoverable on average, and 46% of organizations took an average of three weeks to completely recover from the event.

New data from blockchain analysis firm Chainalysis shows that over the past 5 years, the amount of crypto from known ransomware addresses sent to crypto mining pools has skyrocketed. The amount of money in crypto placed into these mining pools was as little as $10,000 back in Q1 of 2018 and has grown to over $10 million in Q1 of this year (the yellow line in the graph below). That’s literally 1,000 times larger, or 100,000% growth over 5 years!

July 2023 - The largest port in Japan, Nagoya, is now the most recent victim of a ransomware attack. Until further notice, all container and unloading operations have been cancelled. This incident will cause massive financial losses to the port, as well as delay transfer of goods to and from Japan. 

According to Sophos’ The State of Ransomware in Manufacturing and Production 2023 report, they found that over half (56%) of manufacturing organizations have experienced a ransomware attack. If you look at four of the six root causes – phishing, malicious email, compromised credentials and download – you can conclude that email-based social engineering attacks remain a serious problem for manufacturing.

Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.


Run RanSim and test your network now, get your results in minutes!

Find out how vulnerable your network is against ransomware and cryptomining attacks.

A Master Class on IT Security:
Roger Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks; taking time to maximize your organization’s potential damage and their payoff. Protecting your network from this growing threat is more important than ever. Join Roger for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware.

Watch Now!

Ransomware Strains and Families Knowledge Base

We've put together the background, history and inner-workings of all widespread ransomware strains and families that have appeared over the last few years. Criminal malware continues to grow at an explosive rate, and employees need to be given effective security awareness training so that they know before they click.

Click here to access our complete and expansive up-to-date ransomware strains knowledge base

Free Ransomware Simulator Tool

Is your network effective in blocking ransomware attacks?

Cybercriminals are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s RanSim gives you a quick look at the effectiveness of your existing network protection. RanSim simulates 22 ransomware infection scenarios and 1 cryptomining scenario and will show you if your workstation is vulnerable.

Test Your Network

Frequently Asked Questions

Email Vector By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true type of file you are receiving. If a user receives a phishing email with an attachment or even a link to a software download, and they install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user’s machine.

Drive-by-Download Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser or software plug-in or an unpatched third party application can infect a machine. The compromised website runs an exploit kit (EK) which checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually quickly caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable.

Free Software Vector Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! An example is a ransomware attack which exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.

One method cybercriminals will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser all the way to an unpatched, outdated operating system.

The main event that created the fifth and current generation of cybercrime was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly.

Some examples of this specialization are:
• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems.

Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

There is a website called ID Ransomware that allows you to upload your ransom note and a sample encrypted file. The tool will identify the particular strain you are dealing with and if available, download decryption tools to recover your files and/or whole network shares if your backups have failed. It's a good idea to know which type you have as there is no 'one-size-fits-all' method to get rid of ransomware.

Bitcoin is an untraceable crypto-currency network that uses peer-to-peer technology to handle transactions with no central authority - that means no banks or government agencies either. All transactions are public, however the people holding these digital wallets remains completely anonymous. This makes Bitcoin very attractive to cybercriminals and is therefore the payment method most often requested to get files decrypted.

We have seen certain actors demand ransom in things like Amazon and iTunes gift cards, but the vast majority ask for Bitcoin.

It is important to note that just because a person pays to unlock the computer; it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software.

If you are infected you should always report it to the FBI’s Internet Crime Complaint Center (IC3). You will need to provide all relevant information including the e-mail with header information and Bitcoin address if available.

Since most ransomware is delivered via malware found in phishing emails, users need to be trained to not click on those emails. We have seen the percentage of 'phish-prone users' decrease from an average 31.4% to 4.8% over the course of a year of using our training platform.

How To Check For Ransomware


It’s fairly straightforward to find out if you are affected by a ransomware virus. The symptoms are as follows:

  • You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
  • An alarming message has been set to your desktop background with instructions on how to pay to unlock your files.
  • The ransomware program or a related website warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
  • A window has opened to a ransomware program and you cannot close it.
  • You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.

Here is an example of a ransomware screen, the infamous Sodinokibi:

Example of a Ransomware attack, Sodinokibi

Here is an example of a ransomware webpage, threatening data exposure:

Example of a Ransomware webpage, threatening data exposure

Infection Vectors

Email Vector

By far the most common scenario involves an email attachment disguised as an innocuous file. Many times hackers will send a file with multiple extensions to try to hide the true type of file you are receiving. If a user receives a phishing email with an attachment or even a link to a software download, and they install or open that attachment without verifying its authenticity and the sender’s intention, this can lead directly to a ransomware infection. This is the most common way ransomware is installed on a user’s machine.

Drive-by Download

Increasingly, infections happen through drive-by downloads, where visiting a compromised website with an old browser or software plug-in or an unpatched third-party application can infect a machine. The compromised website runs an exploit kit (EK) which checks for known vulnerabilities. Often, a hacker will discover a bug in a piece of software that can be exploited to allow the execution of malicious code. Once discovered, these are usually quickly caught and patched by the software vendor, but there is always a period of time where the software user is vulnerable.

Free Software Vector

Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. After all, the user downloaded the file directly themselves! An example is a ransomware attack which exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When they installed it, the software also installed a sleeper version of ransomware that activated weeks later.

One method cyber criminals will use to install malicious software on a machine is to exploit one of these unpatched vulnerabilities. Examples of exploits can range from vulnerabilities in an unpatched version of Adobe Flash, a bug in Java or an old web browser all the way to an unpatched, outdated operating system.

Remote Desktop Protocol (RDP)

Internet-exposed Remote Desktop Protocol (RDP) sessions are another very common means of infecting networks. RDP sessions are used to remotely log in to Windows computers and allow the user to control that computer as if they were sitting in front of it. The technology typically uses port 3389 to communicate, and many organizations allow traffic from the internet through their firewall, so people can remotely access the computer. Hackers have become increasingly skilled at attacking these exposed computers and using them to spread malware within a network. RDP is exploited either due to an unpatched vulnerability or due to password guessing because the victims chose very weak passwords and/or did not enable account lockout protections.

Ransomware Prevention Tips

The best way to prevent an infection is to not rely on just one solution, but to use multiple, layered solutions for the best possible protection.

1. Security Awareness Training
It’s easier to prevent malware infections if you know what to look for. If you understand the latest techniques cybercriminals are using, the easier it will be to avoid. Know your enemy! Take an active approach to educating yourself by taking a security awareness training course.

2. Internet Security Products
There are many commercial products that will help you avoid all malware infections, but understand that none of them are 100% effective. The cyber criminals are always looking for weaknesses in security products and promptly take advantage of them.

3. Antivirus Software
While antivirus is highly recommended, you should have multiple layers of protection in place. It is not wise to solely rely on antivirus software to keep your PC secure, as it cannot prevent infections from zero-day or newly emerging threats.

The list of antivirus products below was proven the most effective at preventing malware from AV-Test.org 

Avira Antivirus Pro
Kaspersky Internet Security
Bitdefender Internet Security
Norton Security
Trend Micro Internet Security

4. AntiMalware Software
Most anti-malware software like MalwareBytes is designed to run alongside Antivirus products, and it’s recommended you have both in place.

5. Whitelisting Software
Whitelisting offers the best protection against malware and virus attacks. Whitelisting software allows only known good software that you approve to run or execute on your system. All other applications are prevented from running or executing.

6. Backup Solutions
In the event of a catastrophic attack or complete system failure, it’s essential to have your data backed up. Many have been able to quickly and fully recover from an attack because their data was backed up and safe. We recommend using one of the following online storage services and an external hard drive (that you disconnect after the backup) at the same time as the best possible backup solutions like:



Hostage Rescue Manual

This free manual is packed with actionable info that you need to prevent infections, and what to do when you get hit.

You will also receive an Attack Response Checklist and a Prevention Checklist. You will learn more about:

  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources

Don’t be taken hostage. Download your 26-page rescue manual now.

Get Your Manual

How to Remove Ransomware

Because all strains are different, there isn’t one set of removal instructions that works across the board. Below are steps to take to begin the removal process from a Windows PC, which may work completely for some but not all if you have a really nasty infection. However, if you don't remove it, you will be unable to decrypt your encrypted files so they will be gone forever!

1. Malware Scan. It’s recommended to use MalwareBytes to detect and remove the malware. First download the free version of MalwareBytes. If you are unable to run a MalwareBytes scan, restart your PC in safe mode and try to run the MalwareBytes scan this way.

To enter safe mode: as your computer restarts but before Windows launches, press F8. Use the arrow keys to highlight the appropriate safe mode option, then press ENTER.

2. System Restore. Some strains will prevent you from entering Windows or running programs, if this is the case you can try to use System Restore to roll Windows back in time before the infection. Restore your system using the System Restore settings by restarting your PC and hitting the F8 key when the PC begins to boot up.

3. Recovery Disk. Use your Windows disc to access recovery tools by selecting “Repair your Computer” on the main menu. If you don’t have your Windows disc, you can create one from another PC running the same version of Windows.

4. Antivirus Rescue Disc. If a system restore doesn’t help and you still can’t access Windows, try running a virus scan from a bootable disc or USB drive. You could try using creating a Bitdefender Rescue CD.

5. Factory Restore. If the above steps have not worked, the last resort is a Factory Restore. PC World has comprehensive instructions for performing a factory restore.
If you manage to remove the infection from your PC using any of the steps above (except the factory restore) your next task will be to recover your files.

Unhiding Files
If you are lucky, hopefully your data didn't get encrypted but instead hid your icons, shortcuts, and files, you can easily show hidden files: Open Computer, navigate to C:\Users\, and open the folder of your Windows account name. Then right-click each folder that’s hidden, open Properties, uncheck the Hidden attribute, and click OK. You should be good to go from here.

Encrypted Files
If you followed the steps above to unhide your files and this didn’t work and you still can’t find any of your data, this means that your files have been malware-encrypted. This is not good. Unfortunately it isn’t possible to decrypt or unlock your hostage files, because the decryption key is typically stored on the cybercriminal’s server. From here you have 2 options:

Option 1: Restore your files from a backup. If you have a backup system in place, and they haven’t been encrypted as well, you should be able to restore all your files this way. If you don’t have a backup system in place, you might be able to recover some of your files from Shadow Volume Copies, but most definitely not all your personal files. To use shadow volume copies, right-click Select files/folders and open Properties to view the Previous Versions list, or use a program called Shadow Explorer.

Option 2: Pay the Ransom. Most authors will deliver the decryption key and return your files once you pay, but keep in mind, there is no guarantee. You may pay the ransom and get nothing in return, after all you are dealing with thieves.

Free Decryptors List

Ransomware decryption is an uphill battle for security professionals. As new strains are discovered, decryptors are created, then cybercriminals update their malware to get past decryption methods. It's a never-ending cycle!

Click here to see our list of known free ransomware decryptors.

Ransomware In The News

New York Unit of Worlds Largest Bank Becomes Ransomware Victim

The ransomware attack on ICBC Financial Services caused disruption of trading of U.S. Treasuries and marked a new level of breach that could have massive repercussions.

The Alarming Threat of Ransomware: Insights from the Secureworks State of the Threat Report 2023

In the ever-evolving landscape of cybersecurity, the battle against ransomware has taken a concerning turn. According to the latest findings from Secureworks annual State of the Threat Report, the deployment of ransomware is now occurring within just one ...

New SEC Rules Will Do More Than Result in Quick Breach Reporting

On July 26, the U.S. Security & Exchange Commission (SEC) announced several new cybersecurity rules, taking affect mid-December 2023, that will significantly impact all U.S. organizations (and foreign entities doing business in the U.S.) that must fol...

Get the latest about social engineering

Subscribe to CyberheistNews