Endpoint Protection


Ransomware Everywhere 

Nov 20, 2019 12:34 PM


Ransomware existed long before 2014 (the list below goes back to 2012), but it was little known outside the security community until then; today it is one of the most common methods attackers use against corporations.

2018 was the year of ransomware, and 2019 has been even worse.

For those who don’t know, ransomware is a form of malware that locks users out of their own data. The operators then demand payment, usually in a cryptocurrency such as Bitcoin (pseudonymous, not untraceable), in exchange for the key that unlocks the encrypted files. Estimates put the criminals' annual take from these attacks at over a billion dollars.

Wikipedia defines ransomware as a type of malware from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.

According to SonicWall's mid-year 2018 threat report, there were 181.5 million ransomware attacks in the first six months of 2018, a 229% increase over the same period in 2017.

Notable ransomware families (year first seen):

1) Reveton (2012)
2) CryptoLocker (2013)
3) TorrentLocker and CryptoWall (2014)
4) SimpleLocker (2014, Android)
5) TeslaCrypt and Fusob (2015)
6) SamSam and Petya (2016)
7) WannaCry (2017)
8) NotPetya (2017)
9) BadRabbit (2017)
10) GandCrab (2018)
11) Ryuk (2018)

Recent ransomware attacks have taken organizations' resources hostage and demanded a ransom to decrypt files and other important data.

The recent attacks on government entities are more publicized but private corporations have been struggling with ransomware for a few years now. 


Soon after Symantec released its July 2019 white paper (attached) documenting a 400% increase in targeted ransomware attacks over the previous two and a half years, a colleague came to me with a tough question about prevention. Apart from following basic security practices like patching software and deploying the file-based ransomware protections listed in the report, they asked, "Can companies avoid being targeted in the first place?”

Today, ransomware continues to threaten anyone using a Windows, macOS or Android device, and individuals and business owners alike are paying ransoms because they do not adequately protect their systems.

While anti-ransomware solutions are available for devices like laptops, PCs and mobile phones, other Internet of Things (IoT) devices remain at risk.



The categories of IoT devices under threat include:

1) Connected Cars
2) Smart Homes
3) Medical Equipment
4) Wearable Devices



Clients should pay close attention to any anti-virus alerts from their endpoints, with particular sensitivity to alerts for Emotet or Trickbot, since Ryuk or similar ransomware typically follows soon after these infections.

In order to minimize the business impact of a ransomware infection, we recommend the following preventative measures:

  • Notify employees to be aware of suspicious emails and attachments.
  • Secure email platform account access – MFA, continual log review, etc.
  • Activate malware detection capabilities within mail gateways.
  • Remove the users’ ability to enable document macros.
  • Ensure AV is deployed to every machine and all alerts are being collected.
  • Follow-up on AV alerts.
  • Verify that network logs are being aggregated and reviewed for suspicious connections; Trickbot downloads its payload as a “.png” file.
  • Limit access and closely monitor admin and domain admin account usage.
  • Do not use shared local admin accounts and passwords across machines — this is an easy way for Trickbot to spread.
  • Have a robust backup process for business-critical servers and files such that back-ups occur regularly, are tested for efficacy, and are stored offline.
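The network-log bullet above is worth operationalizing. The following is an added example, not code from the original post or from Symantec: a small Python scanner over proxy-log lines that flags requests for image-named URLs whose leading bytes are not an image. Trickbot pulled its modules from its C2 under ".png" names, and a PE header ("MZ") served under an image extension is a cheap, high-signal indicator; the example generalizes the check to .jpg and .gif as well. The one-line log format (client, method, URL, Content-Type, first bytes as hex, size) and every sample line are constructed for this example; a real proxy would need its own parser.

```python
"""Flag proxy-log requests for image-named URLs whose bytes are not an image.

Added example, not code from the original post. Never trust the Content-Type
header alone: the server (here, the attacker's C2) controls it. The log format
and the sample lines below are constructed for this example."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Leading bytes a genuine image of each extension must start with.
IMAGE_MAGIC = {
    ".png": bytes.fromhex("89504e470d0a1a0a"),   # \x89 P N G \r \n \x1a \n
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MZ_MAGIC = b"MZ"   # DOS/PE header of a Windows executable

# Constructed format: "<client> <method> <url> <content-type> <first-bytes-hex> <size>"
LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ctype>\S+)\s+"
    r"(?P<head>(?:[0-9a-fA-F]{2}){1,16})\s+(?P<size>\d+)$")

# Constructed sample log. Line 2 lies in Content-Type; line 3 lies in both the
# extension and the Content-Type; lines 1, 4 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.15 GET http://cdn.example.com/images/logo.png image/png 89504e470d0a1a0a 4096
10.0.0.23 GET http://198.51.100.7/images/cursor.png application/octet-stream 4d5a900003000000 397312
10.0.0.23 GET http://198.51.100.7/tables.png?id=7 image/png 4d5a900003000000 512000
10.0.0.42 GET http://intranet.example.com/report.pdf application/pdf 255044462d312e35 88000
10.0.0.23 GET http://198.51.100.7/images/banner.png image/png 89504e470d0a1a0a 2048
"""


@dataclass
class Finding:
    client: str
    url: str
    reason: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding when an image-named URL was served non-image bytes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # malformed line: skip, do not abort the scan
    path = m["url"].split("?", 1)[0].lower()   # ignore the query string
    ext = next((e for e in IMAGE_MAGIC if path.endswith(e)), None)
    if ext is None:
        return None                       # not an image-named URL
    head = bytes.fromhex(m["head"])
    if head.startswith(IMAGE_MAGIC[ext]):
        return None                       # extension and magic agree: a real image
    if head.startswith(MZ_MAGIC):
        reason = f"PE executable served as {ext}"
    else:
        reason = f"non-image bytes served as {ext} (Content-Type {m['ctype']})"
    return Finding(m["client"], m["url"], reason)


def scan_log(text: str) -> List[Finding]:
    """Run inspect_line over every line and keep the hits."""
    return [f for f in map(inspect_line, text.splitlines()) if f is not None]


def hits_per_client(findings: List[Finding]) -> Dict[str, int]:
    """Clients with repeated hits are the ones to isolate first."""
    return dict(Counter(f.client for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client}  {f.url}  ->  {f.reason}")
    print(hits_per_client(scan_log(SAMPLE_LOG)))
```

Feeding the scanner a day of proxy logs and sorting by `hits_per_client` gives a short list of hosts to pull for AV follow-up; a single hit on a CDN host is worth a look, but repeated hits from one workstation against a bare IP address is the pattern to act on.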


If systems are infected, we recommend the following response measures:

  • Do not power down or reimage infected systems.
  • Do disconnect them from the network.
  • Preserve machines/logs and contact an IR provider.
  • Ensure the AV solution does not delete the accompanying “ransom notes” (usually .txt or .hta files), as these typically contain a unique victim code that is needed to obtain the decryption key if payment is made.
  • Be on the lookout for other malicious software and persistence mechanisms, as the Ryuk group may install their own backdoors into the environment as their approach evolves.
  • Make a copy of online backups and store it offline. Alternatively, segregate online backups to prevent them from being encrypted or deleted by the attacker.
  • Do not discuss the ability or appetite to pay the ransom via email.
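The points about preserving evidence and not losing the ransom notes can be turned into a first-hour triage script. The following is an added example, not code from the original post or from Symantec: a Python helper that walks a file share, tallies file extensions (a large number of files renamed to one unfamiliar extension is the usual footprint of an encryptor), locates ransom notes by their typical names and extensions, and copies each note into an evidence folder with its SHA-256 so the victim identifier inside survives even if AV later quarantines the original. The share layout, file names and note text that `run_demo()` creates are constructed for this example; the note-name keywords and the ".html" extension (which Ryuk also used) are assumptions you should extend for the family you are facing.

```python
"""Triage helper for a suspected ransomware infection (added example).

Not code from the original post. Walk a tree, count extensions, find ransom
notes, preserve them with hashes. All fixture data is constructed."""

import hashlib
import os
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Ransom notes are usually .txt or .hta (Ryuk also dropped .html) and carry
# words like these in the file name. Assumed keyword list; extend per family.
NOTE_NAME_RE = re.compile(r"(readme|recover|restore|decrypt|how[_ -]?to|ryuk|help)", re.I)
NOTE_EXTS = {".txt", ".hta", ".html"}
# Extensions expected on an ordinary share; anything else in bulk is suspect.
EVERYDAY_EXTS = frozenset({".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".html",
                           ".csv", ".jpg", ".png", ".zip"})


def extension_counts(root: Path) -> Counter:
    """Count files per lower-cased extension under root (read-only walk)."""
    return Counter(p.suffix.lower() for p in root.rglob("*") if p.is_file())


def suspicious_extensions(counts: Counter, min_files: int = 5) -> List[str]:
    """Extensions outside EVERYDAY_EXTS found on at least min_files files."""
    return sorted(ext for ext, n in counts.items()
                  if ext not in EVERYDAY_EXTS and n >= min_files)


def find_ransom_notes(root: Path) -> List[Path]:
    """Files whose extension and name both look like a ransom note."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in NOTE_EXTS
                  and NOTE_NAME_RE.search(p.name))


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_notes(root: Path, evidence: Path) -> Dict[str, str]:
    """Copy every ransom note under root into evidence/ (copy2 keeps mtimes),
    write a manifest, and return {original relative path: sha256}."""
    evidence.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, str] = {}
    for note in find_ransom_notes(root):
        rel = note.relative_to(root).as_posix()
        dest = evidence / rel.replace("/", "__")   # flatten, keep origin in the name
        shutil.copy2(note, dest)
        manifest[rel] = sha256_file(dest)
    lines = [f"{digest}  {rel}" for rel, digest in manifest.items()]
    (evidence / "manifest.sha256").write_text("\n".join(lines) + "\n")
    return manifest


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: a small share after a Ryuk-style encryption run."""
    root = base / "share"
    (root / "finance").mkdir(parents=True)
    (root / "hr").mkdir()
    for i in range(5):
        (root / "finance" / f"q{i}.xlsx.RYK").write_bytes(os.urandom(64))
    for i in range(3):
        (root / "hr" / f"emp{i}.docx.RYK").write_bytes(os.urandom(64))
    (root / "hr" / "policy.pdf").write_bytes(b"%PDF-1.5 untouched file")
    note = "Your network has been penetrated.\nYour ID: CONSTRUCTED-0000\n"
    (root / "RyukReadMe.html").write_text(note)
    (root / "finance" / "RyukReadMe.txt").write_text(note)
    return root


def run_demo() -> dict:
    """Build the fixture in a temp dir, triage it, and return the findings."""
    base = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    root = build_sample_tree(base)
    counts = extension_counts(root)
    return {
        "counts": counts,
        "suspicious": suspicious_extensions(counts),
        "notes": [p.relative_to(root).as_posix() for p in find_ransom_notes(root)],
        "manifest": preserve_notes(root, base / "evidence"),
    }


if __name__ == "__main__":
    result = run_demo()
    print("suspicious extensions:", result["suspicious"])
    print("ransom notes preserved:", result["manifest"])
```

Run it against a mounted copy of the share, not the live infected host, and write the evidence folder to separate media: the script only reads the share and copies notes, which keeps it consistent with the "do not reimage, do preserve" guidance above.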

Researchers warn that targeted ransomware, mobile malware and sophisticated phishing attacks will escalate in 2020. On the defensive side, adoption of AI-assisted detection, better cloud security, cyber insurance and faster incident response will also grow, helping companies defend against these threats.


Today, open-source ransomware and Ransomware as a Service (RaaS) make this malware so accessible that even your friend or your grandfather could become a ransomware criminal.

Ransomware-as-a-Service (RaaS) borrows from the Software-as-a-Service (SaaS) model. This subscription-based criminal offering lets even novice cybercriminals launch ransomware attacks without much difficulty. Various RaaS packages are sold on underground markets, removing the need to write malware, so the model is popular with criminals who lack the technical knowledge to build ransomware themselves. Anyone can become an “affiliate” of an established RaaS package or service.



Under this franchise-like model, ransomware authors write the code and sell or rent it through an affiliate program to other criminals who intend to launch attacks. The operators supply technical know-how and step-by-step instructions for launching an attack with the service, often through a platform with a real-time dashboard showing the status of each campaign. When an attack succeeds, the ransom is split between the service provider, the coder and the affiliate who carried out the attack.

The model is enticing enough that RaaS providers openly advertise on the dark web. There are several reasons criminals are drawn to it. For the ransomware authors it is quick money; for the affiliates it removes the need to write malicious code, since they can rent easy-to-use packages cheaply.

RaaS operations have appeared on the dark web under many names, including Cerber, Satan, Atom, Hostman and Philadelphia. Most of them reach victims through phishing emails and exploit kits.


A few ransomware cases:

In 2016, ransomware hit the Ottawa Hospital in Canada and Hollywood Presbyterian Medical Center in California. The Hollywood hospital paid the extortionists about $17,000 in bitcoin in February 2016 to unlock the data they had encrypted.

Arizona Beverages was hit by ransomware in 2019. The attack shut down sales operations for days and took out its network and servers, and the attackers left a ransom note behind. Arizona struggled to rebuild its operations for five days: most of its servers had not received security patches in years, and its backups did not work. After five days it brought in Cisco's incident response team to wipe everything and rebuild from scratch, at a cost of hundreds of thousands of dollars in recovery, all because an employee opened an email attachment.

The ransomware attacks against more than 20 Texas towns in August 2019 were significant. Though little is known about their origins, the spread of ransomware across small-town America has exposed a deep problem in how the country approaches cybersecurity.

In October 2019, three hospitals in Alabama were forced to turn patients away after a ransomware attack.

In 2018, the US hospital Hancock Health paid $55,000 to attackers after a ransomware attack, despite having backups available.

ASUS computers were also hit, though not by ransomware: in a software supply-chain attack reported in 2019 (ShadowHammer), the ASUS Live Update utility was trojanized, and the implant activated only on machines whose MAC addresses were on a hard-coded target list. It was a targeted operation, attributed to a nation-state actor, aimed at the computers of specific executives and employees.

In October 2019, the Kudankulam Nuclear Power Plant (KKNPP), the largest nuclear power station in India, was attacked. The malware found on its administrative network, Dtrack, is attributed to the Lazarus group, the same actor linked to the 2017 WannaCry outbreak. Dtrack itself is not ransomware but a reconnaissance and intelligence-gathering tool that collects information about systems and networks for later exploitation. It gave Lazarus a doorway into the KKNPP network and could make a future attack easier by establishing a “persistent presence on the nuclear power plant’s networks”.



Symantec has published several articles that discuss ransomware in more depth:

Ransomware Viruses

Ransomware a Growing Menace: PDF white paper (attached)

Ransomware: Prevention is Possible, A Cure—Not So Much

Symantec Ransomware Protection: PDF (attached)

Targeted Ransomware: Proliferating Menace Threatens Organizations

Ransomware removal and protection with Symantec Endpoint Protection

Best Practices in Targeted Ransomware Attacks


Attachments (3 files):
ransomware-a-growing-menace.pdf (5.01 MB, uploaded Feb 25, 2020)
Targeted_Ransomware_2019July.pdf (1.67 MB, uploaded Feb 25, 2020)
wannacry-symantec-ransomware-protection-en.pdf (524 KB, uploaded Feb 25, 2020)


Mar 17, 2020 05:13 PM

Protection Against Ransomware – Best Practices


Dec 09, 2019 03:12 AM

Great article, Mithun! A lot of excellent information.

One extra measure for prevention: ensure that RDP and other methods of remote access are locked down!  Targeted ransomware (where an attacker enters the network with compromised valid credentials, then lowers defenses and plants the ransomware) is very common.  There are many guides available online from trusted security gurus which describe how to secure RDP.  Do take the time to read and implement those suggestions!  
