Many different cybersecurity threats and types of malware exist. However, few, if any, have managed to inspire the same level of fear or gain the name recognition of ransomware. A ransomware infection is unique among malware because it is obvious and has a very personal impact. While many types of malware try to remain hidden, ransomware does its damage and then throws up a notification on the victim’s screen announcing the fact. The impact is amplified by the fact that the victim then needs to make the difficult decision between paying the ransom and writing off any lost files, potentially for good.
Since the early big ransomware attacks like WannaCry, the tools and tactics used by ransomware authors have evolved. In the modern threat landscape, large organizations are much more likely to be the target of a ransomware campaign, and they can expect to be extorted for a much higher price.
WannaCry is Over
When many people are asked to think of the name of a ransomware variant, their first answer is probably WannaCry. WannaCry made ransomware a household name due to its global impact and the panic that it spread to businesses and consumers alike. WannaCry was a ransomware worm that was based upon the EternalBlue exploit. This exploit targeted vulnerabilities in the SMB protocol, which is commonly used on Windows machines, and was developed by the NSA and kept secret for its own use until being leaked by the Shadow Brokers.
The widespread use of SMB and the failure of most individuals and businesses to apply available patches for EternalBlue provided the WannaCry attacker with a wide base of potential targets. This allowed them to ask for a relatively low ransom amount, choosing the quantity of potential targets over the quality of the ransom received.
However, the WannaCry outbreak happened over two years ago. While some ransomware variants are still following WannaCry’s example, many organizations are much better prepared for this attack. The EternalBlue vulnerability, which was the key to WannaCry’s success, is well-known and patched in many organizations. In order to be effective, many ransomware variants have turned to a new model.
Hunting Bigger Game
Over the last couple of years, ransomware authors have moved away from wide-scale attacks to more targeted ones. Now, 81% of ransomware attacks are targeted at enterprises rather than consumers. This shift has occurred for several reasons.
One reason is that targeting enterprises and other large organizations is much more likely to result in a payoff for the attacker. In general, most ransomware variants are designed to attack desktop operating systems like Windows. While these operating systems are still in use, most consumers have primarily transitioned to mobile devices as their main way of accessing the Internet. A ransomware attack against a home PC may take days or weeks to even be noticed, and then the attacker needs to talk the victim through what Bitcoin is, how to get and send it, etc. just to get their ransom payment. For the amount of money that the average consumer is likely to pay in ransom, it’s just not worth the attacker’s effort. An enterprise target, on the other hand, likely values its data much more highly and may be willing to pay thousands or even millions of dollars in ransom.
Another reason is that the attacker actually needs to get the ransomware on the target machine and run it there. Exploits like EternalBlue, which was developed by the NSA and gives access to a wide range of target systems, don’t come around every day, and modern antivirus and anti-ransomware systems are designed to detect and block common ransomware variants. Planting ransomware on an organization’s systems often requires a targeted spear phishing campaign, so attackers need to ensure that the payoff is worth the effort.
For these reasons, and potentially many others, ransomware authors have turned to more targeted attacks, focusing on cities, governments, hospitals, and other organizations that have extremely valuable information and the ability to pay but may not have the necessary cyber defenses in place to protect themselves. In the first nine months of 2019, 621 different entities were attacked by ransomware in the US alone. In some cases, the victims of the attack determined that the cost of the ransom was worth paying compared to the price of restoring systems from scratch. As a result, cybercriminals have seen that ransomware is a profitable attack vector and attacks against these big targets continue.
The New Face of Ransomware
As ransomware attacks are increasingly targeted rather than widespread attacks, the ransomware variants and the pretexts used to trick targets into running them can become more sophisticated. When a ransomware author plans to demand $5.3 million from their target (as happened to New Bedford, Massachusetts), they can take the time and effort necessary to build a phishing email or webpage that has a high probability of success.
Protecting against the new threat of targeted ransomware attacks requires more than simple cybersecurity awareness training. While having an automated corporate backup system is a good idea, restoring from backups can be time-consuming and expensive.
Modern anti-ransomware protection solutions can detect ransomware attacks based upon their behavior on an infected system and act to block the attack before too much damage is done. As ransomware attacks become more targeted and sophisticated, these solutions are increasingly important for protecting a company’s ability to remain in business.
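To make "detect based upon behavior" concrete, here is an added example (not from this article or from any vendor's product) of one common heuristic: flag a process that writes high-entropy, ciphertext-like data to many distinct files within a short window. The event format, thresholds, paths and process IDs are assumptions, and the sample events are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data nears 8.0, plain text ~4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events, window=10.0, min_files=5, min_entropy=7.0):
    """Return {pid: alert_time} for each process that writes high-entropy data
    to at least `min_files` distinct paths within `window` seconds.
    `events` is a time-ordered iterable of (timestamp, pid, path, data)."""
    recent = defaultdict(deque)  # pid -> (timestamp, path) of suspicious writes
    alerts = {}
    for ts, pid, path, data in events:
        if pid in alerts or shannon_entropy(data) < min_entropy:
            continue
        writes = recent[pid]
        writes.append((ts, path))
        while ts - writes[0][0] > window:  # drop writes older than the window
            writes.popleft()
        if len({p for _, p in writes}) >= min_files:
            alerts[pid] = ts  # a real agent would suspend the process here
    return alerts

def pseudo_random(seed: int, size: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(size // 32))

TEXT = b"Quarterly report draft, revision 3.\n" * 50
# Constructed events: pid 100 edits documents, pid 200 writes one archive,
# pid 300 overwrites six documents with ciphertext-like data in 2.5 seconds.
SAMPLE_EVENTS = sorted(
    [(0.2 * i, 100, f"/home/a/notes{i}.txt", TEXT) for i in range(8)]
    + [(2.2, 200, "/backup/archive.zip", pseudo_random(99))]
    + [(1.0 + 0.5 * i, 300, f"/home/a/doc{i}.docx", pseudo_random(i)) for i in range(6)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))
```

The single archive write from pid 200 is high-entropy but not flagged, which is why the heuristic counts distinct files per window instead of alerting on entropy alone.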