Ransomware has demonstrated its resiliency since first garnering notoriety in 2016 with several campaigns directed against targets in the healthcare sector
Since that time, ransomware has attacked large and small organizations, as well as individuals, across every sector. The malware’s versatility continues to make it a useful tool that requires nominal investment of time and resources. Ransomware is delivered via several different vectors to include spam, e-mail attachments, malicious links, and exploit kits, among others. Now with so many organizations turning to cloud technology to support their operations, the potential spread of ransomware via the cloud is a real threat. According to a 2019 report on data breach investigations, attacks involving ransomware were still prevalent, “accounting for 24 percent of incidents where malware was used.” It is evident that ransomware is not a fad but a viable option in the hostile actor toolbox.
Many ransomware campaigns are launched with the primary purpose of making quick money for the attackers. According to one report, the average ransom payment increased by approximately 180 percent between first and second quarter of 2019, tripling in cost to USD 36,000 per attack. Clearly, financially motivated attackers find value in conducting these extortion activities and have received payment often enough to solidify its cost-benefit calculus. By successfully infecting high value targets such as hospitals and city municipal departments, attackers have determined that these victims would rather pay ransoms rather than risk losing sensitive information. They have also likely calculated that these targets did not implement backups or possess proper contingency plans to mitigate the threat and speed remediation efforts.
However, no tool is the sole purview of any particular actor category, and such holds true for ransomware. Again, the versatility of the malware makes it an attractive option as it can be used to support different intentions and operational objectives. As evidenced by two of the more prominent ransomware campaigns – 2017’s WannaCry and NotPetya – suspected state actors are believed to be the orchestrators of the attacks.
The U.S. government attributed the former’s attacks to North Korea, while determining that Russia was responsible for the latter. In the case of North Korea, a state thought out of the box to make money via circumventing the stranglehold of economic sanctions placed on it by the United States. For perhaps the first time, a state turned to cyber crime (stealing money from banks, crypto currency exchanges, ransomware) to fund activities (e.g., its nuclear program) it deemed of national importance.
Before going global, the NotPetya campaign started by first targeting Ukrainian financial and energy organizations, among others, pointing to Russian involvement. Further implicating Russia was the fact that collecting ransom did not appear to be the primary motive of the attackers, suggesting that denial of system access and operational disruption was the primary objective.
The targeting of cities – most notably U.S. cities – in 2019 further demonstrates the confidence that actors have in 1) going after high-value targets and 2) not getting caught by authorities for doing so. It also further shows the innovative nature of these actors in finding new targets to exploit. Certainly, successful infection of essential emergency services that impede their ability to operate could potentially command large ransom payments for financially minded actors.
But such activities also raise the potential of using ransomware as a form of punishment, a move that could gain more traction in 2020. Considering hacktivists’ penchant for using attacks to punish or disrupt a target’s operations, their leveraging of ransomware is a logical evolution in their offensive operations. However, it the increased adoption of ransomware by state actors that bears closer inspection, particularly as more states acquire the capability to conduct offensive operations.
When looking how governments use cyberspace to register their displeasure with other states (e.g., via distributed denial-of-service attacks or wiper malware, for example), increased use of ransomware by states may become more prevalent. As such, it shouldn’t come as a surprise if in 2020, actors seek to more aggressively leverage ransomware as a tool of disruption rather than a tool for making money. This warrants consideration given the current concern of hostile states targeting critical infrastructures and industrial control systems (ICS). If half of ICS have already faced some kind of hostile cyber activity, as has been stated, failing to prepare for inevitable ransomware attacks against these systems seems careless if not negligent.
Organizations need to develop ransomware contingency planning to prepare for ransomware’s inevitable evolution in 2020. As the tool becomes more accessible across threat actor categories, motivations for using the tool will become as varied as the attackers themselves. What won’t change is the need for victims to implement and test strategies to remediate the threat and maintain critical business operations. Those able to do so quickly will exhibit the resiliency required to deter repeat efforts, whether they be extortive or punitive in nature.
About the Author

Emilio Iasiello, Cyber Intelligence Consultant. Cyber intelligence analytic and managerial professional supporting both private and public sectors. I’ve published strategic cyber pieces in peer reviewed intelligence journals; led and developed analysts; implemented analytic production plans; and increased customer satisfaction via customised intelligence products.
Featured image: ©Alexander