Chapter 3. Ransomware Operators and Targets

While ransomware rightfully gets a lot of attention because of the damage it can cause to an individual or organization, ransomware families actually make up a small, but rapidly growing, percentage of attacks. Kasperspy Lab, in the first quarter of 2016, reported blocking 228 million attacks. Of those blocked attacks, 372,602 involved ransomware, which means that ransomware accounted for only 0.0016% of the attacks.¹ Even if the current meteoric growth of ransomware continues, it will be a while before ransomware makes up a significant percentage of all security threats.

In other words, ransomware families are still in their infancy, but they are rapidly evolving, and even more sophisticated hacker groups are using ransomware in their attacks. Ransomware has come on the scene at an interesting time in security. While there are a number of advanced tools available to organizations that have been developed to detect and stop ransomware attacks, there is also a sophisticated underground infrastructure in place to foster the rapid development and deployment of new ransomware families. There is also a significant body of knowledge available online about what works and what doesn’t when trying to deploy new malware. That body of knowledge includes a lot of code sharing on underground forums and learning from the mistakes of older ransomware families. So, unlike developers of previous types of malware, ransomware developers are not starting ...