
Ransomware – The Good, the Bad and the Ugly

Updated: Aug 9, 2022

Armour Cybersecurity Small & Medium Enterprises Cybersecurity Series

What is Ransomware?

Ransomware is a form of malicious software (malware) designed to encrypt files on a device or computer. Systems that rely on these files become unusable. The attackers then demand payment, usually in bitcoin, to decrypt the files. In some cases the files are also stolen and removed from the device, and an additional payment is demanded to get them back.

Ransomware is the most common cyber-attack. It is usually initiated through phishing or by exploiting unprotected or unpatched networks. Small and Medium Enterprises and Businesses (SMEs/SMBs) are the most convenient targets because they lack the protection of large organizations yet still have the means to pay a ransom.

"The bad…" – There are many different types of ransomware, and they evolve rapidly; the cybersecurity industry is playing a "catch-up" game with attackers' "innovation" around what can be exploited, and how, to deliver successful ransomware attacks. Below are a few samples of the dominant types of ransomware, each with its own characteristics. The list focuses on ransomware that especially targets the SME and SMB segments:

1. Ryuk

Ryuk is highly targeted ransomware. It is usually delivered through spear-phishing emails or by logging into the enterprise's systems over Remote Desktop Protocol with compromised credentials. Ryuk encrypts files and then demands a ransom for their release. This kind of ransomware is the most expensive; the ransom demand will usually exceed $1 million. The criminals behind Ryuk target enterprises that can pay this kind of money.

2. Maze

Maze ransomware combines file encryption with file theft. Maze collects sensitive data from the victim's computer before it encrypts it; if the ransom demand is not paid, this sensitive data is publicly exposed or sold to the highest bidder. This threat, and the potential of an expensive data breach, usually pressures the victim to pay the ransom.

3. REvil

The REvil group also targets large organizations. They compete with Ryuk for the most expensive ransom demanded; they have demanded $800,000 as a ransom payment.

Like Maze, they use double extortion: they encrypt the files and also steal them, demanding a ransom to decrypt the files and a second payment not to expose the stolen files.

4. Lockbit

This ransomware was developed to encrypt an organization's systems rapidly, before the organization's security appliances and IT teams can detect it.

5. DearCry

DearCry takes advantage of disclosed Microsoft vulnerabilities in Exchange servers. It encrypts specific files and then asks the victim to send an email requesting instructions for decrypting their files.

6. Lapsus$

Lapsus$ is a South American gang that targets organizations across different industries.

They are known for extortion, threatening to release sensitive data when their demands are not met. They use stolen source code to disguise their malware as trustworthy software.

Typical Ransomware Attack Stages

Each ransomware campaign's tactics might differ a bit, but they all go through the same three stages of execution.

Stage 1 - Infection & distribution vectors

There are many ways you can get infected with ransomware, but there are some specific vectors that attackers prefer; here are the most popular ones:

· Phishing Emails

A malicious email that contains a link to a fraudulent website, where you might click on a link that delivers the malicious software, or an email with the malicious software attached. If you or one of the employees in your organization falls for this trick, the software is downloaded automatically without any confirmation.

· Remote Desktop Protocol

Another popular infection vector is Remote Desktop Protocol (RDP) takeover. In this scenario, the attacker has an employee's credentials, which they can use to access that employee's computer remotely, reach the organization's network, and take complete control of the machine.

Stage 2 - Data Encryption

Once the ransomware is installed and has access to a personal computer or one of the organization's systems, the attackers try to perform "lateral movement" – propagating the malware to other machines in the network. They also target your backups, which are usually deleted. Once the malware has finished spreading and you no longer have backups, the file encryption begins. The files are encrypted with the attacker's code, and the original files are removed and replaced by the encrypted versions. The attackers are careful about which files they encrypt so that they do not damage the operating system.

Stage 3 – Ransom Demand

Once the encryption is complete, the attacker presents the ransom demand. If the ransom is fully paid, the attacker is supposed to provide the key to decrypt the files and restore access to the device, with only about a 61% success rate. Only 4% of those who paid the ransom in 2021 got all their data back. Ransom demands are usually time-bound. If you don't pay within the given timeframe, the demand usually doubles, and after some time you will not be able to obtain any decryption key at all. On top of that, you may be pressured by the threat that the data will be made public if payment is not made.

These ransomware tactics are the most popular, but there are many other ways to hold organizations and individuals to ransom, so we must always be vigilant and know how to recognize the threat. Knowledge is power.

"The ugly…" – The situation out there is really "ugly": since the COVID-19 pandemic started, ransomware attacks have intensified, and the damage they cause has more than doubled.

Here are some statistics from the field:

· 66% of companies were hit by ransomware in 2021

· 58% of companies took longer than one month to recover

· One month is the average time to recover from a ransom attack

· 90% of ransomware attacks impaired the ability to operate

· $812,360 is the average ransom paid

· 46% of companies paid the ransom

· $1.4M is the average cost of remediation after a ransomware attack

· 61% of encrypted data was restored

· 4% of those who paid the ransom got ALL their data back

Source: Sophos

The last stage of a ransomware attack (the encryption) is the most visible one, and it usually occurs at the least convenient time. Many organizations report that attacks struck on Friday at 7 pm, when people had already started to unwind for the weekend; this is intentional, as attackers don't want to make it easy for you. They don't care if you are heading on vacation or having your daughter's birthday party. They want you to be stressed and pressured. Most humans naturally avoid confrontation and want to resolve such situations as fast as possible, doing whatever it takes. Cybercriminals build their tactics on the assumption that you are one of those humans.

What to do if your organization is impacted by ransomware

Once an attack happens, you are on the clock and have to deal with the dilemma of "to pay or not to pay." Each organization chooses its own route, yet most of the time the decision boils down to the following considerations:

If You Pay

  • You will be able to get your business back up and running faster

  • Attackers will have an incentive to attack again. After all, you are a "paying customer" now

  • You might be subject to double extortion; after you pay, they might demand payment again, or publish the data.

  • You might not get your files back even if you pay; decryption keys do not always work

If You Don't Pay

  • It might be illegal to pay a ransom in your country

  • It might be a while until you can operate your company again.

  • You might lose your data forever if not backed up or backup is compromised.

  • Your sensitive data might be exposed as an act of retaliation.

  • The money that would have gone to the ransom can be spent on rebuilding and improving your cybersecurity.

Ransomware is an "ugly" situation that many organizations are not equipped to deal with; the Armour Cybersecurity team has seen multiple unprepared organizations scramble to handle the attack in-house. They make it worse, which means unnecessarily prolonged downtime, inability to operate, and significantly higher recovery costs in the end.

"The good…" – You can prepare for the next cyber attack. Proactive preparation for ransomware attacks can make the difference between a major disaster for your business and an event that happens but is handled without major impact. The good news is that this is within reach for SMEs/SMBs.

How can your organization prepare and deal with ransomware?

No one can be 100% proof against a cyber-attack. However, organizations that prepare proactively, continuously and gradually statistically show a significantly lower impact from cyber-attacks. We are often asked what the one thing is that should be done to prevent ransomware; unfortunately, there is no "silver bullet" out there. Typically, it is a multi-layered, multi-step, organization-wide approach that connects all processes, controls, and technology into one well-orchestrated program. Another misconception that we see across many organizations is that cyber is an IT task. That was true 10-15 years ago. However, cyber defence has evolved significantly since then (just as cybercrime has evolved) and should be looked at as an organizational function beyond IT. It is like a doctor's office: you go to your general physician, but when you need expert advice, you are referred to a specialist. Find your cyber specialist.

Demystifying Cybersecurity Affordability for SMEs/SMBs?

While it is true that, to date, cybersecurity was mainly the privilege of large enterprises, with the evolution of cybercrime many companies now cater top-notch cybersecurity services to SMEs/SMBs and can do so cost-effectively. These days, organizations with 10 employees or fewer can enjoy enterprise-grade protection without breaking the bank.

To make it more practical, here is a typical list of activities organizations can start with to reduce the risk of ransomware and its impact.

1. Hire a cyber security expert company to help assess the risk and identify gaps in your current defences. They will typically help you build a plan for improving your cybersecurity posture.

2. Strengthen your weakest link: your employees. Conduct organization-wide cyber awareness training.

3. Establish a robust patching process for all your assets, emphasizing critical assets.

4. Perform continuous data backups for all your assets, and practice regular data restoration to validate the backups. Not every backup is guaranteed to be secure; there are specific ways to do safe backups. Consult with experts on that.

5. Implement modern defence technology on your desktops, servers, mobile devices and browsers, and secure your communication channels at all times. The world has changed, and people work from anywhere on multiple devices, so your good old firewall in the office is not enough anymore.

6. Implement strong user authentication; use Multi-Factor Authentication wherever possible. It is a little inconvenient but will save you a lot of money in the long run.

7. Get cyber insurance.

To conclude,

Cybercrime has been on the rise for a while, but in the last couple of years you no longer wonder whether you'll ever be breached; you ask yourself when it will be your turn. The situation now is ugly. But not everything is lost. You can prepare your business/organization to cope with it and actually thrive. It requires a proactive approach. After all, it is the smart thing to do: learn from the mistakes of others, and it will cost you less. The cost of protection is a fraction of the cost of cyber attack remediation. If you feel at a loss and are unsure where to start, contact us now for a free consultation.

If you are under attack or were under a ransomware attack, contact us today to ensure effective recovery.