Monday, 02 November 2020 06:06

Ransomware booms, but how many attacks achieve their ends?


Ransomware attacks have grown massively in number over the last 12 months, and these days most attacks on Windows systems use this genre of malware.

But how many are successful, in that they net the people behind the attack the money that they are seeking? It is not easy to compute this as different attack groups have different approaches.

In general, actors behind an attack first gain entry to a system, exfiltrate the data — to be used as an extra bargaining chip later — and encrypt the files on the system. A ransom note is then generated and the attackers wait for the victim to respond.

At times, the victim responds speedily and then there is no way any security firm that looks for these kinds of attacks will ever know, not unless the victim makes it public. It is more common for a victim who pays a ransom to stay mum.

Often, victims do not respond as speedily as their attackers want. In such cases, screenshots of some of the stolen data may be posted to the dark web - or in some cases the clear web - as a means of squeezing the victim.

If the victim responds at this stage, then the attackers remove those screenshots and nobody would be any the wiser. Security researchers would notice only if they happen to be monitoring the sites in question very often.

Brett Callow, ransomware researcher at New Zealand-based security outfit Emsisoft, said it depended on how one defined success as some groups may have a lower conversion rate but would extract more per victim and vice versa.

"Also, keep in mind that the groups which publish the most may not be the most active nor the most successful," he told iTWire. "There’s no set formula for calculating a ransom demand, and some groups likely aim higher than others.

"That means they may get paid more when they’re successful, but that they’re successful less frequently than groups which make lower demands. In other words, the groups which publish most could be the least successful. Maybe. Or maybe not. Who knows?"

Chester Wisniewski, principal research scientist at Sophos, said in recent months, the ransomware ecosystem had split into two distinct types of threat actor.

"The first are focused on ransomware-as-a-service tools to provide to unskilled attackers and are either charging for the toolset or taking a commission on every ransom payment," he said in response to a query. "They primarily target individuals and small businesses where the barrier to entry is very, very low.

"The second are the ones going after the multi-million-dollar ransoms of enterprise-size victims. These attackers usually work in small groups of uniquely skilled individuals and often at least one of them has similar talents as a very advanced penetration tester.

"This set of attackers have been seen demanding upwards of US$10 million (A$14.25 million)."

Callow said the strategies varied from group to group. "NetWalker posts a couple of screenshots fairly quickly, but delists if/when the company comes to the negotiating table," he said. "Mespinoza, on the other hand, seems not to publish until they deem the case a lost cause. So NetWalker's victims are perhaps a little more visible."

He said Emsisoft had used a figure of 33% success in a country-by-country analysis of attacks. "That seems like a reasonable middle ground, as other research claims either a higher or lower number.

"In many ways, this highlights the problem of information being held in pockets with each company producing stats that are based on its own client base - enterprises or SMBs, insured or uninsured, Europe or Australia, etc."

Callow said STOP accounted for more than half the submissions to ID Ransomware, a site to which one can upload a ransom note and/or sample encrypted file to identify the ransomware that had been used to carry out the encryption.

STOP was spread only through pirated software so any anti-virus firm would list a low percentage for STOP as people who used pirated software were unlikely to use any anti-virus products.

Callow said he was not criticising any anti-virus firm. "Our data likely suffers from similar biases at times," he pointed out. "It's just an example of how companies' users/audiences can result in distorted stats."

Wisniewski said as the second set of attackers had moved to very high ransom demands, most of them had also moved into extortion over disclosure of stolen data to try to apply additional pressure on victims.

"There is no evidence I have seen that this has had much impact, but anecdotally it seems about half or more of victims are paying these high ransom demands," he said.

"Some of this has been fuelled by 'ransom negotiators' as well as insurance companies. This is likely why the US Department of the Treasury has hinted that paying ransoms may be illegal and they are looking to enforce these rules against facilitators as well as victims."

iTWire also contacted Russian security firm Kaspersky for its take on this topic, but a company spokesperson said it had no information to offer.



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
