Digital Threats: Ransomware

In order to shed some light on the subject, we would like to look at a few facts and figures about ransomware as well as a typical course of attack.

Ransomware in numbers

Even though ransomware has only recently become the focus of public attention, this type of malware has been around for almost two decades. As global IT networks have grown, malware and ransomware infections have grown with them. In 2020, 304 million ransomware attacks on private individuals or companies were recorded worldwide. This represents an increase of 62% over the previous year and is the second-highest number ever recorded; only 2016 saw more attacks, with a total of 638 million worldwide. In a survey by Sophos, 37% of the companies surveyed said they had already been the target of a ransomware attack, and the average cost to a company per ransomware attack was estimated at US$1.85 million. The high costs are not the only danger of such an attack, however: the paralysis of the entire IT infrastructure and its reconstruction, as well as the theft and publication of company data, can burden the affected company with great reputational damage. The report also shows that only slightly more than 60% of the encrypted data can be recovered by paying the ransom. SECUINFRA, along with other providers and authorities in the IT security sector, recommends not complying with ransom demands. There is no guarantee that data will be decrypted at all or that stolen data will be deleted! In addition, a company that has been successfully blackmailed can come to the attention of other ransomware groups and thus make itself a target.

Ransomware process

The rough course of a ransomware infection is usually very similar from case to case and differs mainly with the size of the targeted company. Particularly lucrative targets are not only attacked by automated tools but also receive the full attention of the hacker group, and thus usually face an intelligent attacker who can react dynamically to new scenarios.

1. The infection vector

Email is still the most popular vector for ransomware attacks. Last year, more than half of all ransomware infections (54%) were carried out via email. The company's employees receive spam emails or targeted and tailored phishing emails. Most of these contain prepared links or attachments which, when opened, place the malware on the system. Alternatively, the attackers get onto the victims' systems via stolen login credentials or so-called drive-by attacks; the latter are specially prepared websites that an employee visits, whereupon malware is downloaded onto their system. Finally, there is the zero-day attack vector. "Zero-day" refers not so much to the attack technique itself as to how long a security vulnerability has been known to the affected software manufacturer: namely zero days. This method is therefore very dangerous and almost always succeeds, since only the attacker knows that the vulnerability exists. In general, however, zero days are used sparingly and only in very large-scale operations (see: Kaseya: Supply-Chain-Attack). In addition to the methods mentioned, there are numerous other ways to compromise a company; Statista's statistics show the top 10 entry points for the year 2020.

2. The malware starts working

Once the attacker has gained access to a system, they try to spread to as many other systems in the network as possible (lateral movement). If a domain controller is used in the network, the attacker can, in the worst case, issue themselves a so-called "golden ticket" by compromising a domain administrator account. With this "golden ticket", the attacker can gain administrative access to almost any system in the network. This free pass is then used to infect as many systems as possible and maximize the damage. In parallel, data is exfiltrated; attackers usually take everything that could publicly or economically damage the company. Once the attacker has obtained the data, the ransomware begins to encrypt all infected systems.

3. The extortion

Once the damage has been done, ransom notes are distributed on the systems, which tell the victim the obvious: their data has been encrypted. In most cases these messages also contain a reference to the attacker group and, in addition to the requested ransom amount, instructions on how and to which address it is to be paid. If the company is particularly large, the attackers may also contact it directly to negotiate an appropriate sum. To prove that data has been leaked, the victim usually receives a sample, or the data is published directly in a corresponding underground forum. This is intended to increase the pressure on the company and thus persuade it to pay the ransom demanded.

4. Protection

Due to the enormous variety of attack vectors, complete protection against ransomware or malware attacks is generally difficult or impossible. However, by taking appropriate measures, the probability of such an attack succeeding can be drastically reduced. Training for employees is a first step, but it must always be complemented by technical security solutions. Our experience has shown that Compromise Assessment is a valuable tool for detecting attacks. By scanning the entire infrastructure, any traces of attacks can be detected and analysed. Ideally this is not done only once but on a recurring basis. This has the advantage that not just a snapshot is created: new, previously unknown attack traces are continuously searched for, and an attacker is ideally detected very reliably within a short time. SECUINFRA, for example, offers a "Continuous Compromise Assessment" service. Here, an initial scan including evaluation is carried out to obtain a first assessment of the general state of the infrastructure. In this way, traces of cyberattacks can be detected and, ideally, major damage can be prevented.
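As an added illustration of the kind of trace a compromise assessment looks for (this is example code written for this article, not a SECUINFRA tool), the following heuristic scans file-audit events for the two artefacts described in steps 2 and 3 above: a burst of files renamed to one new extension on a host, combined with a dropped ransom-note file. The log line format, the note-name keywords and all sample events are constructed assumptions.

```python
# Compromise-assessment heuristic (constructed example): flag hosts whose file audit log
# shows a burst of renames to one new extension plus a dropped ransom note.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) host=(\S+) action=(\w+) path=(\S+)(?: new=(\S+))?$")
NOTE_HINTS = ("readme", "decrypt", "restore", "recover")

def find_ransomware_traces(lines, window=timedelta(minutes=5), min_renames=20):
    # Returns {host: {"extension", "renames", "notes"}} for hosts with at least
    # min_renames renames to one extension inside `window` and a note-like file.
    renames, notes = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, host, action, path, new = m.groups()
        ts = datetime.fromisoformat(ts)
        if action == "rename" and new:
            renames[host].append((ts, new.rsplit(".", 1)[-1].lower()))
        elif action == "create":
            name = path.rsplit("/", 1)[-1].lower()
            if name.endswith(".txt") and any(h in name for h in NOTE_HINTS):
                notes[host].append(path)
    hits = {}
    for host, events in renames.items():
        for ext in {e for _, e in events}:
            stamps = sorted(t for t, e in events if e == ext)
            start = 0  # sliding window over the rename timestamps of this extension
            for end in range(len(stamps)):
                while stamps[end] - stamps[start] > window:
                    start += 1
                if end - start + 1 >= min_renames and notes.get(host):
                    hits[host] = {"extension": ext, "renames": end - start + 1,
                                  "notes": notes[host]}
                    break
    return hits

def sample_log():
    # Constructed: FS01 renames 25 files to .locked within two minutes and drops a
    # note; WS07 renames three files as ordinary user activity and drops nothing.
    base = datetime(2021, 7, 2, 22, 14, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} host=FS01 action=rename "
             f"path=/share/fin/doc{i}.xlsx new=/share/fin/doc{i}.xlsx.locked" for i in range(25)]
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} host=FS01 action=create "
                 "path=/share/fin/README_RESTORE_FILES.txt")
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} host=WS07 action=rename "
              f"path=/home/u/draft{i}.doc new=/home/u/final{i}.docx" for i in range(3)]
    return lines
```

Thresholds such as `min_renames` and `window` must be tuned per environment, since backup jobs or bulk document conversions can produce similar rename bursts without any note file.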


Ransomware has become one of the biggest digital threats to businesses. A successful infection can cause millions in damage and lead to the theft of data, with consequences for the company that are not only economic but also public. By taking appropriate measures, the probability of such an attack succeeding can be drastically reduced. SECUINFRA will be happy to support you in developing a suitable security concept and in deploying preventive measures.

If you are already affected, we offer immediate help to limit the damage and avoid future attacks.



SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.
