Brain Game: Ransomware Teams Are Becoming Smarter

  • 8 July 2020
  • 8 replies
Brain Game: Ransomware Teams Are Becoming Smarter
Userlevel 7
Badge +20

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?


Substitute your digital space for your home and encryption for the safe and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, a note appears demanding payment, which is usually in the form of untraceable currency such as Bitcoin.

Once your files are encrypted, you can’t access them until you pay the ransom. There have already been hundreds of millions of victims of ransomware, and the number keeps growing.


The roots of Ransomware can be traced back to 1989. The trojan, known as PS Cyborg, was spread through diskettes given to attendees of a World Health Organization International AIDS conference. Victims of PS Cyborg were to mail $189 to a PO Box in Panama to restore access to their data.


Historically, ransomware targeted individual personal computer users. Today, the big money is in attacking businesses. Most of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.


Criminals know the value of business data and the cost of downtime. Because they service multiple SMB customers simultaneously, Managed Services Providers (MSPs) are now an especially attractive target. A successful attack on an MSP magnifies the impact of attacks and the value of the ransom.


The New Squeeze


Now that you have an understanding of the inner-workings of ransomware and how they convince companies to pay up, it’s time to discuss a recent change in the tactics of ransomware developers. 

The traditional method of extracting cash from businesses is as follows:

  1. Drop malware payload on a collection of machines or servers
  2. Identify and encrypt all/the most important files
  3. Demand a ransom in Bitcoin and expect them to pay in order to avoid bad press and lost data

The NEW method that ransomware developers have begun to use adds an additional step at the end:

  1. Threaten to auction off the data if the ransom is not paid

This incorporates a secondary reason for ransomware victims to pay the proposed ransom: If they do not pay, it will become publicly known that they have breached data privacy policies such as GDPR. There are very large fines associated with a breach in GDPR, not to mention a huge amount of damage to their brand/reputation. 

Think about it: this new tactic is utilizing some very subtle psychological principles to make sure that they get their money no matter what.

“Pay us or pay GDPR fines while we still get to auction off your data for payment. “


Who is orchestrating large-scale ransomware attacks?


To understand the main players in this game, we need to understand the two main “tasks” that exist within the world of ransomware:

  • First stage of infection: how the operator gets initial access to a system.
    • This stage is generally carried out through phishing campaigns such as Emotet
  • Second Stage of infection: Dropping a malware payload
    • This is the malware used to scan and encrypt the servers that it has infected

These two tasks are often carried out by two different teams that work together. Here are a few examples of those teams:

  1. Ryuk/TrickBot
  2. Bitpaymer/Drydex
  3. Sodinokibi/GranCrab/rEvil (singular team, Ransomware-as-a-service)
  4. Doppelpaymer
  5. Emotet (Often used by most malware operators to spread infections)

It is difficult to track the geographical origins of these teams, but it is fairly well known that the Sodinokibi/GranCrab/rEvil team is based out of Russia.


How do they auction off stolen data?


Generally this is done via forums or standalone websites using an “Onion” link on the TOR network. Sometimes they release data for free if it isn’t worth much or if it’s a small company.

sample of data given for free


When they get access to high-profile data, they set a starting bid with a minimum bid increment. These auctions function similar to an eBay bid, with one major difference: you have to send a minimum deposit to begin bidding. This is to prevent law enforcement or tire-kickers from bidding high and then not paying. 

bid examples


These auctions could be a very valuable purchase for many different parties - primarily competitors and identity thieves. The addition of data-auctions is a genius method of inducing more psychological stress on their victims, thereby increasing the likelihood of receiving payment. Whether we like it or not, Malware operators continue to stay one step ahead of companies that have holes in their cyber resilience plan.


What does everyone think about this change in tactics within the world of malware? Do you believe that companies have any way out of paying the ransom? Let me know in the comments below!


8 replies

Userlevel 2

Not very helpful, in my opinion.

For such advice to be of real help, we need more direct tips on how to avoid such attacks (besides running Webroot, that is). What can we do, besides not clicking on links ? 

An example :

An average computer user has lots of services running which can make their computer more vulnerable. Many of those are not vital for the running of that computer. So, it would be helpful to have good info on how services can be slimmed down. 

Personally, I have 56 services running out of a possible 188, and still think it is too much.

Just some of my thoughts on how Webroot could help users stay safe.

For an individual, how protective is it to create a Standard account and limit all web activity to that account?  Typically, Standard account users will see a pop-up requiring them to enter their Admin password to authorize the installation of new software and/or updates before such installations can be executed.  In theory, covert malware could not be installed without such approval.  Hence, a user would be alerted to the attempt and could simply not grant approval for installation.  As a related question, does downloaded malware show up in your Download folder in the same manner as legitimate downloads, or is it typically invisible to a user searching his or her File Explorer files?

Userlevel 7
Badge +20

@Ghia ,

I appreciate the feedback! 

My main purpose for writing this piece is to make the Community aware of how Ransomware teams are evolving their strategies. The truth is, there is no foolproof way to avoid ransomware - The entry doors to a companies servers are as strong as their weakest link. Most of the time, ransomware infections start with an effective phishing campaign that targets a wide net of their employees. Once they can trick an employee to download a malware payload, there’s many ways that an infection can spread from there.


Our advice is always to exercise due diligence, implement some kind of Security training with your employees, and practice strong preventative strategies such as strong backups, antivirus software, DNS protection, Link filtering, etc. 

The truth of the matter is that ransomware is largely a psychological game. Even the biggest, most well-funded, and digitally protected companies that exist have been infected by ransomware at some point or another. This is currently the age we live in: Damage control. 100% prevention is almost always impossible when there is a dedicated ransomware team targeting your company. The best we can often do is protect our digital systems as well as possible and be hyper vigilant. 


Userlevel 7
Badge +20

@lvphil13 ,

This is a loaded question, but I’ll try my best.

Malware is not often a clearly downloaded file that sits in your downloads folder. There are many ways that an attacker can execute files, downloads, and installations silently. That means that you’ll never see any loading screens or “accept Installation?” requests. All major operating systems have flaws in their code that allow an attacker to silently drop a malware payload on your computer. Effective Antivirus solutions such as Webroot put up layers of defense to protect against silent installs, etc. but there are ways that a malware payload can even disable an antivirus software if it is sophisticated enough.


The Battle between Antivirus companies and malware operators is never-ending. It is a constant struggle to stay ahead of the curve. That is why we have some incredibly smart people in our Threat-Research team - it is their job to stay one step ahead of these bad actors. But the battle will likely never end. Where there is profit to be made, there will be bad actors that attempt to infiltrate computer systems.

@khumphrey ,

Thank you for your prompt & thorough response to my questions!  I have been following advice from years ago about setting up a second, Standard, account for all Internet-related activity with the thought that it would be difficult (or impossible) for bad guys to install malware through that account.  In this approach, I use my Admin account only for installation, updating, and removal of software, for addition or removal of peripherals and for various account settings. From your response, I gather that if this approach was ever true back when it is no longer true today.  I think I will continue this process since I don’t see any downside but will be even more careful where I go and what I do while out and about on the Internet.

Userlevel 7
Badge +20

@lvphil13 ,

Adding any amount of security like what you are doing is still helpful! The harder you can make it for a bad actor, the better off you are. No solution is 100% but damage mitigation is still very real when it comes to preventing malware infections! 

Userlevel 2

@Ghia ,

(snip)….The best we can often do is protect our digital systems as well as possible … (snip)


Well, that is exactly the point where more useful information/advice is needed.

Most people now are informed about the need to be restrictive when it comes to links etc. What I was hoping for was more practical advice on the protection side.



Userlevel 7
Badge +20

@Ghia ,

Happy to take more specific suggestions for future content pieces! Feel free to private message me with any suggestions you might have.