The ransomware ecosystem: changing the game for the next generation of cybersecurity experts

Ransomware never sits still, as David Emm recently discussed when speaking to a group of students

As we celebrate Anti-Ransomware Week, David Emm principal security researcher in Kaspersky’s Global Research & Analysis Team (GReAT) – recently spoke to a group of students about the evolution of ransomware into the fortified ecosystem it is today and what this means for the cybersecurity community.

Here are the highlights!

From indiscriminate attacks costing hundreds of pounds to targeted attacks costing millions

The modern era of ransomware has become increasingly targeted. In the early days, ransomware was distributed indiscriminately – aimed at anyone and everyone it could reach. Attackers would encrypt data using unsophisticated methods and hope for a pay out of maybe £300. Their sometimes rudimentary encryption methods meant that cybersecurity experts could not only detect the threat but could often also decrypt the data – a near impossibility today.

Ransomware developers have since realised that there is much more money to be made by targeting specific organisations. Instead of a few hundred pounds, they can get hundreds of thousands of pounds, and even millions in some cases. The number of ransomware samples and blocked attacks is on a downward trend but this is only because attackers are focusing on more strategic and impactful attacks rather than on quantity.

The 2017 WannaCry ransomware epidemic underlined the impact that a ransomware attack can have on organisations. WannaCry affected 230,000 computers around the world in total, but showed the catastrophic impact on specific organisations. The ransomware affected thousands of NHS hospitals and surgeries across the UK and reportedly caused ambulances to be rerouted. The NHS is estimated to have lost £92 million as a result and the global cost of related attacks was estimated at $4 billion.

In some instances, this ransomware isn’t even necessarily designed to get money  – just to sabotage IT systems. This was the case with NotPetya in 2017, which had a significant impact on a number of organisations. For example, hipping company, Maersk lost between $200 and $300 million as a result of this ransomware attack.

Networked vs. hierarchical structure

When most people imagine these ransomware gangs, they picture an Ocean’s Eleven-style set up, run by a great criminal mastermind – and for law enforcement agencies, this would be a far easier adversary to overcome. Instead, ransomware has evolved from individual hierarchical structures into a fully-fledged modular ecosystem– a whack-a-mole system of replaceable players.

The players within this whack-a-mole ransomware ecosystem. (full research available here)


  • The botmaster: controls the botnet, a robot network of compromised computers under the control of an individual(s) who looks to monetise their point of contact on all compromised computers. This includes through Infrastructure-as-a-Service, Crimeware-as-a-Service or Malware-as-a-Service
  • Developers: develop the ransomware program and sell their creation to others in the ecosystem
  • Packers: pack purchased ransomware to make it as fully undetected as possible when it is deployed in the target system
  • The red team: does the attacking, extending the initial compromise into the wider organisation
  • Analysts: determine which information is most sensitive and this is used as leverage for ransom demands
  • Support team: liaises with relevant people in the organisation to persuade them to pay the ransom, explaining that decrypted data will be lost or published if payment is not received
  • Laundering: seized money is laundered to make it difficult to track. The rise of digitised and electronic payments and banking have made this easier

How do cybersecurity experts advise as best practices in this climate?

With today’s ransomware, cybersecurity experts are rarely able to find a mechanism for decrypting data. This makes backups, a proactive defence plan and crisis management plans imperative.

  • Backups – Backups do not completely mitigate the impact of an attack, as ransomware still needs to be removed and IT teams need to clean up and restore the backup, but they do allow data loss to be minimised and enable companies to save the extortionate money demanded as a ransom. However, not all backups are created equal – if you can access it, so can the attackers, and it is going to be vulnerable to encryption. So backups must be stored offline. IT teams also need to periodically test that backups can be restored in the event of a crisis.
  • Crisis management – IT teams need to make sure their organisation has a plan for secure communications in the event of a ransomware attack. If regular communications are used to interact between teams, attackers will be privy to such communications and can use them as leverage. An alternative plan needs to be developed and practised.
  • Proactive defence – Organisations need to implement solutions that allow them to analyse network behaviour for suspicious activities and block attacks before they can cause damage. They also need to implement effective education strategies. This will make employees less prone to falling victim to phishing and other social engineering methods used by attackers to trick staff into running malicious code.

To pay or not to pay?

Ramsomware gangs are making millions of pounds and, even scarier is the prospect of what they can do with those earnings in terms of reinvesting into their own R&D. Our latest research found that nearly 75% of UK organisations paid the attackers in order to get their data back. However it is good practice to avoid paying ransoms because this is the oxygen that keeps these groups alive.

Nevertheless, vulnerable organisations are put in extremely difficult circumstances – particularly those operating critical infrastructure facilities – because of the impact on business continuity and subsequent reputational damage. It is worth noting that Kaspersky was a founding member of NoMoreRansom, now a broad consortium of industry and police bodies providing free decryptors for victims of ransomware attacks.

As ransomware groups become increasingly formidable, it is the duty of those in the cybersecurity sector to ensure that they are at the forefront of industry trends, developing new and innovative solutions to protect our increasingly interconnected world.

How do we encourage the next generation of cybersecurity professionals?

Many people think that they need a computer science degree in order to enter the profession. However, there is a variety of different roles within the industry and a broad range of skills that are needed: not just mathematicians, cryptographers and programmers, but people with writing skills, communications skills and more. Technical skills are important, but equally so is curiosity. For anyone aspiring to a career in cybersecurity, I would recommend Jessica Barker’s “Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career”.

The way we handle ransomware has completely changed in the last 15 years or so. The next generation of cybersecurity professionals has a daunting task ahead, staying one-step, and preferably a few ahead of ransomware gangs and other types of attacker. Just as they are evolving, so too is our industry. Every year our abilities to defend against cyber-attacks becomes stronger and more innovative.

Today’s cybersecurity solutions go way beyond the old-fashioned pattern detecting approach characterised as ‘anti-virus’ – including the use of generic detection, heuristics, behavioural analysis, emulation and sandboxing techniques. Our experts are continually developing new systems to stay ahead of the latest threats.

To explore careers in cybersecurity, please visit Kaspersky’s careers page.