The Road to Ruin from Ransomware is Shorter Than You Think

May 20, 2022

A ransomware attack is a complex cybercrime operation that can include many players. It can also include massive damage to an organization. Enough to drive it out of business. An estimated 60% of businesses shutter within six months of experiencing a successful cyberattack like a ransomware attack. So, what does the road to ruin for a business look like? This look at the lifecycle of an average ransomware attack offers insight into the threat that organizations face.  


Explore today’s biggest threats & what’s next in The State of Email Security 2022 GET IT>>


Follow the Path of a Ransomware Attack


1. A ransomware gang forms and begins operations.  

New ransomware gangs crop up constantly. They can form organically, spawn from other groups or emerge as reorganized notorious gangs. It’s common for ransomware gangs to shut down operations (known as “going dark”) after a highly publicized attack and reform when the heat dies down like the DarkSide ransomware gang did after its successful attack on Colonial Pipeline. The FBI tracks an average of 100 unique ransomware groups on any given day. 

2. Cybercrime organizations recruit affiliates. 

Most big-time ransomware gangs don’t do the dirty work themselves. Instead, they recruit affiliates to conduct the actual ransomware attacks. Then the boss gang customarily provides the affiliate with the proprietary malware used in the incident and specialized resources if needed. The affiliates typically handle everything from choosing the target to successfully deploying the software in-house, turning the operation over to the boss gang when it’s time to negotiate the ransom.  Affiliates generally pay the boss gang 10 – 25% of the total take.  


The road to security success begins with 5 Steps to Ransomware Readiness! GET IT>>


3. The gang or its affiliates begins choosing likely targets.  

Non-nation state ransomware gangs are almost solely motivated by money. Whether it’s the money that they haul in from ransoms or the money that they will make by peddling the assets gained from their victims, making the highest profit is always the goal. For example, in 2021, experts declared that the ideal target for a ransomware attack is a U.S. company with a minimum revenue of $100 million. Canada, Australia and Great Britain are also popular locations when cybercriminals go target shopping. Industries and infrastructure sectors that are under stress, like the Healthcare sector in 2020, are prime targets, especially if their business is time-sensitive – 14 of 16 critical infrastructure sectors in the U.S. experienced ransomware attacks in 2021. 

 4. The gang gathers resources and hires extra help if needed. 

It’s standard practice for big ransomware outfits to recruit affiliates, find specialists, hire freelancers and buy information in dark web forums. An estimated 90% of posts on popular dark web forums are from buyers looking to contract someone for cybercrime services. Information is a currency on the dark web, and a successful ransomware practitioner makes use of that resource. They’ll comb through dark web data markets and dumps for information about the target or the target’s employees that could benefit their operation, like stolen email addresses and passwords. Groups will use their own proprietary software or buy from a Ransomware-as-a-Service developer to obtain “pay and use” malware. They may also subcontract out all or part of the operation, like hiring a Phishing-as-a-Service specialist.   


See the tide of phishing rise & fall to spot future trends in the eBook Fresh Phish. GET IT>>


5. The bad guys try to do things the easy way first. 

No one ever wants to do more work than they have to, even cybercriminals. That’s why ransomware practitioners are willing to pay handsomely for access to a company’s IT environment. Privileged credentials that can open the door to the heart of a business are especially coveted. Malicious insiders can do devastating damage to their companies by selling their access credentials to ransomware gangs on the dark web – and bad actors are willing to pay $3,000 to $120,000 for a single legitimate credential depending on the level of privilege associated with it.  

6. Now it’s time to spring the attack. 

Once they’ve got all of their ducks in a row, it’s time for the cybercriminals to get down to business and launch the attack. Of course, accessing a target’s systems with a legitimate credential is the easiest way to do the deed, but if that option isn’t feasible there are plenty more approaches to try. Hacking in directly is the hardest and it’s uncommon, the kind of thing reserved for specialized, high-level targets. The vast majority of ransomware attacks are carried out through phishing. An estimated 94% of ransomware arrives at businesses via email.    


See 10 reasons why Graphus is better than other email security solutions. SEE THE LIST>>


7. Cybercriminals celebrate their success by demanding the ransom. 

If the attack is successful, it’s time for the cybercriminals to carry out some old-fashioned extortion. Depending on the type of ransomware used, the bad actors may demand payment for a decryption key to unlock systems and data, for the safe return or destruction of stolen data, or even to keep the incident quiet to avoid reputation damage for the victim. The most common variant is double extortion ransomware that demands two payments from the target to avoid two negative consequences, like copying data and publicizing the victim’s security failure. It accounted for 50% of ransomware attacks in 2020.    

8. One way or another, the cybercriminals get paid. 

A successful ransomware attack will net a nice chunk of change for the bad actors who perpetrate it and their associates. In Q1 2022, the average ransom demand rose 144% to $2.2 million and the average ransom payment rose 78% to $541,010.  Ransom payments are typically extorted in cryptocurrency. If the target chooses not to pay the ransom, the cybercriminals may still get paid by selling the victim’s stolen data on the dark web, although probably not as handsomely.    


Learn the secret to ransomware defense in Cracking the RANSOMWARE Code. GET BOOK>>


9. Paying the ransom doesn’t get your data back (and it may be illegal). 

Two-fifths of organizations that fall victim to ransomware choose to pay the ransom, something declared illegal in some cases by the U.S. Department of the Treasury. However, only 8% of them got all of their data back, and nearly a third were never able to recover more than half of their stolen data. Paying the ransom also carries no guarantees that your data won’t be copied, or that bad actors won’t leave a backdoor into your systems that allows them to return at their leisure – 80% of organizations that pay up experience another attack.  

10. The victim is stuck with big bills and big business losses

Any organization that falls victim to a ransomware attack is in for a world of pain immediately and for months or years to come. In the 2021 FBI Internet Crime Complaint Center (IC3) report, FBI analysts disclosed that IC3 received more than 2,000 ransomware complaints with more than $16 million in losses, a 20% increase in reported losses compared to the same time in 2020.  The expense of mitigation and recovery adds up fast. The average ransomware recovery costs an estimated $1.85 million, up from $761,106 in 2020, However, using cutting-edge security solutions that include automation and AI can blunt the blow. Automation tools can save up to 50% of recovery costs in the event of a cybersecurity incident like a ransomware attack.    


AI is the secret weapon you’re looking for to boost business email security. SEE WHY>>


Stop Ransomware Before It Starts with Automated Email Security 


The best way to prevent a ransomware attack is to prevent ransomware-laden phishing messages from entering your environment. Graphus is up to the test, with AI-powered automation that puts three powerful layers of security between phishing messages and your employees.    

  • Automated email solutions like Graphus catch 40% more malicious messages than conventional solutions or a SEG   
  • Cloud-native security deploys in minutes to Microsoft 365 and Google Workspace  
  • Smart AI never needs threat reports, instead using over 50 points of comparison to sniff out targeted spear phishing, ransomware, zero-day attacks and other complex threats.    

Book a personalized demo to see the ransomware defense boost that Graphus brings to your business. https://www.graphus.ai/demo-request/ 


Still relying on an old-fashioned SEG? See why Graphus is better! SEE THE COMPARISON>>


Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus