The evolution of ransomware

04 July 2017

Special feature from Jason Rebholz, Vice President of The Crypsis Group, a member of JLT’s Cyber Risk Consortium.

The evolution of ransomware has brought new and innovative approaches for cyber criminals to find profit at the expense of their victims. The barrier of entry for these cyber criminals is extremely low, allowing even the most unskilled threat actors to gain access into an environment and infect systems with ransomware. Over the last year, The Crypsis Group has observed cyber criminals establishing Ransomware as a Service (“RaaS”) “businesses” to accommodate other evil-doers looking to enter the ransomware market.

These businesses focus solely on two core issues: i) providing ransomware binaries that will encrypt files and ii) facilitating the delivery of ransomware to unsuspecting victims. For cyber criminals looking to enter the ransomware game, these new vendors provide them with a fast track to profiting from malicious activity.

RaaS websites have emerged recently to fill the gap for cyber criminals looking for ransomware binaries. Historically, cyber criminals had to purchase ransomware up front or they had to write their own programs. RaaS removes that burden from cyber criminals by providing a service where malware authors write and update ransomware binaries that can be used to infect victim systems. The RaaS vendor acts as a development team, testing and ensuring that major anti-virus programs will not detect it, freeing other cyber criminals to focus on infecting systems. The RaaS service provider often provides free copies of the ransomware binary to anyone who signs up via their web page. The RaaS vendors profit when victims pay the ransom by skimming a percentage of the profits from the ransom payment. The balance of the payment goes to the cyber-criminal who infected the victim’s system.

The second obstacle for cyber criminals to overcome is delivering the ransomware payload to victims. As one may guess, there are services for that as well. One such service hacks victim organisations by guessing common user names and passwords to systems and brute forcing access. After securing access by creating new user accounts, the cyber criminal sells access to the compromised machine to other cyber criminals.

The ransomware eco-system continues to evolve in ways that are unfavourable to its victims. Given the lucrative nature of the shady business, we can assume that cyber criminals will continue to build businesses around servicing other cyber criminals to make it easier for them to infect victims. For organisations, they must continue to work to mitigate the impacts of ransomware. The primary defence we recommend to most organisations is maintaining available backups, both online and offline.

Download Cyber Decoder – June 2017

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on



Find out more

Read our Cyber Risks & Insurance Insights

Read more

Receive our monthly cyber risk newsletter